HULK DDoS Tool Smash Web Server, Server Fall Down

For the aspiring attacker or pen tester, there is no shortage of attack tools, scripts, crimeware kits and exploits available online. But, the Internet being what it is, there’s always room for one more. Enter HULK, a new DDoS tool that arrives just in time to coincide with the release of some movie involving the actual Hulk and other CGI-ified mediocre-heroes.

The HULK (HTTP Unbearable Load King) DDoS tool is somewhat different from others of its ilk in that it doesn’t simply hammer a server with a massive load of TCP SYN requests or other predictable packets. Instead, HULK generates numerous unique requests designed to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the obvious patterns produced by other such tools. 

“For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same… they create repeatable patterns. Too easy to predict the next request that is coming, and therefore mitigate. Some, although elegant, lack the horsepower to really put a system on its knees,” he wrote in his notes on HULK.

“Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique HTTP requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. This can be optimized much, much further, but as a proof of concept and generic guidance it does its job. As a guideline, the main concept of HULK is to generate unique requests for each and every request generated, thus avoiding/bypassing caching engines and affecting directly the server’s load itself.”

In order to confuse the target Web server as thoroughly as possible, Shteiman has included a number of different features in HULK, including the ability to hide the actual user agent and obfuscate the referrer for each request. In his own tests, Shteiman said that the attack tool had no trouble taking down a target server within a minute or so.

“Basically my test web server with 4GB of RAM running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host,” he said.
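A defender's view of the behaviour described above, as an added example that is not from the article or from Shteiman's tool: per-request uniqueness defeats a static signature, but a single client that never repeats a URL and keeps changing its User-Agent stands out in the access log. The Combined Log Format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD url PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_clients(lines, min_requests=20, url_ratio=0.9, max_agents=3):
    """Return {ip: stats} for clients that, within one log window, almost never
    repeat a URL and rotate User-Agent values. Thresholds are assumed defaults."""
    seen = defaultdict(lambda: {"n": 0, "urls": set(), "agents": set(), "referers": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole window
        s = seen[m["ip"]]
        s["n"] += 1
        s["urls"].add(m["url"])
        s["agents"].add(m["ua"])
        s["referers"].add(m["referer"])
    flagged = {}
    for ip, s in seen.items():
        if s["n"] < min_requests:
            continue  # too little traffic to judge
        ratio = len(s["urls"]) / s["n"]
        if ratio >= url_ratio and len(s["agents"]) > max_agents:
            flagged[ip] = {"requests": s["n"], "unique_url_ratio": round(ratio, 2),
                           "user_agents": len(s["agents"]), "referers": len(s["referers"])}
    return flagged

def constructed_window():
    """Constructed sample log lines (not real traffic); RFC 5737 documentation addresses."""
    ts = "[01/Jan/2000:12:00:00 +0000]"
    lines = []
    # Ordinary browser: one User-Agent, a handful of pages requested repeatedly.
    for i in range(30):
        lines.append(f'198.51.100.7 - - {ts} "GET /page{i % 5}.html HTTP/1.1" 200 512 '
                     f'"http://example.test/" "Mozilla/5.0 (constructed-browser)"')
    # One host whose every logged request has a new query string and referrer.
    for i in range(30):
        lines.append(f'203.0.113.9 - - {ts} "GET /?k{i}=v{i} HTTP/1.1" 200 512 '
                     f'"http://ref{i}.example.test/" "constructed-agent-{i % 10}"')
    lines.append("malformed line")
    return lines

if __name__ == "__main__":
    for ip, stats in suspicious_clients(constructed_window()).items():
        print(ip, stats)
```

In practice the same counters would be kept per sliding time window, and the thresholds tuned against normal traffic so that proxies and NAT gateways shared by many real users are not flagged.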

Discussion

  • CP Constantine on

    Nice wannabe-movie-critic move there. You must be practising to get your 'mediocre pundit' merit badge.

    Ahh, the other 80% of the article is just quotations from other people. So the only actual content you contributed to this article is.. a cheap bash at a rather impressively fun genre film.

    Don't quit your day job.

  • Anonymous on

    "security pro's" don't create tools with no purpose other than to cause mischief. That's what security researchers do...also called "douchebags".
  • Jan van Niekerk on

    My IIS server falls over all by itself. I am so glad that there are now tools to help it with this task.
  • Anonymous on

    Yeah, IIS doesn't need any assistance to become unresponsive or completely fail.  The point of the tool, though, is something that has been discussed within security circles for years.  Most tools that do DDOSing are predictable to one extent or another and counter-measures are easy to put together to defend against them.  Logic would tell us that if you want a tool that isn't easily detected, then you'd have to put something together that doesn't follow known and predictable patterns.  What I don't think a lot of people know is that while this guy released the information about his tool, there are hundreds of tools just like his floating around out there within the "toolkits" of security researchers and similar professionals.
