What is the Low Orbit Ion Cannon?

The Low Orbit Ion Cannon (LOIC) is an easy-to-use open-source network stress testing tool that is often misused for illegal denial-of-service (DoS) attacks.



Low Orbit Ion Cannon: Definition

Written in the C# programming language, the Low Orbit Ion Cannon (LOIC) was originally developed by Praetox Technology as a tool for network stress testing. The name is derived from a fictional weapon of mass destruction from the computer game series “Command & Conquer”. Today, LOIC, which is now available as an open-source program and as a web version, is mainly abused for illegal traffic overload attacks. Thanks to its user-friendly interface, even attackers with no technical know-how are able to use the tool to carry out coordinated DoS and DDoS attacks.


How does Low Orbit Ion Cannon work?

The operation of the LOIC is relatively simple: Attackers only need to configure a few settings to launch an attack. The Low Orbit Ion Cannon then “bombards” the target with masses of TCP packets, UDP packets or HTTP requests in order to overload the web server and thus paralyze the targeted service.

However, several attackers have to join forces to accomplish this, because one lone attacker cannot generate enough malicious traffic using LOIC. For a coordinated DDoS attack, the Low Orbit Ion Cannon can be operated in so-called “Hive Mind” mode. Several users connect their LOIC clients via an IRC server to form a voluntary botnet, which can then be controlled remotely from a central computer. The more LOIC instances that are interconnected in this way, the greater the impact of the coordinated attack.


Is the Low Orbit Ion Cannon legal?

The stress test tool itself is legal and freely available on the Internet. It should be noted, however, that it is only legal to perform load tests on your own IT infrastructures. Unauthorized use of the Low Orbit Ion Cannon against third-party targets violates the laws of most countries. In Germany, this is considered computer sabotage under § 303b StGB (German Criminal Code) and is subject to criminal prosecution. Attackers face fines and/or several years in prison.

Those who use LOIC for illegal overload attacks should expect to be quickly identified and prosecuted. Such attacks leave the IP addresses of the attackers visible to the target and they cannot be disguised via a proxy server, as the attack would otherwise hit the proxy instead of the actual target.


Are there any known examples of attacks using Low Orbit Ion Cannon?

The Low Orbit Ion Cannon was primarily used by the hacker collective Anonymous and members of the 4chan forum for several noteworthy DDoS attacks:

Project Chanology

In early 2008, Anonymous, together with supporters from the 4chan forum, used the LOIC for a series of DDoS attacks on Scientology websites. The hacker collective took this action in response to a copyright lawsuit filed against YouTube by the Church of Scientology. The Scientology organization had demanded that the video service and other websites delete a leaked video featuring actor Tom Cruise.

Operation Payback

Beginning in September 2010, Anonymous conducted multiple DDoS attacks against the websites of financial institutions, industry associations, and government agencies as part of “Operation Payback” using Low Orbit Ion Cannon. The hacker collective used these attacks to protest against the closure of the torrent site Pirate Bay and the blocking of WikiLeaks’ donation account. The attacks were directed at the Motion Picture Association of America, the Recording Industry Association of America and the U.S. Copyright Office, among others. Later, Bank of America, PayPal and credit card companies such as Visa and Mastercard were also affected after they refused to forward donations to the whistleblower organization WikiLeaks.

Operation Megaupload

In early 2012, Anonymous initiated DDoS attacks via LOIC in response to the closure of the file hosting company Megaupload. Targets included the websites of the FBI, the U.S. Department of Justice, U.S. film and music industry associations, and several record labels. According to the hacker collective, it was its largest attack campaign ever up to that point – a total of 5,635 people with their own LOIC instance are said to have participated.


How can you defend against traffic overload attacks by Low Orbit Ion Cannon?

Small LOIC attacks that attempt to overload a website with HTTP requests are still relatively easy to fend off. In such cases, it is sufficient to identify the IP addresses of the attackers and block or reject the attack traffic by means of a local firewall. In contrast, defending against TCP or UDP flood attacks, as well as larger HTTP flood attacks originating from hundreds or even thousands of LOIC clients simultaneously, requires a Web Application Firewall (WAF) or dedicated DDoS protection at the application level (Layer 7).

Protection systems for the network and transport layer (Layer 3 and 4), for example, do not recognize any difference between an HTTP flood attack and a valid download. Accordingly, to reliably detect attacks and secure a website or web application, companies need DDoS protection at all relevant layers. This is the only way operators can prevent attack-related disruptions and outages, which often result in a loss of revenue, reputation and trust.
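For the small HTTP floods described above, identifying the source IP addresses usually starts with the web server's access log. The following is an added example, not part of the original article: it flags clients whose request rate exceeds a threshold within a sliding time window. The combined log format, the threshold of 20 requests per 10 seconds, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: Apache/nginx "combined" log format, each client's entries in time order.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def flood_sources(lines, max_requests=20, window_seconds=10):
    """Return {ip: peak request count} for every client that exceeded
    max_requests within any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue              # skip malformed lines instead of failing
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > max_requests:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def build_sample():
    """Constructed log lines: one flooding client, one normal visitor, one bad line."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def entry(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "-"'
    lines = [entry("203.0.113.7", i // 10) for i in range(60)]    # 10 requests/s
    lines += [entry("198.51.100.20", i * 10) for i in range(5)]   # 1 request/10 s
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(build_sample()).items()):
        print(f"{ip}: {peak} requests in one window, candidate for a firewall block")
```

The returned addresses are candidates for a local firewall block list; the threshold needs tuning against normal traffic so that shared NAT gateways and legitimate crawlers are not blocked.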


Low Orbit Ion Cannon: What you need to know

Low Orbit Ion Cannon is a network stress testing tool that allows people without technical knowledge to perform illegal overload attacks on websites, web applications and APIs with just a few clicks. The tool enables coordinated HTTP, TCP and UDP flood attacks, the power of which increases with the number of LOIC instances interconnected via the botnet. To effectively protect against such attacks, enterprises should deploy dedicated DDoS protection at the application level.