HULK, Web Server DoS Tool

Introducing HULK (Http Unbearable Load King).

In my line of work, I get to see tons of different nifty hacking tools, and traffic generation tools that are meant to either break and steal information off a system, or exhaust its resource pool, rendering the service dead and putting the system under a denial of service.

For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same: they create repeatable patterns. It is too easy to predict the next request that is coming, and therefore to mitigate it. Some, although elegant, lack the horsepower to really bring a system to its knees.

For research purposes, I decided to take some of the lessons I’ve learned over time and practice what I preach.

Harnessing Python, I wrote a script that generates nicely crafted unique HTTP requests, one after the other, producing a fair load on a web server and eventually exhausting its resources. This can be optimized much further, but as a proof of concept and generic guidance it does its job.

As a guideline, the main concept of HULK is to make each and every request it generates unique, thus avoiding/bypassing caching engines and acting directly on the server’s load.

I have published it to Packet Storm, as we do.

Some Techniques

  • Obfuscation of Source Client – done by using a list of known User Agents; for every request that is constructed, the User Agent is a random value taken from that list.
  • Reference Forgery – the Referer header sent with the request is obfuscated and points either at the host itself or at one of several major pre-listed websites.
  • Stickiness – using standard HTTP headers to ask the server to maintain open connections, by sending Keep-Alive with a variable time window.
  • no-cache – this is a given, but by asking the HTTP server for no-cache, a server that is not behind a dedicated caching service will serve a unique page.
  • Unique Transformation of URL – to defeat caching and other optimization tools, custom parameter names and values are randomized and attached to each request, rendering it unique and forcing the server to process the response on each event.
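A defensive check for the traits listed above, written as an added example that is not part of this post or of hulk.py: it parses constructed access-log lines, assumes the web server has been configured to log the request’s Cache-Control header as an extra quoted field, and flags a client only when all of the listed traits appear together in one burst (a single client rotating User-Agents, never repeating a query string, using unknown parameter names and asking for no-cache on every request).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format plus one extra quoted field: the request's Cache-Control
# header, which the web server is assumed to have been configured to log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cc>[^"]*)"$')

# Constructed sample lines, not real traffic. 198.51.100.7 shows the traits the
# post lists (random parameter names, a different User-Agent per request,
# forged referers, no-cache); 203.0.113.5 is an ordinary visitor paging a list.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2012:10:00:01 +0000] "GET /?ZXqpa=KdLsoP HTTP/1.1" 200 5123 "http://www.google.com/?q=Hj" "Mozilla/5.0 (Windows NT 6.1)" "no-cache"
198.51.100.7 - - [10/Jun/2012:10:00:01 +0000] "GET /?oLkQ=Wmzpqr HTTP/1.1" 200 5123 "http://example.org/" "Opera/9.80 (Windows NT 5.1)" "no-cache"
198.51.100.7 - - [10/Jun/2012:10:00:02 +0000] "GET /?Ttabv=Qpxcm HTTP/1.1" 200 5123 "http://www.usatoday.com/search?q=Wz" "Mozilla/4.0 (compatible; MSIE 7.0)" "no-cache"
198.51.100.7 - - [10/Jun/2012:10:00:02 +0000] "GET /?Ghq=Lmdjr HTTP/1.1" 500 512 "http://example.org/" "Mozilla/5.0 (X11; Linux x86_64)" "no-cache"
203.0.113.5 - - [10/Jun/2012:10:00:01 +0000] "GET /?page=2 HTTP/1.1" 200 5123 "http://example.org/" "Mozilla/5.0 (Macintosh)" "-"
203.0.113.5 - - [10/Jun/2012:10:00:03 +0000] "GET /?page=3 HTTP/1.1" 200 5123 "http://example.org/" "Mozilla/5.0 (Macintosh)" "-"
"""

def parse(log_text):
    """Yield a dict of fields for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def hulk_suspects(log_text, known_params, min_requests=3):
    """Return {ip: {"requests": n, "distinct_agents": k}} for clients whose
    burst of at least min_requests requests shows every trait at once: no query
    string repeated, only parameter names outside known_params, more than one
    User-Agent, and Cache-Control: no-cache on each request."""
    per_ip = defaultdict(lambda: {"n": 0, "queries": set(), "agents": set(),
                                  "unknown": 0, "no_cache": 0})
    for r in parse(log_text):
        s = per_ip[r["ip"]]
        query = urlsplit(r["target"]).query
        s["n"] += 1
        s["queries"].add(query)
        s["agents"].add(r["ua"])
        s["unknown"] += any(k not in known_params for k, _ in parse_qsl(query))
        s["no_cache"] += "no-cache" in r["cc"].lower()
    return {ip: {"requests": s["n"], "distinct_agents": len(s["agents"])}
            for ip, s in per_ip.items()
            if s["n"] >= min_requests and len(s["queries"]) == s["n"]
            and s["unknown"] == s["n"] and len(s["agents"]) > 1
            and s["no_cache"] == s["n"]}
```

Because a real browser session keeps one User-Agent and mostly repeats known parameter names, requiring all traits together keeps a busy legitimate client from being flagged; the thresholds are a starting point to tune against your own logs.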

Results

Basically, my test web server with 4 GB of RAM running Microsoft IIS7 was brought to its knees in less than a minute, with all requests coming from a single host.

In the pictures below you can see the tool in action: first ( #1 ) it is executed against a URL and starts generating a load of unique requests, sending them to the target server ( the host of the URL ); second ( #2 ) we can see that at some point the server starts failing to respond, since it has exhausted its resource pool.

[screenshots: #1 the tool running against a URL; #2 the server failing to respond]

Note that the “safe” argument is meant to kill the process after all threads have received a 500 error; it is optional, and simply makes the tool easier to control in a lab.

Download

File : hulk.py ( via Packetstorm )

The tool is meant for educational purposes only, and should not be used for malicious activity of any kind.


[ Edit 25nov2012 : changed download link to packetstorm ]

29 Comments
  1. Barry Shteiman

    Got questions on how to enable https…

    Just change line 149 in hulk.py to

    m = re.search('https?\://([^/]*)/?.*', url)

  2. UnderPL

    Couldn’t believe a simple DoS can put down my website. Great tool!

  3. HULK DDoS Tool Smash Web Server, Server Fall Down | CYBERSEECURE

    […] to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the obvious […]

  4. Episode 674 – NMap 6, No Supreme Court, Under 13 FB, Justice Breach, Hulk Smash Server, and Kaspersky Frustrated | InfoSec Daily

    […] designed to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the obvious […]

  5. IT Vulnerability & ToolsWatch | HULK (Http Unbearable Load King) v1.0 Released

    […] Download HULK (Http Unbearable Load King) v1.0 Released […]

  6. HULK DDoS Tool Smash Web Server, Server Fall Down | ujjwalblog.com

    […] to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the obvious […]

  7. How to become a Hacktivist In 10 Easy Steps | XFLIX

    […] HULK […]

  8. Unix R Us » DoS in less than 30 seconds

    […] a few requests, high keep-alive intervals and some garbage was all it took. The script can be found here This ofc can be mitigated using firewall limits, mod_sec, mod_evasive, etc, an example can be […]

  9. Some Hulk Afterthoughts

    […] was great to see how much attention the Hulk tool got over a short period of time, and even considered a malware by some folks who didn’t read […]

  10. Don

    Hey, thank you for such a wonderful tool.
    I really need it but can’t use it because I get an invalid syntax error.
    Any idea what to do?

    1. Barry Shteiman

      What is your syntax error?

  11. Don

    It’s on line 72.

  12. A3

    Very effective.

    Thanks, good work.

  13. Vasilis Mavroudis

    Thanks, it sounds nice, I will give it a try… should be good for pen testing.

  14. TechBuster | Get the latest news on the latest trending topics on TECHNOLOGY.

    […] More details can be found here. […]

  15. Tigo

    Hey Barry,
    Nice tool, thanks for sharing it with us.
    I have tested this tool on my website, and I just can’t believe that it took it down in less than 30 seconds, which I’m not happy about for my website. But I guess the good news is, it didn’t hold it overloaded for very long (“I didn’t use the safe option”); after 2 minutes of attacking, my website came up fine and started serving again. But I was wondering whether my website, once it recognizes the attacker, blocks it by itself, or whether you have built in a limited attack time?
    Thanks again for sharing with us.
    Tigo

    1. Barry Shteiman

      Since I wrote it for pen testing purposes, it was designed with throttling down in mind.

  16. Tigo

    Thanks for your quick reply.
    How about cancelling the attack in the middle of attacking the server?
    Do you just need to close the window? Because I tried to cancel it using CTRL+S (“Windows OS”) but it didn’t work.

  17. Dom

    Hi, I was unable to download the zip file because it has been removed from Mediafire. Is there another link? Rgds

    1. Barry Shteiman

      Link updated to Packetstorm download.

  18. HULK DDoS Tool Smash Web Server, Server Fall Down | UjjwalBlog

    […] to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the obvious […]

  19. joey

    Hey, the DL link isn’t working anymore, can you upload a new link?

    1. Barry Shteiman

      Done. Link now points at Packetstorm, sorry for the inconvenience.

    2. Barry Shteiman

      Done.

  20. JoJo

    Do I run this from a cmd window or can I run it from a Linux terminal? If so, how? I’m disappointed with slowloris… your tool makes me think for some reason that it will put slowloris in its grave… lol.

    1. archmonk

      You can run it from a Linux terminal and a cmd window!

  21. bo858585

    Hello.
    Maybe this program needs a proxy (anonymous, elite IP):

    
      proxy  = urllib2.ProxyHandler({'https': 'ip:port'})
      opener = urllib2.build_opener(proxy)
      urllib2.install_opener(opener)
    

    (Put this code into the HTTPThread or httpcall function)

    And also the try block needs to be inside the while loop, because when the program cannot make the httpcall (server is off) and throws some Exception, it will carry on and not stop (sorry for bad English =) ):

    
      while flag < 2:
          try:
              code = httpcall(url)
          except Exception, e:
              pass
    

    Correct me if I’m wrong. Thank you!

  22. HULK DDoS Tool Smash Web Server, Server Fall Down | Threatpost

    […] to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the […]

  23. Tran

    How can I stop this DDoS tool with Snort rules? I tried, but Snort can’t detect this attack tool. Any solution please!
