Mitigating HULK Attacks with DoS Protection
HULK Attack Summary
Example Scenario - A PAN-OS administrator believes that one of their webservers is under a DoS attack. Further analysis shows that the attack is being carried out with HULK, which generates a large volume of varied, uniquely crafted HTTP requests.
What is HULK? - HULK, or "Http Unbearable Load King", is a Python script written by Barry Shteiman. It repeatedly generates large numbers of uniquely crafted HTTP requests in order to load a webserver and exhaust its resources. For more details, see the creator's site: http://www.sectorix.com/2012/05/17/hulk-web-server-dos-tool/.
DoS Protection Policy to defend against HULK attacks
The information below provides an example wherein an administrator can leverage a DoS Protection Policy to defend against HULK attacks.
Caveat - HULK completes the TCP handshake and sends well-formed HTTP requests rather than a flood of half-open connections, so a SYN Cookie based mitigation on its own may not be fully effective. More granular protections are generally more effective.
Prerequisite - The administrator must have a baseline for how many TCP SYN requests per second the destination host(s) to be protected normally receive. These figures are crucial when creating an effective DoS Protection Profile: they determine appropriate values for the Alarm Rate, Activate Rate, and Max Rate thresholds, and thresholds set below the normal baseline will drop legitimate traffic.
DoS Protection Policy vs Zone Protection Profile
A typical HULK attack, from a single source or distributed across many, opens a large number of TCP connections to the target host, which the firewall sees as a high rate of SYN packets. Each connection carries HTTP requests that are syntactically valid but uniquely crafted (randomized URL parameters, User-Agent and Referer headers, and no-cache directives), so that caches and simple signatures do not stop them.
For this reason, an administrator should use the more granular protections of a DoS Protection Policy rather than a broader Zone Protection Profile; the latter is effective against zone-wide floods but may not provide sufficient coverage for an attack of this nature. Page 19 of our Tech Note "Understanding DoS Protection" provides detailed steps for creating the ideal DoS Protection Policy to mitigate a HULK attack.
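The request characteristics described above are what an analyst looks for when confirming that a flood is HULK rather than ordinary load. The following script is an added example, not part of the original article and not code from the HULK tool: it parses constructed access log lines in the Apache/nginx combined format and flags a source as HULK-like when it sends many requests with a high variety of User-Agent strings and a cache-busting query string on nearly every request. The sample log lines and the three thresholds (MIN_REQUESTS, MIN_UA_VARIETY, MIN_QUERY_FRACTION) are assumptions chosen for illustration.

```python
"""Flag HULK-style request floods in web server access logs.

Added example (not part of the original article or the HULK tool). The log
lines below are constructed to mimic HULK output: every request carries a
random query parameter to defeat caching, and the User-Agent and Referer
are drawn from a pool so that they vary per request. The thresholds are
illustrative assumptions, not published detection values.
"""
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

MIN_REQUESTS = 5          # assumed: fewer requests than this is not worth scoring
MIN_UA_VARIETY = 0.6      # assumed: distinct User-Agents / requests at or above this is suspicious
MIN_QUERY_FRACTION = 0.8  # assumed: share of requests carrying a query string

# Constructed sample: one HULK-like source, one browser, one API poller.
SAMPLE_LOG = """\
203.0.113.10 - - [17/May/2012:10:00:01 +0000] "GET /?KQnR=zpLw HTTP/1.1" 200 5120 "http://www.google.com/?q=qzXn" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 Chrome/18.0.1025.162"
203.0.113.10 - - [17/May/2012:10:00:01 +0000] "GET /?vbYt=JmQa HTTP/1.1" 200 5120 "http://engadget.search.aol.com/search?q=LkpS" "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"
203.0.113.10 - - [17/May/2012:10:00:01 +0000] "GET /?hTqe=RwXc HTTP/1.1" 200 5120 "http://www.usatoday.com/search/results?q=PdNm" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.64"
203.0.113.10 - - [17/May/2012:10:00:02 +0000] "GET /?MzpA=uYrK HTTP/1.1" 200 5120 "http://www.bing.com/search?q=aQwe" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
203.0.113.10 - - [17/May/2012:10:00:02 +0000] "GET /?cLwB=nHsd HTTP/1.1" 200 5120 "http://www.google.com/?q=YtRb" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 Safari/536.11"
203.0.113.10 - - [17/May/2012:10:00:02 +0000] "GET /?xGfe=QpLo HTTP/1.1" 200 5120 "http://www.usatoday.com/search/results?q=ZkVc" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 Chrome/18.0.1025.162"
198.51.100.7 - - [17/May/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0.1025.168"
198.51.100.7 - - [17/May/2012:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0.1025.168"
198.51.100.7 - - [17/May/2012:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 4096 "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0.1025.168"
192.0.2.55 - - [17/May/2012:10:00:01 +0000] "GET /api/status?id=1 HTTP/1.1" 200 128 "-" "python-requests/2.27.1"
192.0.2.55 - - [17/May/2012:10:00:01 +0000] "GET /api/status?id=2 HTTP/1.1" 200 128 "-" "python-requests/2.27.1"
192.0.2.55 - - [17/May/2012:10:00:02 +0000] "GET /api/status?id=3 HTTP/1.1" 200 128 "-" "python-requests/2.27.1"
192.0.2.55 - - [17/May/2012:10:00:02 +0000] "GET /api/status?id=4 HTTP/1.1" 200 128 "-" "python-requests/2.27.1"
192.0.2.55 - - [17/May/2012:10:00:03 +0000] "GET /api/status?id=5 HTTP/1.1" 200 128 "-" "python-requests/2.27.1"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip())
    return m.groupdict() if m else None


def analyze(lines):
    """Score every source IP; a source is HULK-like only when all three signals agree."""
    per_src = defaultdict(lambda: {"requests": 0, "uas": set(), "referers": set(), "with_query": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["requests"] += 1
        s["uas"].add(rec["ua"])
        s["referers"].add(rec["referer"])
        if "?" in rec["target"]:
            s["with_query"] += 1

    verdicts = {}
    for src, s in per_src.items():
        n = s["requests"]
        ua_variety = len(s["uas"]) / n
        query_fraction = s["with_query"] / n
        hulk_like = (n >= MIN_REQUESTS
                     and ua_variety >= MIN_UA_VARIETY
                     and query_fraction >= MIN_QUERY_FRACTION)
        verdicts[src] = {
            "requests": n,
            "ua_variety": round(ua_variety, 2),
            "referer_variety": round(len(s["referers"]) / n, 2),
            "query_fraction": round(query_fraction, 2),
            "hulk_like": hulk_like,
        }
    return verdicts


if __name__ == "__main__":
    for src, v in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, v)
```

The API poller (192.0.2.55) shows why a query string alone is not enough: it sends a query on every request but with a single User-Agent, so it is not flagged, whereas the HULK-like source combines high request count, rotating User-Agents and Referers, and a query parameter on every hit. In a distributed HULK run each source still exhibits the same per-source pattern, so the check applies per IP.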
Example DoS Protection Policy
1. Create a New DoS Protection Profile - Objects > Security Profiles > DoS Protection
2. Modify the newly created DoS Protection Profile and apply the appropriate parameters.
The rate and duration values below are arbitrary and shown only as an example. As noted above, an administrator should exercise proper due diligence to determine values appropriate to their own environment.
- Name - <TBD by admin>; this example uses HULK-SYN-RED, the name referenced by the DoS Protection Policy rule in step 3
- Type = Classified
- Flood Protection
- Enable "SYN Flood"
- Action "Random Early Drop" aka "RED"
- Alarm Rate - SYN rate (per second) at which a DoS alarm is raised
- Activate Rate - SYN rate at which the DoS response (Random Early Drop) begins
- Max Rate - maximum SYN rate allowed; once exceeded, new packets are dropped
- Block Duration - length of time, in seconds, for which offending packets continue to be denied after the Max Rate has been exceeded
3. Create a corresponding DoS Protection Policy rule - Policies > DoS Protection.
- Monitor traffic from external source zone Untrust to internal destination zone DMZ
- Specify a destination webserver of DMZ host 192.168.12.2 (the host we want to protect)
- Service = HTTP (TCP/80)
- Action = Protect
- Type = Classified
- Profile = HULK-SYN-RED
- Address = destination-ip-only
The DoS Policy rule above applies the listed criteria to mitigate HULK attacks. Note again that the rule uses a "Classified" DoS Protection Profile.
This distinction matters: a Classified profile enforces session rate limits per class of end host (here, per destination IP) rather than in aggregate, which gives the more granular detection and protection this use case calls for.
With Address = destination-ip-only, the destination server's incoming traffic is counted individually, so it cannot be pushed above the configured rate limits regardless of how many source IPs the attack comes from.
*(See page 19, section 3 "Classified Profiles", item 2 from Resource Understanding DoS Protection)
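The prerequisite above asks for a SYN-per-second baseline toward the protected host, and the profile in step 2 turns that baseline into Alarm, Activate and Max Rate thresholds. The script below is an added example, not part of the original article and not PAN-OS code: it counts new TCP sessions per second toward 192.168.12.2:80 from constructed session records standing in for a firewall traffic log, derives candidate thresholds from the observed peak, and models what each threshold does to an observed SYN rate. The multipliers (1.5x, 2x, 4x peak) and the linear drop ramp between Activate Rate and Max Rate are illustrative assumptions, not the firewall's actual algorithm, so the numbers it prints are a starting point for tuning, not a recommendation.

```python
"""Baseline per-destination SYN rates and model the DoS profile thresholds.

Added example, not part of the original article and not PAN-OS code. The
session records are constructed to stand in for a firewall traffic log:
one record per new TCP session (one SYN that opened a session), with the
destination IP and port. The threshold multipliers and the linear RED drop
curve are illustrative assumptions, not the firewall's algorithm.
"""
import math
from collections import Counter

# Constructed: SYN counts per second toward the web server during a quiet period.
# Second 1005 is deliberately absent to show that gaps count as zero traffic.
OBSERVED = {1000: 8, 1001: 12, 1002: 9, 1003: 15, 1004: 11,
            1006: 20, 1007: 9, 1008: 13, 1009: 10}
SESSIONS = [(sec + i / 100, "192.168.12.2", 80)
            for sec, n in OBSERVED.items() for i in range(n)]
# Noise for other hosts and ports, which must not count toward the baseline.
SESSIONS += [(1003.5, "192.168.12.3", 443), (1004.2, "192.168.12.2", 22)]


def per_second_rates(sessions, dst_ip, dport=80):
    """SYN count per one-second bucket for dst_ip:dport, with gaps filled with 0."""
    buckets = Counter()
    for ts, dst, port in sessions:
        if dst == dst_ip and port == dport:
            buckets[int(ts)] += 1
    if not buckets:
        return []
    lo, hi = min(buckets), max(buckets)
    return [buckets.get(sec, 0) for sec in range(lo, hi + 1)]


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def suggest_thresholds(rates, alarm_x=1.5, activate_x=2.0, max_x=4.0):
    """Derive candidate profile thresholds from the observed peak (assumed multipliers)."""
    peak = max(rates)
    return {
        "baseline_p95": percentile(rates, 95),
        "baseline_peak": peak,
        "alarm_rate": math.ceil(peak * alarm_x),
        "activate_rate": math.ceil(peak * activate_x),
        "max_rate": math.ceil(peak * max_x),
    }


def red_response(observed_rate, thresholds):
    """Simplified model of the profile's reaction to a SYN rate.

    Returns (state, drop_probability). The linear ramp between Activate Rate
    and Max Rate is an assumption for illustration; PAN-OS only documents that
    random drops start at the Activate Rate and reach 100% at the Max Rate.
    """
    alarm = thresholds["alarm_rate"]
    activate = thresholds["activate_rate"]
    maximum = thresholds["max_rate"]
    if observed_rate >= maximum:
        return "max", 1.0
    if observed_rate >= activate:
        return "red", round((observed_rate - activate) / (maximum - activate), 2)
    if observed_rate >= alarm:
        return "alarm", 0.0
    return "normal", 0.0


if __name__ == "__main__":
    rates = per_second_rates(SESSIONS, "192.168.12.2", 80)
    th = suggest_thresholds(rates)
    print("per-second SYNs:", rates)
    print("thresholds:", th)
    for rate in (25, 35, 60, 80):
        print(rate, "SYN/s ->", red_response(rate, th))
```

Run against a real export, replace SESSIONS with session-start records from the traffic log, baseline over a busy period rather than a quiet one, and check that the chosen Activate Rate sits comfortably above the peak so that legitimate bursts only trigger an alarm rather than Random Early Drop.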
HULK Protection Resources