HULK flood, is a DDoS attack named by its creators “HTTP Unbearable Load King” is similar to an HTTP flood and is designed to overwhelm web servers’ resources by continuously requesting single or multiple URL’s from many source attacking machines.
HULK flood differs from most available DDoS attack tools which produced predictable repeated patterns that could easily be mitigated. The principle behind the HULK flood is that a unique pattern is generated at each and every request, with the intention of increasing the load on the servers as well as evading any intrusion detection and prevention systems.
Some HULK Techniques
- Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
- Reference Forgery – the referrer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
- Stickiness – using some standard HTTP command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
- no-cache – this is a given, but by asking the HTTP server for no-cache , a server that is not behind a dedicated caching service will present a unique page.
- Unique Transformation of URL – to eliminate caching and other optimization tools, crafting custom parameter names and values and they are randomized and attached to each request, rendering it to be unique, enable the request to bypass many CDN systems.
When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other users.
It worth to mention that HULK attack demands many resources for client side as well, therefore a single node will not be able to run high attack rates.
Technical Analysis
List of User Agent used by HULK
'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3' 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)' 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)' 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1' 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1' 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)' 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)' 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)' 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)' 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)') 'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)' 'Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51'
As seen in Image 1, Hulk, like any other HTTP Flood, starts with a standard TCP handshake, (Packets 44, 49, 50 – SYN, SYN ACK, ACK). Then the user agent sends an HTTP GET request to a URL with randomized suffix (GET /?PLQZYRZW=GXVXTSW).
“Image 1 – TCP FLOW”
Image 2 shows a user agent sends multiple HTTP GET requests to an URL with a randomized suffix and receives from the target HTTP responses HTTP/1.1 200 OK.
“Image 2 – HTTP Requests and Responds”
As shown in Image 3, the capture analyzed is around 8.8 seconds long and the average number of packets per second is around 97, with a rate of around 0.42 Mbps (actual attack rates could be significantly higher).
“Image 3 – HULK STATISTICS”
Analysis of HULK attack in Wireshark – Filters:
Using the ‘http’ filter, you can filter out anything except HTTP requests.
“http.request.method == GET” or “http.request.method == POST” – Will show HTTP GETs or POSTs respectively. You can also apply filters of any other HTTP Methods (e.g. PUT, DELETE).
If you see a single source IP sending many such requests, he could very well be an attacker.
Download Example PCAP of HULK Attack:
*Note: IP’s have been randomized to ensure privacy.
Download