Prolexic Issues Defense Strategy Against HULK Attacks

Prolexic Technologies, a distributed denial of service (DDoS) protection service, has released a threat advisory on the HTTP unbearable load king (HULK) denial of service (DoS) script that has many security administrators panicking. 

HULK, release on May 17, was intended as an educational proof-of-concept, according to Prolexic. It works by using randomized header and parameter values to generate a flood of threaded GET commands. The company said that “the randomized requests make it more difficult to distinguish attack threads from legitimate traffic, particularly for automated mitigation solutions. “

Making its job still easier is the fact that HULK exploits “out-of-the-box Web server configuration vulnerabilities and spawns 500 threads that collectively stream random GET requests at its Web site target upon launch, bypassing caching engines to exhaust server resources.“

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened Web server in minutes. We’ve tested the tool internally and it is functional,” said Neal Quinn, chief operating officer at Prolexic. [emphasis mine]

“Fortunately, this is not a very complex DoS tool,” Quinn points out. “We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralize this vulnerability with the proper configuration settings and rules.”

The Prolexic Security Engineering & Response Team (PLXsert) has released a set of rules to defend against and mitigate HULK attacks. The team has made its recommendations public here. The report is free but registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 06/01/2012