Wednesday, February 23, 2011

How to LOIC

Don't really know what to write about today, so I'm going to teach how to DoS a website using LOIC.

For those who don't know:
DoS = Denial of Service, not to be confused with DOS (disk operating system), or GLaDOS (Genetic Lifeform and Disk Operating System).
DDoS = distributed denial of service attack, which is linking a bunch of computers together to take down a target site.
LOIC = Low Orbit Ion Cannon, an easy-to-use GUI for performing DoS or DDoS attacks.
GUI = Graphical User Interface

How it works:
Basically DoS attacks work by overloading your target's servers with more page requests than they can handle.  This program called LOIC is capable of sending a lot of requests very fast.

Step 1:
Download LOIC.  You can get it at by clicking the big green download button.  Note that some antivirus products may give you a warning.  Mine identified it as a hacker tool, which it is, but it isn't harmful to MY system, so I told it not to worry about it.  It won't harm your comp, so don't worry.

Step 2:
Set your target.  This can be used for website stability testing by attacking your own site, it isn't purely for malicious purposes.  So umm I guess I should absolve myself of liability and tell you not to use this to break the law, or something.

Sooo, for this example let's say I own stock in Mastercard.  Since I own a share of the company I'd like to make sure my company's site is reliable.  In the "Select your Target" box you'd put in and click "Lock On".  If done correctly you'll see the target's IP number pop up in the display.  See pic for reference.

Step 3:
Attack mode and options.
TCP - this is the default and you shouldn't change it, for now.  Skip to step 4 until your IP gets banned.
UDP - sends junk requests in a different way, use this when your TCP requests stop working.
HTTP - actually calls the site's HTTP server and reports on successful/unsuccessful downloads to use up their bandwidth.  It won't work once the site goes down though.

Step 4:
Press the big button in the upper right that says "IMMA CHARGIN MAH LAZER".  If set up properly, your requests will climb.  If/When they stop increasing you can try restarting LOIC or changing your IP.  Or see step 3 and check out UDP mode.  It should look like this:

Other Notes:
The site in the background of the above picture is a useful tool for checking that a site is really down.  You can use it by going to

Using a proxy:  You can't LOIC with a proxy, the requests will hit the proxy and not the target and it defeats the purpose.
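An added example, not part of the original post: because the flood described under "How it works" arrives straight from the sender's own address (the proxy note above), a defender can spot it with a per-source request-rate check over the web server's access log. The log lines, addresses, and thresholds below are constructed assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def flag_flooders(lines, window_s=10, max_requests=50):
    """Return {ip: peak request count in any window_s-second window} for
    every source that exceeded max_requests (assumed thresholds)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the detector
        ip, ts = rec
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed log: 203.0.113.7 floods '/', 198.51.100.20 browses normally."""
    fmt = '{ip} - - [23/Feb/2011:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = []
    for s in range(30):
        if s < 5:  # 40 requests per second for five seconds
            lines += [fmt.format(ip="203.0.113.7", s=s, p="/")] * 40
        if s % 3 == 0:  # one page view every three seconds
            lines.append(fmt.format(ip="198.51.100.20", s=s, p="/about"))
    lines.append("garbage line that is not a log record")
    return lines

if __name__ == "__main__":
    print(flag_flooders(sample_log()))
```

The flagged addresses are what a rate limiter or firewall rule would then throttle or block, which is the ban the post and several commenters run into.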

Legal: DoSing (NOT DDoSing) is a legal grey area in most places but check local laws to be sure.  I've never heard of an arrest for a DoS, but have heard of a few for DDoSing (though it's incredibly rare and usually just if you're running the server).

Deciding who to target:  Use your power for good.  I know a lot of people used DDoS attacks against the Egyptian government recently to support the protests over there, and I approve of things like that.

Also Sony recently started banning modified PS3s from online services, and I personally think that if you paid good money for the machine, it's yours to modify however you want and maybe they should be denied some services themselves, but I'm not suggesting you go out and target on your own.  You wouldn't be likely to take them down without a strong network DDoS.  I just think they deserve the hit for what they're doing.

Support good or funny causes.  Hope somebody finds this article useful.  I just didn't have much to write about today.


  1. interesting post...never had the need to use stuff like this, and always worried about the trouble it might cause

  2. nice tutorial, but this will be an open door for all the script kiddies :D

  3. I remember windows 98 would Blue Screen from one Linux ping command LOL good stuff thanks :)

  4. I guess I know what I'm doing tonight :P

  5. Thanks for the info.

  6. Be careful bro, don't wanna see you get banned for a post like this :(

  7. @Chris C.
    i might cover that in a future post. thanks for the idea.

    yeah but i'm ok with that.

    yes it is, but DoS isn't always illegal.

    As i mentioned. It is legitimately useful for website stability testing, so I don't think they'd ban me for teaching this.

  8. @Chris C.
    I actually doubt i'll do a future post on it since i don't have linux installed on this machine currently. My advice would be look into slow loris, since I know there's a linux script for it somewhere...

    It's a different way to go about things, more of an http DoS or SYN flood, but it may still work depending on your goals with it.

    A good starting place for some info might be this link. :) hope it helps.

  9. Cheers dude - I've often wondered how dos attacks were carried out

  10. There are ways to DDOS without LOIC, which I prefer, as you don't rely on the software. I used to have an informational picture on it...

  11. lol...back to the iffy stuff, eh? I'm actually glad I learn this. I didn't know there was an easy to use GUI for this stuff haha.

  12. wow, very interesting and useful, thanks.
    Has anyone really used it? and can you do something alone or need a big group?

  13. Very useful, definitely will only use this to "test" site stability ;).

  14. Interesting about the egyptian dos'ing. That's a good way to look at it, though I heard of a few recent arrests about ddosing

  15. @Rondariel,
    yeah i have that pic somewhere too, LOIC is just popular and easy so i figured I'd just write about that for now.

    yes, i've used it successfully, and it depends on the site you want to point it at. that shot of mastercard getting taken down was not done solo. but you could probably test the stability of some smaller sites on your own.

    yeah during operation payback in december i know somebody in the netherlands got arrested for DDoS'ing postfinance bank, but it's pretty uncommon.

  16. Very interesting :) Thanks for the information! :D

  17. not planning on doing this anytime soon, but it's interesting to know more about it.

  18. I've actually always wondered what people were talking about when they received a DoS attack, but I was always too bothered to actually look it up.

  19. one of the few ways we can come together to fight an unjust cause.

  20. so this is how its done...interesting

  21. very interesting read, i might try this.
    following ;)

  22. instantly clicked follow when i saw the title. nice work!

  23. Man the harpoons--errrrr....yeah, I guess this would work instead. :)

  24. This is a really great post, I learned so much here. I always wondered how this worked.

  25. Nice, I definitely didn't know this crap. Thank you for the info, good sir!

  26. I might use this sometime. Thanks for the info.

  27. I'll keep that in mind, although in need quite a long work. Thanks!

  28. will it knock an individual user offline... Like my neighbor?

  29. nope sorry anon, it isn't really good for that.

  30. why don't my request numbers move? it just sits at zero

  31. i used the loic to test one of my sites and now i can't access any website from that server (i think they blocked my ip). does the block ever get taken down or is there a way to get rid of it?

  32. Since it won't go through proxy servers, does that mean that the people that I DDoS can directly track my IP back to my address?

    If so, then would having a dynamic IP actually make a difference?

  33. German prisoners need dos app 4 f***king android 2.2 phone ...we will attack motherf***king justice if anybody help us ....

  34. can i use a vpn rather than a proxy?

  35. Yes it did open for the script kiddies like myself thanks for the post/tutorial I'm a script kiddy but getting there I need to upgrade my Machine