While I largely believe in what 4Chan stands for, especially when it put a stop to ACS:Law sending threat letters to pensioners who were in fact innocent of copyright theft, the methods are still questionable. Only a small minority of Anonymous are real hackers who know how LOIC works, can write their own scripts, and are familiar enough with the law to get themselves out of trouble if they get caught. The rest are putting themselves at risk, at least until the hackers there start employing the more effective ways of slowing down servers and covering their tracks, unless they’re already doing that and using LOIC as cover.

Readers should also be aware this is an entirely different game from previous efforts that took down the copyright law firms. The current targets are larger companies who employ real hackers and professionals to manage their servers, which is why relatively little disruption has been caused.
Hopefully this post will give enough information to deter those who don’t know the risks from joining Anonymous and ending up with a 10 year prison sentence.

Overview
Sophos Security, who have taken a less tolerant attitude to LOIC since 2008, have posted a more general introduction to the code on their site. This post goes into a little more detail. A LOIC DDoS attack works like this:
– Download the LOIC client
– Configure the client to connect to an IRC server
– The target gets flooded with requests from the LOIC clients operating in ‘Hive’ mode.

This is a classic Distributed Denial of Service (DDoS) using a botnet, except in this case people volunteer to join it. It’s important to note the LOIC client is a legitimate security testing application, apparently developed by Praetox Technologies. It does not include code for masking the originator’s IP address, which will show up somewhere on the target server’s logs and can easily be traced back to the user’s ISP account, and eventually the local router. A couple of teenagers have already been arrested and police are now investigating the latest round of DDoS attacks.

Source Code
The C# source code for the LOIC client is available at GitHub for anyone who wants to look at it, and the executable should be found in the /bin directory. Readers might want to test the client on their own servers to see what shows up on the logs.
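For readers who do test the client against their own server, the script below is an added example (not part of the original post, and not LOIC's own code) of what to look for in the resulting access log. It runs over a handful of constructed Apache "combined"-format lines and picks out the client IP whose one-second request rate looks like a LOIC HTTP flood, then lists that IP's distinct request lines so the flood "message" string stands out. The 20-requests-per-second threshold, and the assumption that a raw TCP payload the server cannot parse shows up as the request line of a 400 entry, are both assumptions rather than anything LOIC or Apache guarantee.

```python
"""Pick a LOIC-style flood out of a web server access log.

Added example: not part of the original post and not LOIC's own code.
The log lines are constructed; the 20 req/s threshold is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx 'combined' format: IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary visitor, one LOIC client in HTTP mode hitting "/"
# 39 times in the same second, and (assumed rendering) one raw-TCP "message" payload
# that the server could not parse and logged as a 400.
LEGIT = (
    '203.0.113.7 - - [10/Dec/2010:20:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2010:20:15:03 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
)
FLOOD = '198.51.100.23 - - [10/Dec/2010:20:15:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"'
TCP_PAYLOAD = '198.51.100.23 - - [10/Dec/2010:20:15:02 +0000] "Enjoy_the_DDoSEnjoy_the_DDoS" 400 226 "-" "-"'
SAMPLE_LOG = [LEGIT[0]] + [FLOOD] * 39 + [TCP_PAYLOAD, LEGIT[1]]


def parse_line(line):
    """Return (ip, timestamp, request line, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def peak_rate_per_ip(lines):
    """Highest number of requests each client IP produced within one clock second."""
    buckets = defaultdict(Counter)  # ip -> Counter keyed by whole-second timestamp
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        buckets[ip][ts.replace(microsecond=0)] += 1
    return {ip: max(c.values()) for ip, c in buckets.items()}


def find_flooders(lines, threshold=20):
    """IPs whose one-second peak meets the threshold, busiest first: [(ip, peak), ...]."""
    peaks = peak_rate_per_ip(lines)
    return sorted(((ip, n) for ip, n in peaks.items() if n >= threshold),
                  key=lambda item: item[1], reverse=True)


def request_lines_for(lines, ip):
    """Distinct request lines a given IP sent, with how often each appeared.

    Non-HTTP garbage here (such as a LOIC 'message' string) points at the TCP method;
    the same path repeated hundreds of times points at the HTTP method."""
    seen = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == ip:
            seen[parsed[2]] += 1
    return dict(seen)


if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG):
        print(f"{ip}: {peak} requests in one second")
        for req, n in request_lines_for(SAMPLE_LOG, ip).items():
            print(f"    {n:>3}x {req!r}")
```

The point of the per-second bucket is that a volunteer LOIC client is a single, unmasked IP: it has nothing to hide behind, so the busiest address in any one-second window is usually the attacker, and that address maps straight to an ISP account, as the post says.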
Most of the files are for creating the interface, but three of them are of interest:
frmMain.cs
HTTPFlooder.cs
Program.cs

Main Form/GUI Code
The file frmMain.cs generates the main part of the user interface, and is where the user specifies the URL or IP address of the target server. When the IMMA CHARGIN MAH LAZER command is received, the program runs a series of checks for valid addresses, port numbers, payload, etc. before running the DDoS code for whichever of the three methods (TCP, UDP or HTTP) is selected, until the Stop Flooding command is entered.

The rest of the code in that file is for displaying the current status of the attack.

IRC and Hive Mode
In ‘Hive’ mode, which is enabled by entering /hivemind, commands are sent to the LOIC client through IRC. The IRC server, channel and port are set through one of the Windows forms and defined in Program.cs, which uses the C# SmartIRC4NET library.

As you can see in the code, the default is channel #loic at port 6667. In this mode, the user has volunteered to join the botnet which collectively sends requests to whatever Anonymous decides the target is.

A typical command received by the client through IRC sets the parameters:
default targethost=http://server.com subsite=/ speed=3 threads=15 method=tcp message=Enjoy_the_DDoS port=80 start
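To make the command above concrete, here is an added example (not LOIC's own code) of how a hive-mode client would turn that line into attack parameters and apply the kind of sanity checks the post describes before starting. The accepted method names (tcp, udp, http), the default port and thread count, and the treatment of unrecognised bare words such as the leading "default" are assumptions, not something taken from the LOIC source.

```python
"""Interpret a LOIC 'Hive' IRC command of the form shown in the post.

Added example, not LOIC's own code. The accepted method names, the defaults and
the exact checks are assumptions based on the source files named in the post.
"""
from urllib.parse import urlparse

VALID_METHODS = {"tcp", "udp", "http"}   # assumed: the three flood methods


def parse_hive_command(text):
    """Split 'key=value' tokens into a dict and return (params, action).

    action is 'start', 'stop' or None. Bare words that are neither (such as the
    leading 'default' in the post's example) are ignored; keys are lower-cased."""
    params, action = {}, None
    for token in text.split():
        if "=" in token:
            key, value = token.split("=", 1)
            params[key.lower()] = value
        elif token.lower() in ("start", "stop"):
            action = token.lower()
    return params, action


def build_target(params):
    """Apply the pre-flood sanity checks; raise ValueError if anything is off.

    Returns the host (scheme stripped if a URL was given), port, method, thread
    count, sub-path and the payload string the target sees with tcp/udp."""
    raw = params.get("targethost", "")
    host = urlparse(raw).hostname if "://" in raw else raw
    if not host:
        raise ValueError("targethost missing or unparseable")
    try:
        port = int(params.get("port", "80"))        # assumed default
        threads = int(params.get("threads", "1"))   # assumed default
    except ValueError:
        raise ValueError("port and threads must be integers") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if threads < 1:
        raise ValueError("threads must be at least 1")
    method = params.get("method", "tcp").lower()
    if method not in VALID_METHODS:
        raise ValueError(f"unknown method {method!r}")
    return {
        "host": host,
        "port": port,
        "method": method,
        "threads": threads,
        "subsite": params.get("subsite", "/"),
        "message": params.get("message", ""),
    }


if __name__ == "__main__":
    # The command quoted in the post, split here only for line length.
    command = ("default targethost=http://server.com subsite=/ speed=3 "
               "threads=15 method=tcp message=Enjoy_the_DDoS port=80 start")
    params, action = parse_hive_command(command)
    print(action, build_target(params))
```

Note what the volunteer is handing over: whoever controls the channel topic or can post in #loic picks the host, port and method, and the client follows without asking the user, which is exactly the "botnet by consent" the post describes.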
