LOIC (low orbit ion cannon) - DOS attacking tool

Deepanker Verma
December 21, 2011 by
Deepanker Verma

The DOS (Denial of service) attack is one of the more powerful hacks, capable of completely taking a server down. In this way, the server will not be able to handle the requests of valid users. With a DOS attack, many computer systems connected to the internet will try to flood a server with false requests, leading to a service disruption. There are many ways in which an attacker can enact this attack on a server system over the network or the internet. Some hackers try this attack with their own coded tools while others use previously available tools.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

A LOIC (Low Orbit Ion Cannon) is one of the most powerful DOS attacking tools freely available. If you follow news related to hacking and security issues, you doubtless have been hearing about this tool for the past several months. It has become widely used, including in some highly-publicized attacks against the PayPal, Mastercard and Visa servers a few months back. This tool was also the weapon of choice implemented by the (in)famous hacker group, Anonymous, who have claimed responsibility for many high profile hacking attacks, among them, hacks against Sony, the FBI and other US security agencies. The group not only used this tool, but also requested that others download it and join Anonymous attacks via IRC.

In this brief article, I will give an overview and operational model of the tool. There are 2 versions of the tool: the first is the binary version, which is the original LOIC tool. The other is web-based LOIC or JS LOIC.

Figure 1: Original LOIC

About the original LOIC tool

The LOIC was originally developed by Praetox Technologies as a stress testing application before becoming available within the public domain. The tool is able to perform a simple dos attack by sending a large sequence of UDP, TCP or HTTP requests to the target server. It's a very easy tool to use, even by those lacking any basic knowledge of hacking. The only thing a user needs to know for using the tool is the URL of the target. A would-be hacker need only then select some easy options (address of target system and method of attack) and click a button to start the attack.

The tool takes the URL of the target server on which you want to perform the attack. You can also enter the IP address of the target system. The IP address of the target is used in place of an internal local network where DNS is not being used. The tool has three chief methods of attack: TCP, UDP and HTTP. You can select the method of attack on the target server. Some other options include timeout, TCP/UDP message, Port and threads. See the basic screen of the tool in the snapshot above in Figure 1.

The LOIC version used by Anonymous group attacks was different than the original LOIC. It had an option to connect the client to the IRC (Internet Relay Chat). This allowed the tool to be remotely controlled, using the IRC protocol. In that case, the user machine became part of a botnet. A botnet is a system of compromised computer systems connected to each other via the internet, which are in turn controlled by the attacker who directs the malware toward his / her target. The bigger the botnet, the more powerful the attack is.

Figure 2: Modified version of LOIC with an option for IRC connect

Type of attacks

As I'd mentioned previously, the LOIC uses three different types of attacks (TCP, UDP and HTTP). All three methods implement the same mechanism of attack. The tool opens multiple connections to the target server and sends a continuous sequence of messages which can be defined from the TCP/UDP message parameter option available on the tool. In the TCP and UDP attacks, the string is sent as a plain text but in the HTTP attack, it is included in the contents of a HTTP GET message.

This tool continues sending requests to the target server; after some time, the target server becomes overloaded. In this way, the target server will no longer be able to respond to requests from legitimate users, effectively shutting it down.

Analysis of the attack

UDP Attack: To perform the UDP attack, select the method of attack as UDP. It has port 80 as the default option selected, but you can change this according to your need. Change the message string or leave it as the default.

TCP Attack: This method is similar to UDP attack. Select the type of attack as TCP to use this.

HTTP Attack: In this attack, the tool sends HTTP requests to the target server. A web application firewall can detect this type of attack easily.

How to use LOIC to perform a Dos attack: Just follow these simple steps to enact a DOS attack against a website (but do so at your own risk).

  • Step 1: Run the tool.
  • Step 2: Enter the URL of the website in The URL field and click on Lock O. Then, select attack method (TCP, UDP or HTTP). I will recommend TCP to start. These 2 options are necessary to start the attack.

Figure3: LOIC in action (I painted the URL and IP white to hide the identity of the victim in snap)

  • Step 3: Change other parameters per your choice or leave it to the default. Now click on the Big Button labeled as "IMMA CHARGIN MAH LAZER." You have just mounted an attack on the target.

After starting the attack you will see some numbers in the Attack status fields. When the requested number stops increasing, restart the LOIC or change the IP. You can also give the UDP attack a try. Users can also set the speed of the attack by the slider. It is set to faster as default but you can slow down it with the slider. I don't think anyone is going to slow down the attack.

