What is the Low Orbit Ion Cannon (LOIC)?

The Low Orbit Ion Cannon (LOIC) is a network stress testing application for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks that has been used by hacktivists. This article describes how the LOIC works, what limitations it has, and where it has been used. You will also learn how to defend against LOIC attacks.

This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.

The Low Orbit Ion Cannon (LOIC) is a network stress testing application created by Praetox Technologies. It is used as an attack tool in DoS/DDoS attacks. LOIC is a Windows application that was written in C# and it is currently available as an open-source project on Sourceforge and other platforms. It has been ported to many operating systems: Linux, OS X, Android, iOS. There is also a JavaScript version (JS LOIC) and a web version (Low Orbit Web Cannon).

Hacktivists from the 4chan Anonymous group used LOIC in the following attacks:

  • Project Chanology: An attack on the Church of Scientology (2008)
  • Operation Payback: An attack on the Recording Industry Association of America (RIAA), Visa, MasterCard, PayPal, and other organizations that opposed WikiLeaks (2010)
  • Operation Megaupload: An attack on Universal Music Group, the US Department of Justice, and other organizations that were involved in the shutdown of Megaupload (2012)

How does LOIC work?

LOIC is very simple: it floods a specific IP address with TCP or UDP packets or HTTP requests to a specific port. A single user running LOIC usually cannot cause a denial of service. However, a large number of users running LOIC cause the target server to slow down with the processing of legitimate requests because of the unusually high network traffic.

The Low Orbit Ion Cannon is very popular because it can be used by someone with minimum technical knowledge. For organized DDoS attacks, the application can be used in hivemind mode. In this mode, the user only connects to an IRC (Internet Relay Chat) channel. Commands with target systems and attack details are sent by the attack organizer to this channel. In this mode, one person has full control of LOIC instances on many user computers so the attack is performed with the use of a voluntary botnet.

The usability of LOIC is limited. Its activities cannot be anonymized or redirected through proxies. Therefore, everyone who participates in DDoS attacks using this tool can be easily identified and prosecuted. It is also very easy to block because all requests follow the same template. A more advanced version of LOIC – the High Orbit Ion Cannon (HOIC) – also exists and addresses some of these limitations.

How to defend against LOIC?

It is best to defend against LOIC attacks at the level of the internet service provider (ISP). Many large providers already have DDoS mitigation mechanisms. Major cloud storage providers have such high bandwidth that LOIC attacks have very little effect.

If you host your own web server, you can defend against LOIC and similar attacks with the use of intrusion detection and prevention systems such as Snort. Once you spot a LOIC attack, you can simply filter out all packets from specific IPs. To protect yourself, you can also configure your firewall to limit the number of requests per minute. This will filter out attack traffic but will have no effect on legitimate users.

Zbigniew Banach

About the Author

Zbigniew Banach - Senior Technical Content Writer

Cybersecurity writer at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.