la eterna aŭtuno interne

HULK DoS tool ported to Go

I just ported HULK DoS tool to Go language. Go source code a little shorter due to simplify the thread flow control — goroutines and channels provide a compact and expressive code, as the whole net/http package.

In the process of porting was found that keep-alive in the Python version is not supported. This is noted in "HULK vs. THOR - Application DoS Smackdown"" and confirmed in discussions at Stackoverflow — so1, so2, so3. Seems like need to use alternative to urllib2. In the go-version of net/http ther are not problems with keep-alive and if the server supports persistent connections and returns a Connection: keep-alive, then the request is repeated in an already created client.

Also in the "HULK vs. THOR" noted about strictly defined order of the request headers in urllib2, which is used to create the rule for ModSecurity. Go-version is no exception, as the map type used to define Header (net/http/header.go) in Go has an undefined order of keys also as in Python dictionaries. Therefore GoHULK easily blocked by the same rule as described in the article but with a different order of header fields:

SecRule REQUEST_HEADERS_NAMES ".*" "id:'11',chain,phase:1,t:none,log,drop,msg:'Request Header Ordering Alert: Potential Attack Tool - GoHULK DoS.',setvar:'tx.header_order2=%{tx.header_order2}, %{matched_var}'"
SecRule TX:HEADER_ORDER2 "@streq , Host, User-Agent, Accept-Charset, Cache-Control, Connection, Keep-Alive, Referer, Accept-Encoding""

Sources: http://github.com/grafov/hulk (for reference I placed original hulk.py in the repository).

Sample syntax:

$ GOMAXPROCS=4 HULKMAXPROCS=4096 hulk -site http://example.com/example.php 2>/tmp/errlog

To interrupt execution use <kbd>Ctl</kbd>+<kbd>C</kbd>.

Resume. HULK is a DoS toy, easily blocked if need and I not understand why so much noise around this utility. But Python and Go code may be useful for learning purposes and it's my point of view to this thing. Though you may slow down badly configured webserver or site with this toy (I highly load Drupal7 + <a href=http://drupal.org/project/boost>boost cache</a> on dedicated server as boost under hulk recreate caches for each new unique GET-param and filled up cache directory with bunch of useless files), so use it wisely.

Comments powered by Disqus
  • Shares:

Share