Update is in progress

What is the Low Orbit Ion Cannon (LOIC)?

The Low Orbit Ion Cannon is a tool commonly used to launch DoS and DDoS attacks. It was originally developed by “Praetox Technology” as a network stress-testing application, but it has since become open-source and is now mostly used with malicious intent. It is known for being a very user-friendly and accessible tool, and it gained notoriety for its use by members of hacktivist group Anonymous as well as users of the 4Chan forums.

This tool puts the ability to launch DDoS attacks in the hands of users with very little technical knowledge. It is widely available for download and has a simple point-and-click interface, additionally users can even launch attacks from a web browser using a JavaScript version called JS LOIC and a web version known as the Low Orbit Web Cannon.

A LOIC (Low Orbit Ion Cannon) is one of the most powerful DOS attacking tools freely available. If you follow news related to hacking and security issues, you doubtless have been hearing about this tool for the past several months. It has become widely used, including in some highly-publicized attacks against the PayPal, Mastercard and Visa servers a few months back. This tool was also the weapon of choice implemented by the famous hacker group, Anonymous, who have claimed responsibility for many high profile hacking attacks, among them, hacks against Sony, the FBI and other US security agencies. The group not only used this tool, but also requested that others download it and join Anonymous attacks via IRC.

About Original “LOIC Tool”:

The LOIC was originally developed by "Praetox Technologies" as a stress testing application before becoming available within the public domain. The tool is able to perform a simple dos attack by sending a large sequence of UDP, TCP or HTTP requests to the target server. It’s a very easy tool to use, even by those lacking any basic knowledge of hacking. The only thing a user needs to know for using the tool is the URL of the target. A would-be hacker need only then select some easy options (address of target system and method of attack) and click a button to start the attack. The tool takes the URL of the target server on which you want to perform the attack. You can also enter the IP address of the target system. The IP address of the target is used in place of an internal local network where DNS is not being used.

screenshot of LOIC Tool

The tool has three chief methods of attack: TCP, UDP and HTTP. You can select the method of attack on the target server. Some other options include timeout, TCP/UDP message, Port and threads.

The LOIC version used by Anonymous group attacks was different than the original LOIC. It had an option to connect the client to the IRC (Internet Relay Chat). This allowed the tool to be remotely controlled, using the IRC protocol. In that case, the user machine became part of a botnet. A botnet is a system of compromised computer systems connected to each other via the internet, which are in turn controlled by the attacker who directs the malware toward his / her target. The bigger the botnet, the more powerful the attack is.

How does the LOIC work?

It works by flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting service. One attacker using the LOIC can’t generate enough junk traffic to make a serious impact on a target; serious attacks require thousands of users to coordinate a simultaneous attack on the same target. In order to make these coordinated attacks easier, users can use IRC chat channels to run a ‘Hivemind’ version of the LOIC which lets one ‘master’ user control several networked ‘slave’ computers, creating a voluntary botnet. This is a popular approach because owners of the slave devices can claim they were innocent victims of an involuntary botnet.

LOIC hiveminds were used by Anonymous in 2008 to attack Church of Scientology websites in response to the Church’s legal efforts to take down YouTube videos. The LOIC was also notably used in 2010, when WikiLeaks supporters went after the Visa and MasterCard sites in response to the credit card companies freezing payments to WikiLeaks.

Types of the Attack By LOIC:

UDP Attack: To perform the UDP attack, select the method of attack as UDP. It has port 80 as the default option selected, but you can change this according to your need. Change the message string or leave it as the default.
TCP Attack: This method is similar to UDP attack. Select the type of attack as TCP to use this.
HTTP Attack: In this attack, the tool sends HTTP requests to the target server. A web application firewall can detect this type of attack easily.

Meaning of each field in LOIC Tool:

IDLE: It shows the number of threads idle. It should be zero for higher efficiency of the attack.
Connecting: This shows the number of threads that are trying to connect to the victim server.
Requesting: This shows the number of threads that are requesting some information from the victim server.
Downloading: This shows the number of threads that are initiating some download for some information from the server.
Downloaded: This number shows how many times data downloading has been initiated from victim server on which you are attacking.
Requested: This number shows how many times a data download has been requested from victim server.
Failed: This number shows how many times the server did not respond to the request. A larger number in this field means the server is going down. The success of the attack can be measured by the number shown in this field.


