Low-Orbit Ion Canon

Recently there was an attack on Visa and Mastercard using the Low-Orbit Ion Cannon, an application that allows anyone to install the application, plug in an IRC server and port and then the attacking group can target whatever they want in a synchronized manner. I decided to spend some time to analyze the traffic streamed by the tool. I installed the tool in our test setup and started playing around with various options. The tool provides many options to stream traffic. By using manual setting, the tool can be set to stream the HTTP, TCP and UDP traffic on port 80. When we select TCP Option, as shown in figure 1.0, by default the tool sends “U dun goofed” in TCP packets. This default keyword can be changed. The request which is being generated by the tool is a malformed request since GET and POST request is missing.

Figure 1.0 showing the normal TCP requestgenerated by the tool When we select HTTP option as shown in figure 2.0, normal HTTP request is generated by the tool.

By using HTTP, TCP and UDP options, the tool can be used to generate a larger amount of request, thus flooding a web server with the fake requests leading to denial of service. It can be customized to generate a wide variety of traffic; also since the HTTP traffic can be a normal request, which further makes it challenging to detect it over the wire. Alert logic customers are protected by the default and other known variant of the traffic which is streamed by the tool. Acknowledgement The author would like to express his gratitude and thanks to Johnathan for providing feedback