Hulk Dos Tool Ported to Go

August 2012 · 2 minute read

I just ported HULK DoS tool to Go language. Go source code a little shorter due to simplify the thread flow control — goroutines and channels provide a compact and expressive code, as the whole net/http package.

In the process of porting was found that keep-alive in the Python version is not supported. This is noted in "HULK vs. THOR - Application DoS Smackdown"" and confirmed in discussions at Stackoverflow — so1, so2, so3. Seems like it need use alternative for urllib2. In the golang version of net/http there is not such problem with keep-alive and if the server supports persistent connections and returns a Connection: keep-alive, then the request is repeated in an already created client.

Also in the "HULK vs. THOR" noted about strictly defined order of the request headers in urllib2, which is used to create the rule for ModSecurity. Golang package net/http uses sorting for headers by their names. So Golang version also writes headers in strictly defined order. Therefore GoHULK easily blocked by the same rule as described in the article but with a different order of header fields:

SecRule REQUEST_HEADERS_NAMES ".*" "id:'11',chain,phase:1,t:none,log,drop,msg:'Request Header Ordering Alert: Potential Attack Tool - GoHULK DoS.',setvar:'tx.header_order2=%{tx.header_order2}, %{matched_var}'"
SecRule TX:HEADER_ORDER2 "@streq , Host, User-Agent, Accept-Charset, Cache-Control, Connection, Keep-Alive, Referer, Accept-Encoding""

Sources: (for reference I placed original in the repository).

Sample syntax:

$ GOMAXPROCS=4 HULKMAXPROCS=4096 hulk -site 2>/tmp/errlog

To interrupt execution use Ctl+C.

Resume. HULK is a DoS toy, easily blocked if need and I not understand why so much noise around this utility. But Python and Go code may be useful for learning purposes and it's my point of view to this thing. Though you may slow down badly configured webserver or site with this toy (I overload Drupal7 + boost cache on dedicated server as boost under hulk recreate caches for each new unique GET-param and filled up cache directory with bunch of useless files), so use it wisely.

Note: original was written by Barry Shteiman. I'm not related to development of the original utility. I just placed the code for a reference in my repo when I've ported Barry's tool from Python to Go.

Update: it seems like utility still used by other people and either included into BlackArch Linux distro. So I've updated the code a bit.