Prolexic warns of HULK DoS script
Malware was designed by a network security researcher as an education tool
DDoS protection specialist Prolexic Technologies has released a threat advisory on the HTTP Unbearable Load King (HULK) denial of service (DoS) script.
According to Prolexic, the script was developed by a network security researcher and shared publicly on his blog. The tool attracted widespread attention - and generated panic - throughout the digital security industry.
The script was intended to be an educational proof-of-concept, which exposed common weaknesses that could be exploited by malicious actors to bring down servers that have not been optimally configured for performance and DDoS resistance.
"What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes. We've tested the tool internally and it is functional," said Neal Quinn, chief operating officer at Prolexic. "Fortunately, this is not a very complex DoS tool," he added. "We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules."
HULK, which was released on 17th May, uses randomised header and parameter values to generate a threaded GET flood attack; the randomised requests make it more difficult to distinguish attack threads from legitimate traffic, particularly for automated mitigation solutions.
HULK is designed to take advantage of out-of-the-box web server configuration vulnerabilities and spawns 500 threads that collectively stream random GET requests at its website target upon launch, bypassing caching engines to exhaust server resources, according to Prolexic.
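One way a defender could spot the pattern described above in web server access logs, as an added example that is not taken from Prolexic's advisory or from the HULK script: it flags a client whose GET requests to one path almost never repeat a query string, which is what defeats a cache. The combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (assumed); only GET requests are matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>[^ ?"]*)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WINDOW_S = 60       # bucket size in seconds (assumed tuning value)
MIN_REQUESTS = 30   # ignore low-volume clients (assumed tuning value)
UNIQUE_RATIO = 0.9  # share of requests carrying a never-repeated query string

def find_cache_busting_floods(lines):
    """Return sorted (ip, path, requests, distinct_queries, distinct_user_agents)
    for each client/path/window that looks like a randomised GET flood."""
    buckets = defaultdict(lambda: {"n": 0, "queries": set(), "uas": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["query"] is None:
            continue  # unparsable, not a GET, or no query string to randomise
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        bucket = buckets[(m["ip"], m["path"], int(ts) // WINDOW_S)]
        bucket["n"] += 1
        bucket["queries"].add(m["query"])
        bucket["uas"].add(m["ua"])
    return sorted(
        (ip, path, b["n"], len(b["queries"]), len(b["uas"]))
        for (ip, path, _), b in buckets.items()
        if b["n"] >= MIN_REQUESTS and len(b["queries"]) / b["n"] >= UNIQUE_RATIO
    )

def sample_lines():
    """Constructed log lines (documentation IP ranges), not captured traffic."""
    def line(ip, sec, target, ua):
        return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
                f'"GET {target} HTTP/1.1" 200 512 "-" "{ua}"')
    # Every request has a fresh parameter name and value plus a rotating User-Agent.
    flood = [line("198.51.100.7", i, f"/?p{i * 7919}=v{i * 104729}", f"Agent/{i % 6}")
             for i in range(40)]
    # Busy but cacheable: the same three URLs requested over and over.
    normal = [line("203.0.113.9", i, f"/search?q=shoes&page={i % 3}", "Browser/1.0")
              for i in range(40)]
    # Unique queries but far too few requests to matter.
    quiet = [line("192.0.2.4", i, f"/?x={i}", "Browser/1.0") for i in range(3)]
    return flood + normal + quiet

if __name__ == "__main__":
    for hit in find_cache_busting_floods(sample_lines()):
        print(hit)
```

Because the check keys on how rarely a query string repeats rather than on any fixed header value, it still applies when the headers are randomised.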
The Prolexic Security Engineering & Response Team (PLXsert) have instituted rules to defend against and mitigate HULK attacks and issued a threat advisory to Prolexic customers last week. As a public service, full details of the HULK threat, including recommended mitigation techniques and SNORT rules, are available at www.prolexic.com/threatadvisories.
"There is a lot at stake for businesses online - whether it's a matter of money, reputation, regulatory compliance or business continuity. No one wants to be down for a second, let alone hours or days," Quinn said. "Consequently, any threat can cause panic. While many DDoS threats are very real and severe, in the case of HULK, panic is not necessary. PLXsert is happy to share our practical, effective mitigation method that can be implemented on any WAF or content switch, and transform the HULK back into Dr. Banner."