
Possible flaw in LOIC – Tool used to DDoS Amazon

Hitting the news today is a concerted DDoS attack effort directed at Amazon as a vendetta for its role in ousting Wikileaks.org from its hosting cloud. The attackers are so determined that they are asking everybody on the planet to download a program called Low Orbit Ion Cannon (LOIC) and launch it against Amazon. In this post, we're sharing a flaw in the program that we think can be used to mitigate the attack, to an extent.

The program is written in C# and its source code is available for anyone to inspect and modify. In fact, one has to compile the code in order to use the tool. The flaw is apparent in the source itself. In the file HTTPFlooder.cs, at line 63, the payload of the request is constructed like this:

byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.0{1}{1}{1}", Subsite, Environment.NewLine));

This is at the heart of the attack. It consists of a flood of HTTP GET requests using protocol version 1.0. This kind of attack is difficult to defend against because each request looks very similar to a legitimate request coming from a typical Web user. The request flows through several layers of the OSI stack and exhausts a lot of computing resources, all the way up to the 7th (application) layer of the OSI model.

But notice that this request is missing the Host header (for example: Host: www.amazon.com). This fact alone can help with filtering the attack. One could require that all requests carry this important header in the Web server configuration (an imperfect solution). The optimal solution, however, is to introduce specialized ASIC deep packet inspection devices with proper signatures to filter out the attack.
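As an added example (not code from the post or from LOIC's source), here is a small request classifier, written in Python rather than C#, that applies the Host-header idea above the way a filter in front of the Web server might, while allowing for the fact that HTTP/1.0 does not make Host mandatory. The sample requests and the hypothetical `classify` labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Shape of the LOIC payload quoted above (HTTPFlooder.cs line 63):
# request line, then three newlines and no headers at all.
LOIC_PAYLOAD_TEMPLATE = "GET {0} HTTP/1.0{1}{1}{1}"


@dataclass
class RequestHead:
    method: str
    target: str
    version: str
    headers: dict  # header names lower-cased


def parse_head(raw: bytes) -> Optional[RequestHead]:
    """Parse the request line and header block; None if malformed."""
    text = raw.decode("ascii", errors="replace")
    lines = text.split("\r\n") if "\r\n" in text else text.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return RequestHead(parts[0], parts[1], parts[2], headers)


def classify(raw: bytes) -> str:
    """Hypothetical labels: 'ok', 'no-host', 'loic-shape' or 'malformed'."""
    head = parse_head(raw)
    if head is None:
        return "malformed"
    if "host" in head.headers:
        return "ok"
    if head.version == "HTTP/1.1":
        return "no-host"  # Host is mandatory in HTTP/1.1, so this is a protocol error
    # HTTP/1.0 permits a request without Host, so its absence alone is weak
    # evidence; what stands out in the LOIC payload is the empty header block.
    return "loic-shape" if not head.headers else "ok"


# Constructed samples: the LOIC payload for "/", a browser request, and an
# old HTTP/1.0 client that sends headers but no Host.
LOIC_SAMPLE = LOIC_PAYLOAD_TEMPLATE.format("/", "\r\n").encode("ascii")
BROWSER_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
OLD_CLIENT_SAMPLE = b"GET / HTTP/1.0\r\nUser-Agent: Wget/1.10\r\n\r\n"
```

Only the header-less HTTP/1.0 request is labelled `loic-shape`; the legitimate HTTP/1.0 client without Host passes, which is the false-positive trade-off a Host-based filter has to accept.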

That’s all folks!

  1. Host: is not required for HTTP/1.0 requests, it is required for HTTP/1.1 requests.

    So no, this knowledge will do nothing to stop the attacks.

  2. That's a perfectly valid HTTP 1.0 request, so without risking additional conditional processing or blocking legit clients, it's not going to be much help. HTTP 1.0 allows two request types. The one you're describing, i.e., without the host header, is called a Simple Request. It was designed for compatibility with HTTP 0.9.

    See http://www.w3.org/Protocols/HTTP/1.0/spec.html#Request.

  3. The Host header was specified in HTTP 1.1. An HTTP 1.0 request is not expected to include a Host header.

