What is High Orbit Ion Cannon (HOIC)
High Orbit Ion Cannon (HOIC) is a free, open-source network stress application developed by Anonymous, a hacktivist collective, to replace the Low Orbit Ion Cannon (LOIC). Used for denial of service (DoS) and distributed denial of service (DDoS) attacks, it functions by flooding target systems with junk HTTP GET and POST requests.
HOIC was designed to improve upon several LOIC application flaws, including:
- Detection – HOIC uses booster scripts that let perpetrators scatter attack traffic and hide their geolocation. This differs from LOIC, which isn’t capable of obfuscating attacker IP addresses.
- Firepower – An individual HOIC user can launch a significant number of junk requests at a given time; as few as 50 perpetrators can execute a successful DDoS attack. This differs from LOIC, which requires thousands of users to coordinate and launch an attack.
Anonymous first used HOIC in 2012 during Operation Megaupload — at the time one of the largest DDoS assaults ever recorded. It was launched in retaliation for the shutting down of Megaupload, a filesharing website, and targeted websites belonging to the U.S. Department of Justice, the Recording Industry Association of America, the Motion Picture Association of America and Broadcast Music, Inc.
Attack description
Widespread HOIC availability means that users having limited knowledge and experience can execute potentially significant DDoS attacks. The application can open up to 256 simultaneous attack sessions at once, bringing down a target system by sending a continuous stream of junk traffic until legitimate requests are no longer able to be processed.
The HOIC application interface.
Unlike LOIC, which is able to launch TCP, UDP and HTTP GET floods, HOIC conducts attacks based solely on HTTP GET and POST requests.
Add-on scripts called boosters—not available in the LOIC application—can greatly increase attack magnitude. Boosters also let HOIC users customize the application and randomize assaults in order to circumvent caching mechanisms that protect servers from traffic spikes.
Despite booster use, the attack traffic amount generated by HOIC is still not enough for a single user to take down a target system. A successful DDoS assault can only be launched when a team of perpetrators operate HOIC simultaneously. A high degree of coordination is required among several users.
Methods of mitigation
HOIC’s deceptive and variation techniques make it more difficult for traditional security tools and firewalls to pinpoint and block DDoS attacks.
Imperva Website DDoS Protection secures against application layer DDoS attacks, including HTTP/S floods originating from HOIC nodes. The platform uses DNS redirection to route all traffic to your website through the Imperva network where all requests are analyzed and filtered before they reach your network.
Having a negligible (~0.001%) false positive rate, Imperva traffic inspection technology identifies and blocks malicious requests while allowing legitimate users through. Additionally, the Imperva content delivery network (CDN) improves user experience and decreases bandwidth consumption.
