We dissected the tool LOIC (Low Orbit Ion Cannon), made popular by the hacktivist group Anonymous. This tool uses the processor core count to determine how many threads it will use when sending its floods. These threads can be ordered to attack multiple targets simultaneously with very little modification to its code. Deriving the thread count from the core count is a safe way of allowing the tool to run with very little processing power.
We amplified the effect of LOIC by replacing the core-based approach with a .NET 4.0 Parallelism methodology. With this approach the number of threads and the division of labor across the CPU is managed by the .NET framework rather than hard-coded to the number of cores. This simple modification let the runtime determine whether each core could handle more threads, which greatly increased the effect: we observed over a 400% increase in the number of flood packets released with minimal increase in CPU utilization.
Other features of the Parallelism framework, such as an adjustable CPU utilization technique, allowed us to get a further increase in sent packets by adjusting CPU usage to balance a set amount of CPU thread cycles against what the other applications (and the user) are utilizing on the given system. This adjustment can actually lead to a deadlock condition in which the tool runs out of source ports to send packets from, because too many simultaneous threads are opening or closing sockets when the level is set too high or when there are few competing applications' threads vying for cycles.
After collating the results from our eight test environments, we observed an average unaltered LOIC output of 10,300 connections/second. Our parallelized LOIC hit a ceiling of 64,500 connections/second and averaged 52,400 connections/second over time, a 500% (5x) increase in effectiveness over the original code.
The implications of the new feature sets within the .NET Parallel namespace will likely greatly amplify the effect, number and types of attacks being sent across the internet and within private networks. As more malware authors adopt these new features, we will need to be ever more vigilant on both DoS protection and malware prevention, as the virality of malware and the effectiveness of DoS attacks will increase dramatically.
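On the defensive side, the figures above (roughly 10,000 to 50,000 new connections per second from a single host) sit orders of magnitude above any legitimate client, so a per-source connection-rate check catches both the original and the parallelized tool. The following is an added example, not code from the original post: it parses constructed connection log lines (timestamp, source, destination, flag; the format and the addresses are assumptions) and reports the sources whose peak one-second connection count exceeds a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: new TCP connections as a firewall or load balancer
# might log them. Two ordinary clients open one connection per second;
# one source opens 1,500 connections inside a single second.
def build_sample():
    base = datetime(2013, 2, 1, 10, 0, 0)
    events = []
    for i in range(6):
        events.append((base + timedelta(seconds=i), "203.0.113.5"))
        events.append((base + timedelta(seconds=i, milliseconds=500), "203.0.113.6"))
    for i in range(1500):
        events.append((base + timedelta(seconds=2, microseconds=i * 600), "198.51.100.77"))
    return ["%s src=%s dst=192.0.2.10:80 SYN" % (t.isoformat(), s) for t, s in events]

def parse_line(line):
    """Return (timestamp, source address) from one constructed log line."""
    ts, rest = line.split(" ", 1)
    fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
    return datetime.fromisoformat(ts), fields["src"]

def peak_rates(lines):
    """Per-source peak number of new connections seen in any one-second bucket."""
    buckets = defaultdict(int)
    for line in lines:
        t, src = parse_line(line)
        buckets[(src, t.replace(microsecond=0))] += 1
    peaks = defaultdict(int)
    for (src, _), count in buckets.items():
        peaks[src] = max(peaks[src], count)
    return dict(peaks)

def flag_sources(lines, threshold):
    """Sources whose peak one-second rate reaches the threshold (an assumed tuning value)."""
    return sorted(src for src, peak in peak_rates(lines).items() if peak >= threshold)

if __name__ == "__main__":
    print(flag_sources(build_sample(), 100))
```

The threshold is a per-environment tuning choice; a real deployment would also distribute the check across many sources, since a DDoS spreads the same rate over many hosts.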
Update – 02/01/2013
Fun fact: this amplification using basic multiprocessing capabilities has now been observed in the new LOIC being seeded across the internet. We expect to see more frequent and more powerful DDoS attacks in the coming months as the new tool is used. Services like CloudFlare will be busy trying to mitigate the new generation of DoS tools. Hopefully this arms race will lead to better prevention methodologies and technologies!