Wednesday, February 23, 2011

How to LOIC

Don't really know what to write about today, so I'm going to teach how to DoS a website using LOIC.

For those who don't know:
DoS = Denial of Service, not to be confused with DOS(disk operating system), or GLaDOS (Genetic Lifeform and Disk Operating System). 
DDoS = distributed denial of service attack, which is linking a bunch of computers together to take down a target site.
LOIC = Low Orbit Ion Cannon, an easy to use GUI, for performing DoS or DDoS attacks.
GUI = Graphical User Interface

How it works:
Basically DoS attacks work by overloading your target's servers with more page requests than they can handle.  This program called LOIC is capable of sending a lot of requests very fast.

Step 1:
Download LOIC.  You can get it at http://sourceforge.net/projects/loic/ by clicking the big green download button.  Note that some antivirus products may give you a warning.  Mine identified it as a hacker tool, which it is, but it isn't harmful to MY system, so i told it not to worry about it.  It won't harm your comp, so don't worry.

Step 2:
Set your target.  This can be used for website stability testing by attacking your own site, it isn't purely for malicious purposes.  So umm I guess I should absolve myself of liability and tell you not to use this to break the law, or something.

Sooo, for this example lets say I own stock in mastercard.  Since I own a share of the company I'd like to make sure my company's site is reliable.  In the "Select your Target" box you'd put in www.mastercard.com and click "Lock On".  If done correctly you'll see the targets IP number pop up in the display.  See pic for reference.






Step 3:
Attack mode and options.
TCP - this is the default and you shouldn't change it, for now.  Skip to step 4 until your IP gets banned.
UDP - sends junk requests in a different way, use this when your TCP requests stop working.
HTTP - actually calls the sites http server and reports on successful/unsuccessful downloads to use up their bandwidth.  It won't work once the site goes down though.

Step 4:
Press the big button in the upper right that says "IMMA CHARGIN MAH LAZER".  If set up properly, your requests will climb.  If/When they stop increasing you can try restarting LOIC or changing your IP.  Or see step 3 and check out UDP mode.  It should look like this:





Other Notes:
The site in the background of the above picture is a useful tool for checking that a site is really down.  You can use it by going to http://www.downforeveryoneorjustme.com/

Using a proxy:  You can't LOIC with a proxy, the requests will hit the proxy and not the target and it defeats the purpose.

Legal: DoSing(NOT DDoSing) is a legal grey area in most places but check local laws to be sure.  I've never heard of an arrest for a DoS, but have heard of a few for DDoSing(though it's incredibly rare and usually just if you're running the server).

Deciding who to target:  Use your power for good.  I know a lot of people used DDoS attacks against the Egyptian government recently to support the protests over there, and I approve of things like that.

Also sony recently started banning modified PS3s from online services, and I personally think that if you paid good money for the machine, it's yours to modify however you want and maybe they should be denied some services themselves, but I'm not suggesting you go out and target Sony.com on your own.  You wouldn't be likely to take them down without a strong network DDoS.  I just think they deserve the hit for what they're doing.

Support good or funny causes.  Hope somebody finds this article useful.  I just didn't have much to write about today.

50 comments:

  1. interesting post...never had the need to use stuff like this, and always worried about the trouble it might cause

    ReplyDelete
  2. nice tutorial, but this will be an open door for all the script kiddis :D

    ReplyDelete
  3. I remember windows 98 would Blue Screen from one Linux ping command LOL good stuff thanks :)

    ReplyDelete
  4. I guess I know what I'm doing tonight :P

    ReplyDelete
  5. Be careful bro, don't wanna see you get banned for a post like this :(

    ReplyDelete
  6. @Chris C.
    i might cover that in a future post. thanks for the idea.

    @Anon,
    yeah but i'm ok with that.

    @Rose,
    yes it is, but DoS isn't always illegal.

    @Isaac,
    As i mentioned. It is legitimately useful for website stability testing, so I don't think they'd ban me for teaching this.

    ReplyDelete
  7. @Chris C.
    I actually doubt i'll do a future post on it since i don't have linux installed on this machine currently. My advice would be look into slow loris, since I know there's a linux script for it somewhere...

    It's a different way to go about things, more of an http DoS or SYN flood, but it may still work depending on your goals with it.

    A good starting place for some info might be this link. :) hope it helps.

    ReplyDelete
  8. Cheers dude - I've often wondered how dos attacks were carried out

    ReplyDelete
  9. There are ways to DDOS without LOIC, which I prefer, as you don't rely on the software. I used to have an informational picture on it...

    ReplyDelete
  10. lol...back to the iffy stuff, eh? I'm actually glad I learn this. I didn't know there was an easy to use GUI for this stuff haha.

    ReplyDelete
  11. wow, very interesting and useful, thanks.
    Has anyone really used it? and can you do something alone or need a big group?

    ReplyDelete
  12. Very useful, definitely will only use this to "test" site stability ;).

    ReplyDelete
  13. Interesting about the egyptian dos'ing. That's a good way to look at it, though I heard of a few recent arrests about ddosing

    ReplyDelete
  14. @Rondariel,
    yeah i have that pic somewhere too, LOIC is just popular and easy so i figured I'd just write about that for now.

    @Havuelete,
    yes, i've used it successfully, and it depends on the site you want to point it at. that shot of mastercard getting taken down was not done solo. but you could probably test the stability of some smaller sites on your own.

    @Frosty,
    yeah during operation payback in december i know somebody in the netherlands got arrested for DDoS'ing postfinance bank, but it's pretty uncommon.

    ReplyDelete
  15. Very interesting :) Thanks for the information! :D

    ReplyDelete
  16. not planning on doing this anytime soon, but it's interesting to know more about it.

    ReplyDelete
  17. I've actually always wondered what people were talking about when they received a DoS attack, but I was always too bothered to actually look it up.

    ReplyDelete
  18. one of the few ways we can come together to fight an unjust cause.

    ReplyDelete
  19. so this is how its done...interesting

    ReplyDelete
  20. very interesting read, i might try this.
    following ;)

    ReplyDelete
  21. instantly clicked follow when i saw the title. nice work!

    ReplyDelete
  22. Man the harpoons--errrrr....yeah, I guess this would work instead. :)

    ReplyDelete
  23. This is a really great post, I learned so much here. I always wondered how this worked.

    ReplyDelete
  24. Nice, I definitely didn't know this crap. Thank you for the info, good sir!

    ReplyDelete
  25. I might use this sometime. Thanks for the info.

    ReplyDelete
  26. I'll keep that in mind, although in need quite a long work. Thanks!

    ReplyDelete
  27. will it knock an individual user offline... Like my neighbor?

    ReplyDelete
  28. nope sorry anon, it isnt really good for that.

    ReplyDelete
  29. why dont my request numbers move? it just sits at zero

    ReplyDelete
  30. i used the loic to test one of my sites and now i cant access any website from that server (webs.com). i think they blocked my ip, does the block ever get taken down or is there a way to get rid of it?

    ReplyDelete
  31. Since it won't go through proxy servers, does that mean that the people that I DDoS can directly track my IP back to my address?

    If so, then would having a dynamic IP actually make a difference?

    ReplyDelete
  32. German prisoners need dos app 4 f***king android 2.2 phone ...we will attack motherf***king justice if anybody help us ....

    ReplyDelete
  33. can i use a vpn rather than a proxy?

    ReplyDelete
  34. Yes it did open for the scripot kiddies like myself thanks for the post/tutorial I'm a script kiddy but getting there I mneed to upgrade my Machine excusemina@gmail.com

    ReplyDelete