The windows version of LOIC has a feature called “HIVEMIND”. With this, users can connect their client to an IRC server. In this way, it can be controlled remotely, thus facilitating some risky attacks, so use this wisely. But connecting to an IRC server will not allow a remote administration of your machine or any other risks to your system: it will only control your LOIC client.

This method was used to collect more people in the DDOS attack against Visa, Mastercard, and other financial organizations that supported Wikileaks. (The attack was called “Operation Pay-back.”)

In this mode, thousands of system attacks on a single website to made a real impact. The more people that joined the attack via IRC, the more powerful the attack became.

Starting LOIC in HIVEMIND Mode:

Run following command in the command prompt:
LOIC.exe /hivemind irc.server.address
  • After running the above command, your LOIC client will connect to
  • You can also set more parameters in the command to use the tool in better way. Use port and channel too with the command.
  • LOIC.exe /hivemind irc.server.address:1234 #secret
  • It will connect to irc://irc.server.adress:1234/secret

    You can also run your LOIC in hidden mode while using it in HIVEMIND. Running in hidden mode means LOIC will run without any visible GUI at your windows system. Just add /HIDDDEN in your command.
  • LOIC.exe /hidden /hivemind irc.server.address
  • It will connect LOIC client to irc://irc.server.adress:6667/loic without any visible GUI on windows.

    This version of LOIC was released on 9th December, 2010. This web- based tool runs only on JavaScript-enabled web browsers.

    In JS LOIC, JS stands for JavaScript.

    This version of LOIC sends an ID and message with lots of connections with each ID and message. This is easier to use than the desktop version. Just visit the web page with a single HTML file and start the attack. The attack power of this version is same as from the desktop.

    Drawbacks of using LOIC:

    The main drawback of LOIC as a DOS attack tool is that it is very easy to find the attacker. This tool does not take any precautions to hide IP address of the origin of the attack. Attacks generated by this tool are simple and expose the IP address of attacker in each request packet sent to victim server to flood the request queue. If you are thinking that we can use proxies to solve this problem, you are wrong.

    Attackers cannot use proxies in these attacks because your requests will hit the proxy server, not the target server. So you will not be able to launch a DOS attack on the server effectively while using a proxy. But some analysts say that this can be used with a proxy server if the proxy is robust enough. According to them, all your request packets will be forwarded to the server system by proxy at the end.

    How to prevent the attack of LOIC:

  • Every website owner or server administrators should monitor the traffic and all the activities being performed on the server. This can help well enough against the attack.
  • Small LOIC HTTP attacks can be mitigated with a local firewall by having a server administrator look at the logs and identify the IPs of the attackers and dropping their requests.
    However this strategy won’t stand up to a large-scale attack where hundreds or even thousands of different attackers are working in tandem. Local firewalls also can’t protect against TCP or UDP floods, the latter of which can even target and disrupt a firewall.
  • A Web Application Firewall (WAF) can provide strong protection against HTTP floods, and dedicated DDoS protection can stop TCP and UDP attacks.

  • Fortunately, attackers using the LOIC are fairly easy to detect; it can’t be used through a proxy, so attackers’ IP addresses are visible to the target.
    Numerous countries have taken legal action against attackers using the LOIC including the U.S., U.K., Spain, and Turkey.


    In past few year, this tool has been downloaded millions of times and used against some big websites such as Mastercard, Visa, and PayPal to support Wikileaks. The group known as Anonymous used this tool to attack these websites, but it was not traceable. A lot of people joined the team with the IRC network, so no one knows who the real persons behind the group were, within such a large network of systems used in the attacks.

    This tool is available for free on the internet so any person can download it and create a problem for any website. Although catching the attacker is easy, protection against such an attack is relatively easy to achieve. It is suggested that each company and server administrator make sure that their firewall is configured to protect from the attack generated by LOIC.

    About Author :

    Sanjeev Singh
    Sanjeev Singh is Certified Cyber Security Specialist & Professional. Also, Founder of "CYBER4ALL Community".
    His area of interest are Red Teaming, Offensive Security, Digital forensics, Malware analysis & Security Assessments & Penetesting. He is active blogger and publisher of Cyber Security related articles on Cyber4All.
    LinkedIn Profile: Singhsanjeev617

    Warning :
    The articles and tutorials published on this site are performed under safe environments with all safety measures and supervision of Cyber Experts & Professionals. And it is only intend for educational purposes & to be aware about such activities. These contents should not be used for any illegal purposes.
    Always Remember,
    "Performing such things without taking concerns of respective owners of System & Resources is tottaly illegal and punishable under various IT Acts and Laws."