Join us at Atlanta API Security Summit 2024!
Join us at Atlanta API Security Summit 2024!
Join us at Atlanta API Security Summit 2024!
Join us at Atlanta API Security Summit 2024!
Join us at Atlanta API Security Summit 2024!
Join us at Atlanta API Security Summit 2024!
Close
Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
/
/
Attacks

What is HULK - HTTP Unbearable Load King?

Do you know about HULK?

No – Not that the reel-life Hulk that brings enemies on knees. However, the Hulk web server also functions in a very similar way in the digital world. It runs a DDoS attack on its target server to bring it down – without using a visible hammer. 

Often used by penetration testers, the HTTP Unbearable Load King (HULK) script generates multiple unique requests from a single host. That’s what separates it from the rest of the pen testing tools or DDoS tools across the globe.

Good thing is, HULK is a researcher’s creation and not an actual cybercriminal’s accomplice. Let's get acquainted with Hulk Web Server quickly in the next few minutes.

What is HULK - HTTP Unbearable Load King?

What is HULK? 

HULK is an abbreviation for HTTP Unbearable Load King, which is a web server Distributed Denial of Service tool. It is mainly designed for research purpose, and helps pen testers check the efficiency of a server. With its help, security specialists can find loopholes in their security implementation against DDoS, and correct them before an actual threat actor exploits it.

The History

Barry Shteiman, a cybersecurity specialist (currently, the CTO of BlastRadius), created HULK in May, 2012. 

Barry was frustrated seeing how most of the pentesting tools generate predictable load packets or HTTP SYN requests, prohibiting security experts from checking the actual defense ability of their organizational networks. He wrote this Python script for DDoS attack testing. The purpose of its creation was to launch 'more real' attacks and test the actual efficiency of any server.

How does HULK work?

HULK is very different from regular pentesting tools, attack scripts, and exploit methods. HULL generates a number of unique requests at irregular intervals from the same host. So, not only does it run a DDoS attack, the script also tries to prevent the network's defense mechanism from guessing the attack pattern. This makes it really tough to filter the traffic/packets.

Also, the tool has several features like referer request obfuscation and hiding the actual agent/actor. 

Let’s summarize the hulk web server tool’s working next:

  • Hulk sends multiple unique requests to its target server sequentially. By doing so, it tries to exhaust the server’s resource pool and bring it down. Once the total of such requests reaches the concurrent connection count limit of server, legitimate user requests cannot be entertained
  • Due to the versatility of its request, each request is capable of bypassing caching aids, intrusion detection tools, and other filtering mechanisms. 
  • Shteiman tested it against a MS IIS7 server with 4 GB RAM. The script made the victim server kneel in < 1 minute. For this test, he sent out all requests from the same host.
  • To boost attack’s rate, you will have to use multiple nodes and deploy significantly-heavy client-side resources.

Some Techniques used by HULK

  1. Obfuscation of Source Client

Hulk uses a good long list of known User Agents (see it in the next section) to obfuscate requests. So, for each request being generated, a random User Agent is picked. This trick makes it tough for intrusion prevention systems to detect the anomaly.

  1. Stickiness

Hulk tries to create various keep-alive connections. The time durable for these connections varies. With this, it succeeds at opening various HTTP requests and holding resources of the available pool by sticking to it.

  1. Reference Forgery 

Hulk forges its referer through obfuscation. It will either point to some major pre-listed websites or the host itself.

  1. No-cache

Though Hulk already generates unique requests, it also enables no-cache for the target HTTP server. By doing so, it can bring a server – that hides behind a dedicated caching solution – down faster.

  1. Unique URL Transforms

Creating various unique URLs for every request helps HULK bypass the caching tools and other filtering/optimization mechanisms. The tool, most of the time, receives a response OK (200) due to this feature.

HULK’s Technicalities - A Quick Glimpse

Observation 1

If you will go through the Hulk.py script, you will see randomint function being used several times. For example, check out the request creation below:

request = urllib2.Request(url + param_joiner + buildblock(random.randint(3,10)) + '=' + buildblock(random.randint(3,10)))
        request.add_header('User-Agent', random.choice(headers_useragents))
        request.add_header('Cache-Control', 'no-cache')
        request.add_header('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
        request.add_header('Referer', random.choice(headers_referers) + buildblock(random.randint(5,10)))
        request.add_header('Keep-Alive', random.randint(110,120))
        request.add_header('Connection', 'keep-alive')
        request.add_header('Host',host)

Observation 2

See this part of the script to have a look at which all user agents are utilized by HULK.

'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3'
'Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)'
'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)'
'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1'
'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)'
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)'
'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)'
'Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51'

Observation 3

Hulk begins the HTTP flooding attack with a typical TCP handshake. So, the SYN request is sent first, SYN ACK comes the next, and ACK thereafter. 

Once the first request bypasses the hurdles, the user agent starts sending diverse HTTP GET requests to the target URL. For this, it makes use of a randomized suffix.

screenshot1

Observation 4

The host sends out various HTTP GET requests with different/randomized suffices and receives the response as 200 (OK).

screenshot 2

Observation 5

If you see the below HULK statistics, you will be able to understand the tool is very efficient. Its efficiency is proportional to the client-side resources and number of nodes utilized to run the attack. An attack can actually last (and succeed) within 8.818 sec or less!

HULK statistics

TrafficCaptured
Packets858
Between first and last packet8.818 sec
Avg. packets/sec97.297
Avg. packets size540 bytes
Bytes463436
Avg. bytes/sec52553.381
Avg. MBit/sec0.42

Conclusion

If you are a security specialist, penetration tester, or someone responsible for taking care of an organization’s cyber network, HULK is a perfect ally for testing. It’ll surely give you a hard time, and help you strengthen your network’s security. However, if you are thinking of using the Hulk web server tool for a cybercrime or an actual attack out of curiosity, beware that the tool creator has prohibited its misuse. You will be responsible for the consequences and troubles.

FAQ

References

Subscribe for the latest news

Updated:
May 28, 2024
Learning Objectives
Subscribe for
the latest news
subscribe
Related Topics