HULK Takes Down Web Server

Tuesday, May 22, 2012 @ 12:05 PM gHale

HULK, is not only a superhero it is now a new DDoS tool that picks up where other exploits leave off. But, as it is with the comic book hero, do we really know if this HULK is for good or evil? You decide.

This HULK (HTTP Unbearable Load King) is a DDoS tool that is different from others in that it doesn’t simply hit a server with a massive load of TCP SYN requests or other predictable packets. Instead, it generates numerous unique requests designed to prevent server defenses from recognizing a pattern and filtering the attack traffic.

Russian Cybercrime Consolidates, Grows
Spammers: It Just Keeps Working
Rogue AV Lets Victims do Dirty Work
Fake Google Antivirus Circulates

The HULK DDoS tool is courtesy of Sectorix’s Barry Shteiman, a security pro who developed it out of frustration with the obvious patterns produced by other such tools.

“For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same … they create repeatable patterns. too easy to predict the next request that is coming, and therefore mitigate. Some, although elegant, lack the horsepower to really put a system on its knees. For research purposes, I decided to take some of the lessons I’ve learned over time and practice what I preach.” he wrote in his notes on HULK.

“Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. This can be optimized much, much further, but as a proof of concept and generic guidance it does its job. As a guideline, the main concept of HULK, is to generate Unique requests for each and every request generated, thus avoiding/bypassing caching engines and effecting directly on the server’s load itself.”

In order to confuse the target Web server as thoroughly as possible, Shteiman has included a number of different features in HULK, including the ability to hide the actual user agent and obfuscate the referrer for each request. In his own tests, Shteiman said the attack tool had no trouble taking down a target server within a minute or so.

“Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host,” he said.

Leave a Reply

You must be logged in to post a comment.