Cyber Avengers: THOR thumps HULK attack tool
A mild-mannered security researcher at Imperva last month released the HULK, which can enable a single computer to launch a denial-of-service attack that can bring an unhardened Web server crashing down in a matter of minutes.
HULK (HTTP Unbearable Load King) generates multiple random malicious requests intended to be undetectable and avoid caching, thus overloading the target server. Barry Shteiman created a stir in security circles when he unleashed HULK, created as a proof-of-concept research tool, upon the world May 17.
He aimed it at a test Web server with 4G of RAM running Microsoft IIS7, and the server “was brought to its knees [in] less than a minute, running all requests from a single host,” he wrote in a blog posting.
The path to outsmarting advanced cyberattacks
Anonymous lures unwitting users into online campaign
But (to continue the Marvelverse theme) the folks at SpiderLabs quickly turned loose THOR (Thumping HTTP Obvious Requests), which found HULK’s weak spot and smacked it down.
THOR consists of a small set of security rules that identify unintended patterns in the HULK requests, enabling a server to shut down the malicious connection and short-circuit the attack. Prolexic Technologies also has released a threat advisory that analyzes HULK’s weaknesses and details how to disrupt the attack.
In spite of the high-profile matchup, HULK probably isn’t terribly dangerous in itself. It is significant in that it allows a serious attack to be launched from a single computer, but any single-source attack can be easily disconnected once it is identified because only a single IP address has to be blocked.
The most serious denial-of-service attacks today are distributed, either leveraging botnets to overwhelm a target with many low-volume attacks, or getting volunteers to use a publicly available tool, such as the Low Orbit Ion Canon used by groups such as Anonymous, to collaborate in an attack. Because the volume of traffic from any single address is small, they can be difficult to spot, and because many addresses are involved the attacks are more difficult to disrupt.
HULK’s genesis stemmed from Shteiman’s research on “nifty hacking tools,” which he found had a common flaw. “Their main problem is always the same.... They create repeatable patterns, [making it] too easy to predict the next request that is coming, and therefore mitigate. Some, although elegant, lack the horsepower to really put a system on its knees.”
Putting these lessons into practice, “I wrote a script that generates some nicely crafted unique HTTP requests, one after the other, generating a fair load on a Web server, eventually exhausting it of resources.” The script was released, along with the caveat that “the tool is meant for educational purposes only and should not be used for malicious activity of any kind.”
But despite the efforts to make the malicious request unpredictable, other researchers found patterns. “While the HULK tool does achieve its goal of randomizing the payloads of various headers, it is still quite easily identifiable due to the request header ordering of the requests,” which creates a unique fingerprint, the SpiderLabs researchers wrote. Once the fingerprint is identified in a request, the sever can drop it.
“As an added benefit, using the drop action seems to cause HULK to freeze,” SpiderLabs wrote. “After receiving the initial 10 requests and issuing the drop, HULK sits idle and does not send any more requests.”
Stay tuned for the next episode.