Defending against the Low-Orbit-Ion-Cannon (LOIC)

David Holmes, 2012-23-01
It’s been a busy week for the security analysts at F5. The SOPA bill has been getting its technical teeth pulled out by the
likes of Dan Kaminsky during congressional hearings but passions around the social implications of the bill are running
high.
On Wednesday, January 18th, federal agencies from the US and New Zealand moved in on media-distribution site
MegaUpload.com, citing unauthorized media distribution as their charge. This was interpreted as the modern-day
sinking of the USS Merrimack in this skirmish between SOPA backers and their opponents. The hacktivist group
Anonymous, always ready for a fight, rallied around the MegaUpload.com seizures and launched distributed denial-of-service (DDoS) attacks against the United States Department of Justice (www.justice.gov) and Warner Brothers'
Universal Music group (www.universalmusic.com). Both sites were down on Wednesday and Thursday. In an insightful
tweet, cryptographer Matt Blaze (author of my pseudo-random number generator) pointed out the irony of the situation:
For the attack distribution, members of Anonymous modified the JavaScript version of their tool, dubbed the Low-Orbit-Ion-Cannon (LOIC), so that not only would it attack the Justice Department, it would do so if a user simply browsed to a
page containing the JavaScript itself. This particular version of the LOIC only performs HTTP floods (unlike the Windows
client, which also does SYN floods and UDP floods).
As you can see from this JavaScript version of the LOIC, there is a message that the individual attacker can send in as
part of the payload of their attack: in this case, the default message is “Somos legión!” (“We are legion!”). The message is
appended to the URI as “msg=Somos%20legión!”. Security vendors can customize their defense solutions to watch
for this string and block those connections (or even black-list the originating IPs if they so choose; the LOIC has never
bothered to cloak its users).
Scanning a URI for specific strings is something that is particularly easy to do with F5’s iRules. With just a few minutes
spent on the DevCentral site’s tutorial section, you can create a simple iRule that looks for the default message and then
drops the associated connection. However, since Anonymous (or some other group or subgroup) may change the
message in the future, the iRule can be enhanced to reference a string class to which one can add more strings should
the message change. In the iRule below, we’ve added the original LOIC message that was used during the Wikileaks
attacks of 2010, “U dun goofed.”
First, create a string class and add additional payload strings as you see fit (replace spaces with %20).
    ltm data-group anonmsgs {
        records {
            Somos%20legi { }
            U%20dun%20goofed { }
        }
        type string
    }
Then create this iRule that references the string class.
    ltm rule loic_defense_class {
        when HTTP_REQUEST {
            # Substring match of the request URI against every entry in the anonmsgs class
            if { [class match [HTTP::uri] contains anonmsgs] } {
                # Record the source before discarding the connection
                log local0. "2012 attack from [IP::client_addr]:[TCP::client_port]"
                drop
            }
        }
    }
While this particular iRule is written and tested specifically against the JavaScript version of the LOIC, the technique is
applicable against any attack that includes a static payload. If your site is being attacked by any such tool using a
recognizable payload, simply deploy this iRule or a similar one on the BIG-IPs in front of your servers.
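As an added illustration, not code from the article or from F5, here is the same static-payload check run offline over constructed access-log lines in Python. It goes one step beyond the iRule's raw "contains" match by percent-decoding and lower-casing both sides, so that "+" for space, case changes and either common encoding of "ó" still hit the same data-group entries, and it counts hits per client IP as input for the block-list option mentioned above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# The same payload strings the article's data-group holds, spaces written as %20.
ANON_MSGS = ["Somos%20legi", "U%20dun%20goofed"]

# Constructed sample access-log lines (Common Log Format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2012:14:02:11 +0000] "GET /?id=1&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 512
198.51.100.7 - - [19/Jan/2012:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 4096
203.0.113.10 - - [19/Jan/2012:14:02:12 +0000] "GET /?id=2&msg=Somos%20legi%F3n! HTTP/1.1" 200 512
192.0.2.44 - - [19/Jan/2012:14:02:13 +0000] "GET /?msg=U+DUN+GOOFED HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')

def normalize(text: str) -> str:
    """Percent-decode ('+' counts as space), tolerate non-UTF-8 bytes such as %F3, lowercase."""
    return unquote_plus(text, errors="replace").lower()

def match_signature(uri: str, sigs=ANON_MSGS):
    """Return the first data-group entry contained in the URI, or None.

    The iRule's 'class match ... contains' is a raw substring test; normalizing
    both sides first also catches '+' for space and case changes."""
    norm_uri = normalize(uri)
    for sig in sigs:
        if normalize(sig) in norm_uri:
            return sig
    return None

def scan_access_log(log_text: str, sigs=ANON_MSGS):
    """Return (ip, uri, signature) for every request whose URI carries a known payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sig = match_signature(m.group("uri"), sigs)
        if sig:
            hits.append((m.group("ip"), m.group("uri"), sig))
    return hits

def hits_per_client(hits):
    """Count flagged requests per source IP, the figure a block-list decision would look at."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip, uri, sig in found:
        print(f"{ip} sent {uri!r} (matched {sig})")
    print(dict(hits_per_client(found)))
```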
If you are the victim of a more sophisticated DDoS campaign, perhaps one using SYN floods, connection floods and UDP floods,
there is an existing DevCentral article that details how to tune your BIG-IP for the best defense. The Windows version of
LOIC, for example, launches SYN floods and UDP floods in addition to its HTTP floods. Happily, the SYN Check feature will
kick in automatically on the BIG-IP, but temporarily blocking UDP at the virtual level is something that may require manual
configuration if UDP is already being allowed by the application (an atypical configuration for most enterprise and data
center applications).
Debate around SOPA, PIPA and the new OPEN bill is still ongoing. Though some view the current controversy as
digital media vs. internet freedom, a colleague of mine suggested a more nuanced analysis:
“It’s not about internet freedom vs. media piracy, it’s about the shifting terrain of intellectual property
rights, and the business models of the major industries involved being put at risk by changing
consumer consumption patterns.”
F5 Networks, Inc. | 401 Elliot Avenue West, Seattle, WA 98119 | 888-882-4447 | f5.com
©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5
trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no
endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113