High Orbit Ion Cannon (HOIC)

What is the High Orbit Ion Cannon?

The High Orbit Ion Cannon (HOIC) is a denial-of-service attack application often used by malicious hackers and activists. It is the successor of the Low Orbit Ion Cannon (LOIC) application, which was originally designed as an open-source network stress testing tool.

HOIC was developed by the hacktivist collective Anonymous during the final stages of Operation Payback. The tool is available on SourceForge only for Windows, but it can be ported to Linux and Mac. The names of both LOIC and HOIC were inspired by fictional weapons used in several video games, primarily Command & Conquer.

How does the High Orbit Ion Cannon work?

HOIC is an application-layer attack tool. It is more advanced than LOIC and designed to work using only HTTP floods (unlike LOIC, which uses TCP/UDP floods as well), sending HTTP POST and GET requests. It can attack up to 256 domains or IP addresses simultaneously using a large number of threads. It is especially effective against thread-based web servers such as Apache, particularly those that are not configured to mitigate application-layer attacks such as Slowloris and R.U.D.Y.

The key feature of HOIC is the ability to use booster scripts to increase DoS output. These custom scripts randomize headers, such as User-Agent, and introduce multiple attack targets (e.g. subdomains or specific pages). This makes DoS detection much more difficult but is still not enough to anonymize the attacker.

As an attack tool, HOIC is much more powerful than LOIC, but it lacks certain features of its predecessor. It is designed as a standalone application and has limited coordination capabilities. It works in GUI mode only and has no API, so it cannot be used in a botnet. While it is estimated that 50 HOIC users are enough to perform a major distributed denial-of-service attack (DDoS attack), it still has to be coordinated manually.

This tool was used by Anonymous for attacks on the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the US Department of Justice (in retaliation for closing the file-sharing website Megaupload).

How to mitigate HOIC attacks?

Even a website with no vulnerabilities may fall victim to denial of service by HOIC, so web or network vulnerability scanners are not effective mitigation tools. Since HOIC randomizes headers, web application firewalls (WAFs) may have problems detecting such attacks. The best bet to detect such attacks early and raise an alarm is to use an intrusion detection system (IDS).
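
One way an IDS-style rule can key on the header randomization described above, shown as an added example that is not part of the original article: a Python function that reads web server access log lines in Combined Log Format and flags any client IP that sends a burst of GET/POST requests while rotating many User-Agent values. The function names, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Return (ip, timestamp, method, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, _path, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, ua

def flag_flood_sources(lines, window=timedelta(seconds=10), min_requests=20, min_agents=5):
    """Map each flagged IP to its largest (requests, distinct User-Agents) burst.
    Thresholds are assumed; a NAT or proxy can show several agents per IP."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in ("GET", "POST"):
            per_ip[rec[0]].append((rec[1], rec[3]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            agents = {ua for _, ua in span}
            if len(span) >= min_requests and len(agents) >= min_agents:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(span), len(agents)))
    return flagged

def sample_log():
    """Constructed sample: one client rotating User-Agents, one ordinary browser."""
    lines = [f'203.0.113.7 - - [01/Jan/2024:12:00:{i % 8:02d} +0000] '
             f'"{"POST" if i % 2 else "GET"} /page{i % 3} HTTP/1.0" 200 512 "-" '
             f'"ExampleAgent/{i % 8}.0"' for i in range(40)]
    lines += [f'198.51.100.20 - - [01/Jan/2024:12:00:{i * 10:02d} +0000] '
              f'"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed)"'
              for i in range(5)]
    return lines

if __name__ == "__main__":
    print(flag_flood_sources(sample_log()))
```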

However, no locally installed tool can be as useful for DDoS attack mitigation as a resilient network infrastructure that can handle a lot of requests. That is why many companies choose to host their websites and applications with cloud providers. Such cloud infrastructures combined with load balancing and traffic filtering will usually provide sufficient DDoS protection both due to the tools available and the sheer bandwidth for absorbing attack traffic.

The limited capabilities of HOIC also mean it cannot be remotely installed and effectively used on your web server by a malicious actor, even if a web vulnerability such as remote code execution (RCE) is found and successfully exploited. Since there is no JavaScript version of the tool, you are also safe from having it injected as a result of cross-site scripting.

Frequently asked questions

What is the High Orbit Ion Cannon?

The High Orbit Ion Cannon is a denial-of-service attack application designed by the hacktivist group Anonymous. The tool works by flooding the target website with HTTP GET and POST requests. It was developed on the basis of an older tool called the Low Orbit Ion Cannon.
 

How dangerous is the High Orbit Ion Cannon?

The High Orbit Ion Cannon was designed by hacktivists with application-layer attacks in mind and can be used for this purpose by cybercriminals, but it can also serve as a stress-testing tool. Its impact depends on how it is used, by how many people at once, and with what intent – the HOIC application itself is only dangerous when used with malicious intent.
 

How to mitigate HOIC attacks?

Attacks conducted using the HOIC tool are simple floods of HTTP GET and HTTP POST requests. They do not exploit any vulnerabilities, so typical DoS/DDoS protection mechanisms offered by hosting providers and load balancers are your best hope for mitigation. However, note that event-based servers such as Nginx are less sensitive to the High Orbit Ion Cannon than thread-based servers like Apache, which are also vulnerable to other application-layer attacks such as Slowloris and R.U.D.Y.
 


Written by: Tomasz Andrzej Nidecki, reviewed by: Zbigniew Banach