Here's the meaning of each field:

  • IDLE: It shows the number of threads idle. It should be zero for higher efficiency of the attack.
  • Connecting: This shows the number of threads that are trying to connect to the victim server.
  • Requesting: This shows the number of threads that are requesting some information from the victim server.
  • Downloading: This shows the number of threads that are initiating some download for some information from the server.
  • Downloaded: This number shows how many times data downloading has been initiated from victim server on which you are attacking.
  • Requested: This number shows how many times a data download has been requested from victim server.
  • Failed: This number shows how many times the server did not respond to the request. A larger number in this field means the server is going down. The success of the attack can be measured by the number shown in this field.


The windows version of LOIC has a feature called HIVEMIND. With this, users can connect their client to an IRC server. In this way, it can be controlled remotely, thus facilitating some risky attacks, so use this wisely. But connecting to an IRC server will not allow a remote administration of your machine or any other risks to your system: it will only control your LOIC client. This method was used to collect more people in the DDOS attack against Visa, Mastercard, and other financial organizations that supported Wikileaks. (The attack was called "Operation Pay-back.")

In this mode, thousands of system attacks on a single website to made a real impact. The more people that joined the attack via IRC, the more powerful the attack became.

To start LOIC in HIVEMIND mode, run this command in the command prompt:

LOIC.exe /hivemind irc.server.address

After running the above command, your LOIC client will connect to irc://irc.server.adress:6667/loic

You can also set more parameters in the command to use the tool in better way. Use port and channel too with the command.

LOIC.exe /hivemind irc.server.address 1234 #secret

It will connect to irc://irc.server.adress:1234/secret

Hidden mode

You can also run your LOIC in hidden mode while using it in HIVEMIND. Running in hidden mode means LOIC will run without any visible GUI at your windows system. Just add /HIDDDEN in your command.

LOIC.exe /hidden /hivemind irc.server.address

It will connect LOIC client to irc://irc.server.adress:6667/loic without any visible GUI on windows.

Web-based LOIC (JS LOIC)

This version of LOIC was released on 9th December, 2010. This web- based tool runs only on JavaScript-enabled web browsers. In JS LOIC, JS stands for JavaScript This version of LOIC sends an ID and message with lots of connections with each ID and message. This is easier to use than the desktop version. Just visit the web page with a single HTML file and start the attack. The attack power of this version is same as from the desktop.

Drawbacks of using LOIC

The main drawback of LOIC as a DOS attack tool is that it is very easy to find the attacker. This tool does not take any precautions to hide IP address of the origin of the attack. Attacks generated by this tool are simple and expose the IP address of attacker in each request packet sent to victim server to flood the request queue. If you are thinking that we can use proxies to solve this problem, you are wrong. Attackers cannot use proxies in these attacks because your requests will hit the proxy server, not the target server. So you will not be able to launch a DOS attack on the server effectively while using a proxy. But some analysts say that this can be used with a proxy server if the proxy is robust enough. According to them, all your request packets will be forwarded to the server system by proxy at the end.

How to prevent the attack of LOIC

LOIC is available for free to download and use, and can be used effectively with very little hacking experience. Anyone that wants to can attack a website with this tool.

As discussed above, the attack of this tool is simple and easy to identify. A well-configured firewall is enough to prevent the attack from being fully effective. And a server administrator can see the request logs to identify the IP and block the IP from the server. Every website owner or server administrators should monitor the traffic and all the activities being performed on the server. This can help well enough against the attack. But this will not help you when a network of LOIC clients will fire on the server system all at once. Protecting the server with a Firewall configured to filter the packets sent by the LOIC is the best way to protect against the attack.


In past few months, this tool was downloaded millions of times and used against some big websites such as Mastercard, Visa, and PayPal to support Wikileaks. The group known as Anonymous used this tool to attack these websites, but it was not traceable. A lot of people joined the team with the IRC network, so no one knows who the real persons behind the group were, within such a large network of systems used in the attacks.

Use of this tool means sending some one threatening messages with your address and phone number. You will be easily caught. In some countries, a DOS attack is not illegal. You can use this tool as an individual, but this tool is not going to help you if you will use it with your system alone. You will need a network of systems to join your attack. This tool is easy to use and see the demonstration of DOS attack. But try it on your own risk.

This tool is available for free on the internet so any person can download it and create a problem for any website. Although catching the attacker is easy, protection against such an attack is relatively easy to achieve. I suggest each company and server administrator make sure that their firewall is configured to protect from the attack generated by LOIC.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Deepanker Verma
Deepanker Verma

Deepanker Verma is a computer geek who loves to play with security. He is the founder of a leading security website www.hackingtricks.in where he writes about hacking and security related topics. He has also conducted some ethical hacking workshops in India and trained many students. He has been published in the IJCSIS journal, and has written a security article on CSRF vulnerability for an IEEE conference. He also works as a researcher at InfoSec Institute.