Are ten-year-old DoS tools still relevant in 2021?
Surprisingly, the answer is yes.
After the collapse of Anonymous in 2016, the threat landscape quickly changed. The once dominant group of Denial of Service (DoS) attacks organized with simple GUI-based tools was gone; As the era of Distributed Denial of Service (DDoS) attacks and DDoS-as-a-Service began to take shape under the power of new IoT botnets like Bashlite and Mirai.
While Anonymous has not completely disappeared, its digital footprint has shrunk considerably over the past five years. Today, you can still find anonymous accounts on the usual social media and video platforms disseminating operational propaganda, but with limited impact compared to the past. However, during a recent Anonymous operation, I was surprised to find that the group, which still uses PasteBin and GhostBin (to centralize operational details), had updated their target list from previous years and suggested l use of Memcached and other reflective attack vectors. They recommended using outdated DoS tools, such as LOIC, HOIC, ByteDoS, and Pyloris, all of which are nearly 10 years old.
Tools of the past
High Orbit Ion Cannon, or HOIC for short, is a network stress testing tool related to LOIC; both are used to launch denial of service attacks popularized by Anonymous. This tool can cause a denial of service through the use of HTTP streams. Additionally, HOIC has a built-in scripting system that accepts .hoic files called boosters. These files allow a user to deploy anti-DDoS randomization countermeasures and increase the scale of the attack.
While there are no meaningful obscuration or anonymization techniques to protect user origin, the use of .hoic “booster” scripts allows the user to specify a list of Target URLs, referrers, user agents, and rotating headers. This effectively causes a denial of service condition by attacking multiple pages on the same site while giving the impression that the attacks are coming from multiple different users.
[Click for Full Report: Quarterly Threat Intelligence Report]
Once considered a destructive tool, ByteDoS became new in 2021. ByteDos is a Windows desktop DoS application. It is a simple, stand-alone executable file that does not require installation and comes equipped with built-in IP resolver capabilities that allow this attack tool to resolve IP addresses of domain names. It also supports two attack vectors: SYN Flood and ICMP Flood, allowing the user to choose their preferred attack vector. ByteDos also supports attacks behind proxies, allowing attackers to hide their source and identity. The tool is quite common among hacktivists and anonymous supporters (it becomes very effective when used collectively by many attackers in a coordinated denial of service attack).
Pyloris is another who was once considered a destructive tool. Pyloris is a weak and slow HTTP DoS tool. Pyloris allows attacker to create HTTP requests with custom packet headers, cookies, packet sizes, timeouts, and end of line (CRLF) options. Pyloris’ objective is to keep the TCP connections open as long as possible between the attacker and the victim’s servers in order to try to exhaust the resources of the server’s connection table. Once exhausted, the server will no longer process new connections from legitimate users, resulting in a denial of service state.
How effective are old tools
The tools suggested for this Anonymous operation, and many others, are old and outdated, but oddly enough, they still have a place in the threat landscape. In a world of easy-to-create IoT botnets and cheap attack services, it’s strange how some suggest using tools that are nearly a decade old. And while it is not important to use these tools, they can still be effective when properly exploited against unsuspecting and unprotected websites. Below is a graph showing the events of the past year related to the LOIC, HOIC, HULK and SlowLoris attacks.
As you can see, these tools are still relevant in 2020/21 but not as popular or effective as they once were due to the changing threat landscape and advancements in mitigation technology. While Anonymous is no longer the threat they used to be, there is still a legacy risk that a lone wolf or group of threat-loving actors will appear with these tools and present some level of risk to unprotected people. .