Having a look at the DDOS tool used in the attacks today

Published: 2010-12-09
Last Updated: 2010-12-10 00:52:19 UTC
by Mark Hofman (Version: 2)

With the current wikileak driven DDOS attacks I thought I'd have a closer look at the tool being used to conduct the attack.

The tool that is being distributed if you wish to partake in the attack (and no that is not an invitation or endorsement) is an application called javaLOIC a Java port of Low Orbit Ion Cannon. A tool that can be used to test a site's resilience to DOS attacks. But obviously if you point it at someone else's the effect can be quite damaging.

To be honest there isn't really much to the application. A pretty screen with some buttons to press and a flood module that crafts some packets to send to the target to deal with.

You enter the twitter ID that has been communicated to you and then once you enter it on the screen you click the "Get Orders" button and when ready you click the "Fire!!" button. Other than that there isn't really that much to the application.

The application uses a hardcoded URL with an interchangeable twitter ID. It pulls a json file down and parses it for target, protocol and port information. When the "Fire!!!" Button is pressed a number of sessions are established with the target server (in my test cases 7 sessions were established). The string "hihihihihihihihihihihihihihihihi" is sent to the port (I assume this may be configurable). And that is basically it. The flood module cranks out multiple requests at a time and the target server gets busy

So in essence it is a whole bunch of people requesting a resource that is not available on the server. When you get enough people doing this, something has to give. In this case the web sites of the targets. If they have an IPS in place it may be as simple as looking for the above string to help slow the attack and keep the site up.

The twitter angle in this application piqued my interest, it is using the twitter API in a new and creative way, certainly one that hadn't readily occurred to me. However, I guess easy enough for twitter to deal with, but then it likely becomes a game of "wack-a-mole" of find the evil twitter account being used this time round.

Cheers

Mark H

UPDATE

A Java Script version of LOIC is also being used (thanks Jeff). As you can see from the screen shot it comes pre targeted, in this case paypal. There is also a mobile version which doesn't look as pretty and is currently not pre-targeted and uses the same http requests.

From the code it does a HTTP request from the target site and has some elements in the code as to not adversely affect the browser being used. Target changes are communicated via the IRC channel to participants. From the looks of it the code could easily be modified to "autofire" rather than require a user to chose to participate.

Keywords: DDOS tools

19 comment(s)

Firefox version 3.6.13 is being pushed out, time to update (thanks Vincent). Thunderbird 3.1.7 and 3.0.11 can also be added to the list as well as SeaMonkey 2.0.11. - M

Comments

cwqwqwq

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

dwqqqwqwq mashood

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

What's this all about ..?

password reveal .

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

https://thehomestore.com.pk/

Internet Storm Center

Having a look at the DDOS tool used in the attacks today

Comments

www

Nov 17th 2022
6 months ago

EEW

Nov 17th 2022
6 months ago

qwq

Nov 17th 2022
6 months ago

mashood

Nov 17th 2022
6 months ago

isc.sans.edu

Nov 23rd 2022
6 months ago

isc.sans.edu

Nov 23rd 2022
6 months ago

isc.sans.edu

Dec 3rd 2022
6 months ago

isc.sans.edu

Dec 3rd 2022
6 months ago

isc.sans.edu

Dec 26th 2022
5 months ago

isc.sans.edu

Dec 26th 2022
5 months ago

Having a look at the DDOS tool used in the attacks today

Comments

www

Nov 17th 20226 months ago

EEW

Nov 17th 20226 months ago

qwq

Nov 17th 20226 months ago

mashood

Nov 17th 20226 months ago

isc.sans.edu

Nov 23rd 20226 months ago

isc.sans.edu

Nov 23rd 20226 months ago

isc.sans.edu

Dec 3rd 20226 months ago

isc.sans.edu

Dec 3rd 20226 months ago

isc.sans.edu

Dec 26th 20225 months ago

isc.sans.edu

Dec 26th 20225 months ago

Nov 17th 2022
6 months ago

Nov 17th 2022
6 months ago

Nov 17th 2022
6 months ago

Nov 17th 2022
6 months ago

Nov 23rd 2022
6 months ago

Nov 23rd 2022
6 months ago

Dec 3rd 2022
6 months ago

Dec 3rd 2022
6 months ago

Dec 26th 2022
5 months ago

Dec 26th 2022
5 months ago