by bradleyland 5259 days ago
I did some Googling but was unable to find a lot of technical detail on the type of attack executed by LOIC. A quick glance at the source code on GitHub shows the capability for HTTP flooding, but the Wikipedia page mentions a TCP flood. I'm not sure whether it's capable of both, or which is used more in practice.

In any event, the traffic from a web browser is going to look different from traffic generated by LOIC. A web browser is a very high-level tool with lots of constraints to keep web pages from doing "bad things". These constraints would make it pretty easy to profile traffic from web browsers vs LOIC. Granted, LOIC could mimic these constraints, but that would significantly diminish its operating capabilities.

The whole conversation surrounding LOIC and this new web based tool is full of bad information and misunderstandings.

1 comment

LOIC is a simple tool which executes a SYN flooding attack. I wonder why this wasn't mentioned here in the comments yet.

It works like this: Your computer asks to open a TCP connection by sending a SYN packet to the server. The server responds with SYN/ACK. Your computer is expected to send ACK to complete the 3-way handshake and to establish the connection. Except that, in this attack, your computer never sends ACK.

The server usually reserves a few resources to maintain that half-open connection, such as a socket and a thread that waits for the connection to finish.

If enough people do this, the server runs out of resources rather quickly and it's practically impossible to block it without a server farm. Even if a firewall script prevents the server from crashing by limiting the number of open (half-open) connections, by blocking attacking IP addresses and by reducing their timeout, it can't distinguish between legitimate traffic and DoS traffic.

So, given that a single computer easily pumps out several hundred or even a thousand requests per second, the amount of traffic quickly grows when many users are involved.

By the way, with a single computer, it is more or less impossible to take down a server with only SYN flooding, as your computer requires more or less the same computational power to establish the connection and most servers have more RAM and a bigger connection to the internet.

It really gets messy when you use encryption, where the server has to do more computational work than a client. Then you can easily DoS a server from a single computer. However, this is NOT done with the LOIC, but there was a tool recently that performs this kind of attack against, I forgot, I think Apache with a vulnerable OpenSSL version.

So, this whole attack is on OSI layer 4 and is indeed a TCP-based attack. HTTP traffic is on layer 5+ and it's not possible to achieve half-open TCP connections with a browser.

Nevertheless, a DoS is still possible. There are two ways:

1. Many clients ask simultaneously for a computationally expensive operation. For example, some sort of filtering mechanism for the member list of a community site. Depending on the database backend, such a request can cause a more or less sophisticated SQL query.

These are usually the places where programmers should optimize their queries (or use caching etc.) to prevent the server from crashing.

2. Simply ask for a resource like an image or a larger JS file, but do this often with many clients. This also happens when a small blog writes a good article and is linked on HN or reddit. The incoming traffic is too big to be handled.

Generally speaking, it depends heavily on the server's environment regarding caching, optimization, load balancing, a firewall script, an Intrusion Detection/Prevention System etc. whether or not a browser-based attack can be successful.
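The handshake and the server-side mitigations the comment above lists (a cap on half-open connections, a per-source limit, a shorter timeout) can be made concrete with a small defender-side model. The following is an added example, not code from either commenter or from LOIC: it keeps a table of connections that have received SYN/ACK but no final ACK, replays a constructed event stream, and reports how many handshakes complete, how many SYNs are refused and from whom. The `HalfOpenTracker` class, its parameter names and the addresses in `EVENTS` are all assumptions made up for this illustration.

```python
"""Server-side model of half-open (SYN received, ACK outstanding) TCP connections.

Hypothetical defender's illustration; the class, its parameters and the event
stream below are constructed for this example and belong to no real project.
"""

from collections import Counter


class HalfOpenTracker:
    """Tracks handshakes stuck between SYN/ACK and the client's final ACK."""

    def __init__(self, backlog=8, timeout=3.0, per_source_limit=4):
        self.backlog = backlog                  # total half-open entries the server keeps
        self.timeout = timeout                  # seconds before an unfinished handshake is dropped
        self.per_source_limit = per_source_limit
        self.pending = {}                       # (src_ip, src_port) -> time the SYN arrived
        self.flagged = set()                    # sources that exceeded per_source_limit
        self.refused = Counter()                # src_ip -> SYNs refused (full backlog or flagged)
        self.dropped = 0
        self.expired = 0                        # entries aged out by the timeout
        self.established = 0

    def _expire(self, now):
        stale = [key for key, t in self.pending.items() if now - t >= self.timeout]
        for key in stale:
            del self.pending[key]
        self.expired += len(stale)

    def on_syn(self, src_ip, src_port, now):
        """Client sent SYN; server would answer SYN/ACK and reserve an entry."""
        self._expire(now)
        if src_ip in self.flagged or len(self.pending) >= self.backlog:
            self.dropped += 1
            self.refused[src_ip] += 1
            return False
        self.pending[(src_ip, src_port)] = now
        per_source = Counter(ip for ip, _ in self.pending)
        if per_source[src_ip] > self.per_source_limit:
            self.flagged.add(src_ip)            # further SYNs from this source are refused
        return True

    def on_ack(self, src_ip, src_port, now):
        """Client sent the final ACK; the handshake completes if an entry still exists."""
        self._expire(now)
        if self.pending.pop((src_ip, src_port), None) is None:
            return False                        # no entry: late, unsolicited, or already expired
        self.established += 1
        return True

    def summary(self):
        return {
            "established": self.established,
            "dropped": self.dropped,
            "expired": self.expired,
            "half_open": len(self.pending),
            "flagged": sorted(self.flagged),
            "refused_by_source": dict(self.refused),
        }


# Constructed event stream: (time in seconds, segment type, source IP, source port).
EVENTS = [
    (0.0, "SYN", "10.0.0.5", 40001),            # legitimate client, two quick handshakes
    (0.1, "ACK", "10.0.0.5", 40001),
    (0.2, "SYN", "10.0.0.5", 40002),
    (0.3, "ACK", "10.0.0.5", 40002),
    *[(1.0 + i * 0.01, "SYN", "203.0.113.9", 50000 + i) for i in range(12)],  # burst, no ACKs
    (1.5, "SYN", "10.0.0.5", 40003),            # legitimate client returns during the burst
    (1.6, "ACK", "10.0.0.5", 40003),
    (6.0, "SYN", "10.0.0.7", 41000),            # after the timeout, stale entries are gone
    (6.1, "ACK", "10.0.0.7", 41000),
]


def replay(events, **tracker_opts):
    """Feed events to a fresh tracker in time order and return its summary."""
    tracker = HalfOpenTracker(**tracker_opts)
    for now, kind, ip, port in sorted(events):
        handler = tracker.on_syn if kind == "SYN" else tracker.on_ack
        handler(ip, port, now)
    return tracker.summary()


if __name__ == "__main__":
    print("per-source limit on :", replay(EVENTS))
    print("per-source limit off:", replay(EVENTS, per_source_limit=100))
```

With the per-source limit active, the bursting source is flagged after its fifth pending SYN and the legitimate client at 1.5 s still completes its handshake. With only the backlog cap (`per_source_limit=100`), the eight slots fill with the burst and the legitimate client's SYN is refused alongside the attacker's, which is the indistinguishability problem the comment describes. Real kernels go further than this model by answering SYNs statelessly under pressure (SYN cookies), so that no table entry is reserved until the ACK arrives.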