Do you know about HULK?
No, not the reel-life Hulk that brings enemies to their knees. However, the Hulk web server tool works in a very similar way in the digital world: it runs a DDoS attack on its target server to bring it down, without using a visible hammer.
Often used by penetration testers, the HTTP Unbearable Load King (HULK) script generates multiple unique requests from a single host. That’s what separates it from the rest of the pen testing tools or DDoS tools across the globe.
The good thing is that HULK is a researcher's creation and not an actual cybercriminal's accomplice. Let's get acquainted with the Hulk web server tool in the next few minutes.
HULK is an abbreviation for HTTP Unbearable Load King, which is a web server Distributed Denial of Service tool. It is mainly designed for research purposes and helps pen testers check the efficiency of a server. With its help, security specialists can find loopholes in their security implementation against DDoS and correct them before an actual threat actor exploits them.
Barry Shteiman, a cybersecurity specialist (currently the CTO of BlastRadius), created HULK in May 2012.
Barry was frustrated seeing how most pentesting tools generate predictable load packets or HTTP SYN requests, preventing security experts from checking the actual defensive ability of their organizational networks. He wrote this Python script for DDoS attack testing. The purpose of its creation was to launch 'more real' attacks and test the actual efficiency of any server.
HULK is very different from regular pentesting tools, attack scripts, and exploit methods. HULK generates a number of unique requests at irregular intervals from the same host. So, not only does it run a DDoS attack, the script also tries to prevent the network's defense mechanism from guessing the attack pattern. This makes it really tough to filter the traffic/packets.
Also, the tool has several features like referer request obfuscation and hiding the actual agent/actor.
Let's summarize how the Hulk web server tool works:
Hulk uses a good long list of known User Agents (see it in the next section) to obfuscate requests. So, for each request being generated, a random User Agent is picked. This trick makes it tough for intrusion prevention systems to detect the anomaly.
Hulk tries to create various keep-alive connections. The duration of these connections varies. With this, it succeeds at opening various HTTP requests and holding on to resources from the server's available pool.
Hulk forges its referer through obfuscation. It will either point to some major pre-listed websites or the host itself.
Though Hulk already generates unique requests, it also enables no-cache for the target HTTP server. By doing so, it can bring a server – that hides behind a dedicated caching solution – down faster.
Creating various unique URLs for every request helps HULK bypass the caching tools and other filtering/optimization mechanisms. The tool, most of the time, receives a response OK (200) due to this feature.
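The traits summarized above leave a recognizable footprint in access logs: one source address, many different User-Agents, and a fresh query string on nearly every GET. The following detection sketch is an added example, not part of HULK or of the original article; the log lines are constructed, and the thresholds and the names `score_clients`, `SAMPLE` and `_line` are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip - - [time] "METHOD url PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def score_clients(lines, min_requests=5, ua_ratio=0.5, query_ratio=0.8):
    """Flag clients that rotate User-Agents and use a new query string per GET.
    Thresholds are assumed defaults, not values from the article."""
    seen = defaultdict(lambda: {"n": 0, "uas": set(), "queries": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        s = seen[m["ip"]]
        s["n"] += 1
        s["uas"].add(m["ua"])
        query = urlsplit(m["url"]).query
        if query:
            s["queries"].add(query)
    flagged = {}
    for ip, s in seen.items():
        if s["n"] < min_requests:
            continue  # too few requests to judge
        ua_r = len(s["uas"]) / s["n"]      # distinct User-Agents per request
        q_r = len(s["queries"]) / s["n"]   # distinct query strings per request
        if ua_r >= ua_ratio and q_r >= query_ratio:
            flagged[ip] = {"requests": s["n"], "ua_ratio": round(ua_r, 2),
                           "query_ratio": round(q_r, 2)}
    return flagged

def _line(ip, url, ua, referer="-"):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET {url} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')

# Constructed sample: one host rotating agents and URLs, one ordinary browser.
SAMPLE = (
    [_line("203.0.113.7", f"/?k{i}=v{i * 7919}", f"ExampleAgent/{i}.0",
           "http://search.example/?q=x") for i in range(8)]
    + [_line("198.51.100.20", p, "Mozilla/5.0 (constructed)")
       for p in ("/", "/about", "/?page=2", "/css/site.css", "/", "/contact")]
)

if __name__ == "__main__":
    print(score_clients(SAMPLE))
```

The no-cache request header mentioned above is not part of the default combined log format, so using it as an extra signal requires logging that header explicitly.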
If you go through the Hulk.py script, you will see the randomint function being used several times. For example, check out the request creation below:
See this part of the script to have a look at which user agents are utilized by HULK.
Hulk begins the HTTP flooding attack with a typical TCP handshake. So, the SYN request is sent first, the SYN ACK comes next, and the ACK thereafter.
Once the first request bypasses the hurdles, the user agent starts sending diverse HTTP GET requests to the target URL. For this, it makes use of a randomized suffix.
The host sends out various HTTP GET requests with different/randomized suffixes and receives the response as 200 (OK).
The HULK statistics below show that the tool is very efficient. Its efficiency is proportional to the client-side resources and the number of nodes utilized to run the attack. An attack can actually last (and succeed) within 8.818 sec or less!
If you are a security specialist, penetration tester, or someone responsible for taking care of an organization’s cyber network, HULK is a perfect ally for testing. It’ll surely give you a hard time, and help you strengthen your network’s security. However, if you are thinking of using the Hulk web server tool for a cybercrime or an actual attack out of curiosity, beware that the tool creator has prohibited its misuse. You will be responsible for the consequences and troubles.