
There is a tool called HULK (Http Unbearable Load King). It's a web server denial of service tool. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server's direct resource pool.

I've been testing this on Nginx and it put down Nginx in seconds. Below is a log snippet from my testing.

192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?UDY=CLZFTJP HTTP/1.1" 200 199265 "http://www.usatoday.com/search/results?q=BZWVGQ" "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"
192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?YGNBNQK=BEPPWCSMKJ HTTP/1.1" 200 199272 "http://www.google.com/?q=PJCSSRQLT" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?XETRTJ=LFV HTTP/1.1" 200 199264 "http://www.usatoday.com/search/results?q=QHDEEM" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?JYJHZB=ZHIB HTTP/1.1" 200 199265 "http://www.mywebsite.com/UPHIBL" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1"
192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?VHXLKAIB=NCU HTTP/1.1" 200 199266 "http://www.mywebsite.com/KIPQLJH" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
192.168.1.10 - - [17/May/2013:16:37:36 +0800] "GET /?IGCQSNG=BNKSM HTTP/1.1" 200 199267 "http://engadget.search.aol.com/search?q=POZWPGSTV" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
192.168.1.10 - - [17/May/2013:16:37:36 +0800] "GET /?HUL=BMZAQXXXF HTTP/1.1" 200 199267 "http://www.usatoday.com/search/results?q=KUQNRADOUP" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
192.168.1.10 - - [17/May/2013:16:37:36 +0800] "GET /?ZWOWYGEZ=PBEAVXZF HTTP/1.1" 200 199271 "http://engadget.search.aol.com/search?q=FXWHN" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"

My test server (CentOS 6.4 64bit) is configured with Varnish but as the tool said, it bypassed the caching of Varnish.

I can install fail2ban but how should I define regex for this kind of request? Or is there a way to configure Nginx to protect from this kind of attack? Maybe rewrite rule or something?

chr1x2
  • There's a regex in the answer to your very similar question from yesterday http://serverfault.com/questions/508180/nginx-redirect-get-pattern What are you looking for different in this question? – Danack May 17 '13 at 11:30
  • ModSecurity has rules which will block this tool. I should know, I'm responsible for them. I'll post a full answer later. – Michael Hampton May 17 '13 at 15:04
  • @Danack It's actually related. I was searching on the net what kind of tool was used to hit my server that hard and HULK was very similar to the requests on this thread http://serverfault.com/questions/508180/nginx-redirect-get-pattern. I tried different regex pattern but nothing worked. So I'm thinking if there is more easy way and/or better approach to protect Nginx from HULK tool. – chr1x2 May 18 '13 at 03:38
  • @MichaelHampton I'll wait for that. tyia. – chr1x2 May 18 '13 at 03:42
  • I would suggest Cloudflare – Joseph Szymborski May 26 '13 at 04:41
  • @MichaelHampton, would you like to answer this question? Your answer should be useful for someone. – tpml7 Dec 14 '14 at 04:02

1 Answer


I just bumped into this thread and noticed that it has 2 down votes. Anyway, I just want to post what I did to block HULK requests.

In /etc/nginx/conf.d/default.conf (or similar), I added the following inside the server block:

# Any query string of the form KEY=VALUE on the root URL is sent to an
# internal location; the trailing "?" on the rewrite drops the original args.
if ($args ~* "(.{1,})=(.{1,})" ){
        rewrite ^/$ /444_rewrite?;
}
# 444 is Nginx's "close the connection without a response" status.
location  /444_rewrite {
        return 444;
}

What does it do? Since the site is using friendly URLs and none of the site URLs start with ? or =, I can redirect all those weird GET requests to 444. The argument (.{1,})=(.{1,}) tells Nginx to redirect all GET requests that have any characters with = between them.

chr1x2
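For the fail2ban side of the question, here is an added example (not from the question or answer above) that parses Nginx combined-format lines, matches the request shape shown in the quoted log (root URL with a single random uppercase KEY=VALUE pair plus a randomised referer) and counts hits per source IP; the sample log is constructed with placeholder addresses, and the threshold and regexes are assumptions. It is narrower than the answer's `=`-in-args rule, so ordinary query strings such as `?page=2` are not flagged.

```python
import re
from collections import Counter

# Constructed sample shaped like the lines quoted in the question; the
# placeholder IPs and random query values are not real traffic.
SAMPLE_LOG = """\
192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?UDY=CLZFTJP HTTP/1.1" 200 199265 "http://www.usatoday.com/search/results?q=BZWVGQ" "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"
192.168.1.10 - - [17/May/2013:16:37:35 +0800] "GET /?YGNBNQK=BEPPWCSMKJ HTTP/1.1" 200 199272 "http://www.google.com/?q=PJCSSRQLT" "Mozilla/4.0 (compatible; MSIE 8.0)"
192.168.1.10 - - [17/May/2013:16:37:36 +0800] "GET /?HUL=BMZAQXXXF HTTP/1.1" 200 199267 "http://www.usatoday.com/search/results?q=KUQNRADOUP" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.5 - - [17/May/2013:16:37:36 +0800] "GET /blog/post-1?page=2 HTTP/1.1" 200 5120 "http://www.mywebsite.com/blog" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
10.0.0.5 - - [17/May/2013:16:37:36 +0800] "GET /?utm_source=newsletter HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
"""

# Nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Shape seen in the question's log: root path with one random all-uppercase
# KEY=VALUE pair, and a referer whose own query/path segment is random too.
# Both patterns are assumptions tuned to the quoted lines, not a general signature.
HULK_URI_RE = re.compile(r'^/\?[A-Z]{2,}=[A-Z]{2,}$')
HULK_REF_RE = re.compile(r'[?&]q=[A-Z]{2,}$|/[A-Z]{2,}$')

def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def looks_like_hulk(rec):
    """True when both the request URI and the referer match the random pattern."""
    return bool(HULK_URI_RE.match(rec["uri"]) and HULK_REF_RE.search(rec["referer"]))

def flag_sources(log_text, threshold=3):
    """Return {ip: count} for sources with at least `threshold` matching requests."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and looks_like_hulk(rec):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'192.168.1.10': 3}
```

The same `HULK_URI_RE` idea can be carried into a fail2ban `failregex` by replacing the IP group with `<HOST>`, while the threshold maps onto fail2ban's `maxretry`.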