The High Orbit Ion Cannon (HOIC) is an open source network stress testing application available on Sourceforge.net. It is most often used by hacktivists as an attack tool for denial of service (DoS) and distributed denial of service (DDoS) attacks. It is the successor of the Low Orbit Ion Cannon (LOIC) application. It was developed by the hacktivist collective Anonymous as a conclusion of Operation Payback. The tool is available only for Windows but it can be ported to Linux and Mac. Names of both LOIC and HOIC were inspired by weapons used in video games.

The HOIC is more advanced than LOIC and designed to work using HTTP floods only (unlike LOIC that also uses TCP/UDP floods). It sends HTTP POST and HTTP GET requests. It can attack up to 256 domains simultaneously using a large number of threads. Its key feature is the ability to use booster scripts to increase DoS output. These custom scripts randomize headers such as the user-agent and introduce multiple attack targets (e.g. subdomains or specific pages). This makes DoS detection much more difficult but is still not enough to anonymize the attacker.

HOIC is much stronger than LOIC but lacks certain features of its predecessor. It is designed as a standalone application and has limited coordination capabilities. It works in GUI mode only so it cannot be used as a zombie. It is said that 50 HOIC users are enough to perform a major DDoS attack. HOIC was used by Anonymous for attacks on the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the US Department of Justice (in retaliation for closing the file-sharing website Megaupload).

How Can I Protect Myself Against HOIC?

Even a website with no vulnerabilities may become a victim of a HOIC attack, so web/network vulnerability scanners cannot be used to protect against them. Since HOIC randomizes headers, web application firewalls (WAF) may have problems detecting such attacks. The best bet to protect yourself are intrusion detection systems (IDS) or intrusion prevention systems (IPS).

However, no locally installed tool is as useful in protecting against DDoS attacks as a good infrastructure that can handle a lot of requests. That is why many companies choose major virtual clouds to host their websites. Such clouds have the means to protect your website: not only the tools but the sheer bandwidth capabilities.

Luckily, due to the limited capabilities of HOIC, it cannot be effectively installed and used on your web server as a result of an attack (for example, command injection, code injection or SQL Injection). Since there is no JavaScript version, you are also safe from having it injected as a result of Cross-site scripting.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.