LOIC explained

I read in a Spanish magazine several months ago an article related to hacking. Specifically, it talked about the coordinated attack that a group of hackers did to PayPal, in response to the Julian Assange’s (Wikileaks) issue, you know, clasified documents, FBI, gobernments, international reports and all the mess it caused.

The article mentioned a tool, LOIC (Low Orbit Ion Cannon), which was used by these hackers to perform a DOS (Denegation Of Service) attack against PayPal. That caught my attention, so when I went home I searched on the Internet to get more information about that tool, and, if possible, get the source code, just to get a better idea of what it does behind the scenes.

So the code is available at sourceforge (http://sourceforge.net/), and, surprisingly, it’s written in .NET (.NET 3.5 actually); that made me very happy. The next is a summary of what this tool does. It’s a very simple and small application, but powerful at the same time. Those of you that expect strange and advanced tricks will possibly get dissapointed. Well, hacking is not always that beautiful, arcane and magic.

The application

This application performs a DOS attack by sending a lot of packages to a certain server. This is an old trick, but if you coordinate the attack with dozens or hundreds of people, you can make that a server becomes crazy! As it usually happens with lots of hacking tools, this one can be used conveniently to test the number of requests that a server can process, testing the workload and simulating a stress situation, probably before deployment.

Two kinds of attack are available: HTTP flooding and TCP/UDP flooding; this way you can try with a generic type of server or with a web server.

Hands on the code

The code is pretty simple. I noticed that it’s written in .NET 3.5 because of some LinQ pieces of code. It doesn’t matter, the real stuff is the XXPFlooder, which performs the TCP/UDP flooding, and the HTTPFlooder, which implements the HTTP flooding. Both classes implement the IFlooder interface:

interface IFlooder
int Delay { get; set; }

bool IsFlooding { get; set; }

void Start();

Basically it defines a state (IsFlooding) and a method to start flooding. Now the real stuff:

Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp) { Blocking = Resp };
    while (this.IsFlooding)
        if (Delay > 0) System.Threading.Thread.Sleep(Delay);
catch { }

This defines a TCP socket and, while the attack is beeing performed (IsFlooding; an event raised when the user interrupts the attack by clicking on a button determines the end condition to stop) LOIC sends a package to the server.

The UDP and HTTP flooding are quite similar to the TCP flooding, so I won’t post them.

Ok, pretty simple, isn’t it? Not very effective; well, it sends a package after other, but lots of servers can support such a stress situation. Let’s take a look at something more interesting:

var bw = new BackgroundWorker();
bw.DoWork += new DoWorkEventHandler(bw_DoWork);

Ok, so the flooding is performed in a thread, launched in background. Sounds good. A thread which sends a package and then other packages until the user decides to stop it. But the trick here is that you can define several (let’s say, 100) of threads. Also the delay between each package that will be sent can be customized. So, you can perform a flooding attack sending 1000 packages using 1000 threads every 0,05 secs. simulteanously. THAT is fun. Now, think about dozens or hundreds of machines doing the same. THAT is gorgeous.

Finally the application contains a cool input validation, I’m pretty sure that you’ll find it very fun and the main form is created with WPF.

So, the code is pretty simple, basically it allows you to send packages to a server from different threads. By coordinating the attack with many people, it can become a serious problem. But we cool guys don’t do that. We use LOIC to test our production servers under stress situations before deploy a new application, right?

Enjoy ;-).