Some Hulk Afterthoughts
It was great to see how much attention the Hulk tool got over a short period of time, and even considered a malware by some folks who didnt read the fine print of “educational experiment” labeling. got tons of questions and improvement suggestions while some missed the main idea behind this.. its not meant to avoid a security control, but to bypass the caching engines to hit directly on the server.
The thing that got me most interested was the growing interest from the Hacktivist community in such tools ( TONS and TONS of emails… ) , but also the fact that some researchers went to analyze for mitigation in case of someone abusing the tool for malicious usage. needless to say, I used a very easy to fingerprint ( for application aware security products ) library called urllib2 as this was designed for a lab experiment and not to break the laws of physics.
One individual has sent me a nice test that he’s done with the tool, using a virtualized grid, running the tool from 300 hosts in a rate-limited LAN ( to demonstrate bandwidth constraints of a wan link ) at a server cluster running apache, with an apache caching server in front and got the same results as I did.
I believe that the goal was achieved, an individual or a company that wishes to see how their application copes with application denial of service, can have a tool to run the check, while is also able to prevent anyone else from using it. I do believe that the only way to prepare and mitigate a threat, is knowing it exists, hope this helped.