Mad Hulk does good

In Information Security, by Team Acumin / 21st June 2012

The Hulk is an iconic comic character created by Stan Lee and Jack Kirby, a brutal superhero who only manifests himself when his alter-ego Dr Bruce Banner loses control of his rage or finds his life in danger. In the Marvel Comics universe, that is more often than not. Nobody wants to see Dr Banner sipping coffee while meditating. Where’s the excitement in that?

A sort of digital manifestation of Hulk has materialised, aptly called the HTTP Unbearable Load King (the acronym being HULK), and what does it do? Well, “HULK get mad, HULK smash” is perhaps an apt explanation.

The back story to this denial of service (DoS) attack tool, which has become the buzz topic of the moment, is that it was developed without malicious intent by a network security researcher.

Yes, you read that right: its origins are entirely altruistic. The gentleman in question produced the HULK script as an “educational proof of concept”, a proactive exploration of weaknesses in web servers, a form of penetration testing if you will.

The fascinating aspect of the story – if that wasn’t sufficiently amazing – is that Barry Shteiman, a self-confessed nerd who works for an application security company, posted the script on his website for everyone to use.

With a disclaimer of course: “The tool is meant for educational purposes only and should not be used for malicious activity of any kind.”

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes. We’ve tested the tool internally and it is functional,” commented Neal Quinn, chief operating officer at Prolexic.

“Fortunately, this is not a very complex DoS tool. We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.”

Commenting on Shteiman’s website, one enthusiastic user going by the name of UnderPL was amazed that a “single dos” could bring down his own website. That hints at how the tool could be used in a negative context, and some might hold this against Mr Shteiman’s openness and willingness to share, but that would be a mistake.

His creativity stems from a genuine interest in this field of study and from a curious disposition, a wish to think outside the box. That is an attribute to applaud: it led him to devise a strategy that a cyber criminal might well have developed in the foreseeable future and used to full effect before anyone knew how to deal with it. Now that we know the problem, we can strategise.

He therefore embodies the characteristics that all IT experts need if they are to be the best of the best. This isn’t Hulk gone mad, but “Dr Banner done a very good thing”. As Mr Quinn observed, in this instance we can all relax.

“There is a lot at stake for businesses online – whether it’s a matter of money, reputation, regulatory compliance or business continuity. No one wants to be down for a second, let alone hours or days,” he expanded.

“Consequently, any threat can cause panic. While many DDoS threats are very real and severe, in the case of HULK, panic is not necessary. PLXsert is happy to share our practical, effective mitigation method that can be implemented on any WAF or content switch, and transform the HULK back into Dr Banner.”

Maybe we were wrong in the intro. In some circumstances Dr Banner is much better company, especially when all we want is a nice brew.