What is HULK - HTTP Unbearable Load King?

What is HULK? 

HULK is an abbreviation for HTTP Unbearable Load King, which is a web server Distributed Denial of Service tool. It is mainly designed for research purpose, and helps pen testers check the efficiency of a server. With its help, security specialists can find loopholes in their security implementation against DDoS, and correct them before an actual threat actor exploits it.

‍

The History

Barry Shteiman, a cybersecurity specialist (currently, the CTO of BlastRadius), created HULK in May, 2012. 

Barry was frustrated seeing how most of the pentesting tools generate predictable load packets or HTTP SYN requests, prohibiting security experts from checking the actual defense ability of their organizational networks. He wrote this Python script for DDoS attack testing. The purpose of its creation was to launch 'more real' attacks and test the actual efficiency of any server.

‍

How does HULK work?

HULK is very different from regular pentesting tools, attack scripts, and exploit methods. HULL generates a number of unique requests at irregular intervals from the same host. So, not only does it run a DDoS attack, the script also tries to prevent the network's defense mechanism from guessing the attack pattern. This makes it really tough to filter the traffic/packets.

Also, the tool has several features like referer request obfuscation and hiding the actual agent/actor. 

Let’s summarize the hulk web server tool’s working next:

• Hulk sends multiple unique requests to its target server sequentially. By doing so, it tries to exhaust the server’s resource pool and bring it down. Once the total of such requests reaches the concurrent connection count limit of server, legitimate user requests cannot be entertained
• Due to the versatility of its request, each request is capable of bypassing caching aids, intrusion detection tools, and other filtering mechanisms. 
• Shteiman tested it against a MS IIS7 server with 4 GB RAM. The script made the victim server kneel in < 1 minute. For this test, he sent out all requests from the same host.
• To boost attack’s rate, you will have to use multiple nodes and deploy significantly-heavy client-side resources.

‍

Some Techniques used by HULK

1. Obfuscation of Source Client

Hulk uses a good long list of known User Agents (see it in the next section) to obfuscate requests. So, for each request being generated, a random User Agent is picked. This trick makes it tough for intrusion prevention systems to detect the anomaly.

2. Stickiness

Hulk tries to create various keep-alive connections. The time durable for these connections varies. With this, it succeeds at opening various HTTP requests and holding resources of the available pool by sticking to it.

3. Reference Forgery 

Hulk forges its referer through obfuscation. It will either point to some major pre-listed websites or the host itself.

4. No-cache

Though Hulk already generates unique requests, it also enables no-cache for the target HTTP server. By doing so, it can bring a server – that hides behind a dedicated caching solution – down faster.

5. Unique URL Transforms

Creating various unique URLs for every request helps HULK bypass the caching tools and other filtering/optimization mechanisms. The tool, most of the time, receives a response OK (200) due to this feature.

‍

HULK’s Technicalities - A Quick Glimpse

Observation 1

If you will go through the Hulk.py script, you will see randomint function being used several times. For example, check out the request creation below:

request = urllib2.Request(url + param_joiner + buildblock(random.randint(3,10)) + '=' + buildblock(random.randint(3,10)))
        request.add_header('User-Agent', random.choice(headers_useragents))
        request.add_header('Cache-Control', 'no-cache')
        request.add_header('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
        request.add_header('Referer', random.choice(headers_referers) + buildblock(random.randint(5,10)))
        request.add_header('Keep-Alive', random.randint(110,120))
        request.add_header('Connection', 'keep-alive')
        request.add_header('Host',host)

Observation 2

See this part of the script to have a look at which all user agents are utilized by HULK.

'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3'
'Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)'
'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)'
'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1'
'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)'
'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)'
'Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51'

Observation 3

Hulk begins the HTTP flooding attack with a typical TCP handshake. So, the SYN request is sent first, SYN ACK comes the next, and ACK thereafter. 

Once the first request bypasses the hurdles, the user agent starts sending diverse HTTP GET requests to the target URL. For this, it makes use of a randomized suffix.

Observation 4

The host sends out various HTTP GET requests with different/randomized suffices and receives the response as 200 (OK).

Observation 5

If you see the below HULK statistics, you will be able to understand the tool is very efficient. Its efficiency is proportional to the client-side resources and number of nodes utilized to run the attack. An attack can actually last (and succeed) within 8.818 sec or less!

‍

Conclusion

If you are a security specialist, penetration tester, or someone responsible for taking care of an organization’s cyber network, HULK is a perfect ally for testing. It’ll surely give you a hard time, and help you strengthen your network’s security. However, if you are thinking of using the Hulk web server tool for a cybercrime or an actual attack out of curiosity, beware that the tool creator has prohibited its misuse. You will be responsible for the consequences and troubles.