Mad Hulk does good

The Hulk is an iconic comic character created by Stan Lee and Jack Kirby, a brutal superhero who only manifests himself when his alter-ego Dr Bruce Banner loses control of his rage or is put in a position when his life is in danger. In the Marvel Comic universe, that is more often than not. Nobody wants to see Dr Banner sipping on coffee while meditating. Where’s the excitement in that?

A sort of digital manifestation of Hulk has materialised, aptly called the HTTP Unbearable Load King (the acronym being HULK), and what does it do? Well, “HULK get mad, HULK smash” is perhaps an apt explanation.

The back story to the origin of this denial of service (DoS) attack tool, which has managed to become the buzz topic of the moment, is that it was developed without malicious intent by a network security researcher.

Yes, you read right, its origins are entirely altruistic. You see, the gentleman in question produced the script to HULK as an “educational proof of concept”, a proactive exploration into exposing weaknesses on web servers, a form of penetration testing if you would.

The fascinating aspect of the story – if that wasn’t sufficiently amazing – was the fact that Barry Shteiman, a self-confessed nerd, who works for an application security company, posted the script on his website for everyone to use.

With a disclaimer of course: “The tool is meant for educational purposes only and should not be used for malicious activity of any kind.”

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes. We’ve tested the tool internally and it is functional,” commented Neal Quinn, chief operating officer at Prolexic.

“Fortunately, this is not a very complex DoS tool. We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.”

Commenting on his website, one enthusiastic user, going by the name of UnderPL, was amazed that a “single dos” could bring down his website. It indicates, perhaps, what it can be used for in a negative context, which can arguably be used as a criticism against Mr Shteiman’s openness and willingness to share, but this would be a mistake.

His creativity, which stems from a genuine interest in this field of study, as well as being a product of a curios disposition, of wanting to think outside the box, is an attribute to applaud, one that has led him to come up with a strategy that might have been developed by a cyber criminal in the foreseeable future and used to full effect without anyone knowing how to deal with it. Now we know the problem, we can strategise.

He therefore embodies characteristics that all IT experts need to have in being the best of the best. This isn’t Hulk gone mad, but “Dr Banner done a very good thing”. As Mr Quinn observed, in this instance, we can all relax.

“There is a lot at stake for businesses online – whether it’s a matter of money, reputation, regulatory compliance or business continuity. No one wants to be down for a second, let alone hours or days,” he expanded.

“Consequently, any threat can cause panic. While many DDoS threats are very real and severe, in the case of HULK, panic is not necessary. PLXsert is happy to share our practical, effective mitigation method that can be implemented on any WAF or content switch, and transform the HULK back into Dr Banner.”

Maybe we were wrong in the intro. Sometimes Dr Banner is much better company in some circumstances. Especially when all we want is a nice brew.

Our accreditations & Partners

  • REC Member
  • VTC - Virtual Technology Cluster
  • Bloom Nepro
  • YPO
  • Crown Commerical Service
  • Disability Confident
  • ISO 9001
  • Armed Force Covenant
  • Cyber Essentials Plus
  • ISO 27001

Thanks

Success

Thanks

Success

Thank you for signing up to the acumin alerts.

Send CV

Send us your CV and have our recruiters match you to the ideal opportunities

Do you already have an account with us?

Log in

Want to have an account with us?

Register

Want to just send us your CV?

Upload only doc, docx, odt, pdf format file.

By submitting your registration and CV to us you are agreeing to join our database and to be contacted about relevant jobs industry communications. Please read our terms of business for more information.

Password reset

If you need a reminder for your password, fill out the field below

Log in

Access your account to edit your contact details, job alerts or to upload a new CV

Thank you

Success

Thank you for successfully uploading your CV.

Acumin Alerts

Success

Thanks for registering for Acumin alerts.

Acumin Alerts

Unfortunately your CV could not be uploaded

Please make sure your CV is one of the following file types: doc, docx, odt, pdf, rtf

Acumin Spam

Unfortunately your submission has been declared spam. Please try again.

Vacancy

Success

Thank you for submitting your vacancy.

Register

Create an account to register your contact details, sign up for job alerts and upload your CV

Success

Thanks for registering for Acumin alerts. To get the most out of Acumin's service why not register with us?

Upload only doc, docx, odt, pdf format file.
- Practitioner
- Commercial

I agree to the terms and conditions and to be contacted by recruiters:

I agree to receive marketing communications relevant to my job search:

I agree to receive Jobs By Email for the following professions:
- Business Continuity Management
- Counter Fraud
- Cyber Security
- Executive Management
- Governance & Compliance
- Information Security & Risk Management
- Penetration Testing & Digital Forensics
- Sales and Marketing
- Sales Engineering
- Security Management
- Technical Security
- Information/Risk Assurance
- Identity Management
- Application Security
- Security Architecture
- Dev/Sec Ops
- DV & SC Cleared Jobs
- Programme & Project Management
- CISO/CSO

Submit a Vacancy

Use the form below to submit a vacancy