http://m14hackersworld.blogspot.com
DownLoad: HULK / Web Server DoS Tool
Barry Shteiman, a principal security engineer at Imperva, has released a Python-based web server denial-of-service (DOS) tool called HULK (Http Unbearable Load King).
HULK is a web server denial of service tool written for research purposes. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server's direct resource pool.
Some Techniques
Results
Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host.
In the pictures below you can see the tool in action, where it first ( #1 ) executed against a URL, and then the tool starts generating a load of unique requests and sending over the target server ( host of the URL ), and second ( #2 ) we can see that the server at some point starts failing to respond since it has exhausted its resource pool.
Note the “safe” word is meant to kill the process after all threads got a 500 error, since its easier to control in a lab, it is optional.
Download
File : hulk.py ( zip file )
The tool is meant for educational purposes only, and should not be used for malicious activity of any kind.
DownLoad: HULK / Web Server DoS Tool
Barry Shteiman, a principal security engineer at Imperva, has released a Python-based web server denial-of-service (DOS) tool called HULK (Http Unbearable Load King).
HULK is a web server denial of service tool written for research purposes. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server's direct resource pool.
Some Techniques
- Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
- Reference Forgery – the referer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
- Stickiness – using some standard Http command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
- no-cache – this is a given, but by asking the HTTP server for no-cache , a server that is not behind a dedicated caching service will present a unique page.
- Unique Transformation of URL – to eliminate caching and other optimization tools, I crafted custom parameter names and values and they are randomized and attached to each request, rendering it to be Unique, causing the server to process the response on each event.
Results
Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host.
In the pictures below you can see the tool in action, where it first ( #1 ) executed against a URL, and then the tool starts generating a load of unique requests and sending over the target server ( host of the URL ), and second ( #2 ) we can see that the server at some point starts failing to respond since it has exhausted its resource pool.
Note the “safe” word is meant to kill the process after all threads got a 500 error, since its easier to control in a lab, it is optional.
Download
File : hulk.py ( zip file )
The tool is meant for educational purposes only, and should not be used for malicious activity of any kind.
EmoticonEmoticon