Defending a website with Zip bombs

631 点作者 ridgewell将近 8 年前

37 条评论

I would think Transfer-Encoding would be a better choice than Content-Encoding. It's processed at a lower level of the stack and must be decoded – Content-Encoding is generally only decoded if the client is specifically interested in whatever's inside the payload. (Note that you don't have to specify the large Content-Length in this case as it is implied by the transfer coding.)Also worth trying is an XML bomb [1], though that's higher up the stack.Of course you can combine all three in one payload (since it's more likely that lower levels of the stack implement streaming processing): gzip an XML bomb followed by a gigabyte of space characters, then gzip that followed by a gigabyte of NULs, then serve it up as application/xml with both Content-Encoding and Transfer-Encoding: gzip.(Actually now that I think of it, even though a terabyte of NULs compresses to 1 GiB [2], I bet that file is itself highly compressible, or could be made to be if it's handcrafted. You could probably serve that up easily with a few MiB file using the above technique.)EDIT: In fact a 100 GiB version of such a payload compresses down do ~160 KiB on the wire. (No, I won't be sharing it as I'm pretty sure that such reverse-hacking is legally not much different than serving up malware, especially since black-hat crawlers are more likely than not running on compromised devices.)[1] <a href="https://en.wikipedia.org/wiki/Billion_laughs" rel="nofollow">https://en.wikipedia.org/wiki/Billion_laughs</a>[2] <a href="https://superuser.com/questions/139253/what-is-the-maximum-compression-ratio-of-gzip/579290" rel="nofollow">https://superuser.com/questions/139253/what-is-the-maximum-c...</a>

评论 #14709027 未加载

评论 #14708095 未加载

评论 #14709212 未加载

评论 #14710861 未加载

geek_at将近 8 年前

How come when I posted this (my blog post) here I only got 2 points? <a href="https://news.ycombinator.com/item?id=14704462" rel="nofollow">https://news.ycombinator.com/item?id=14704462</a> :D

评论 #14708632 未加载

评论 #14708406 未加载

评论 #14709028 未加载

评论 #14709253 未加载

评论 #14708430 未加载

评论 #14709148 未加载

评论 #14709776 未加载

评论 #14708375 未加载

Scryptonite将近 8 年前

Reminds me of a time I once wrote a script in Node to send an endless stream of bytes at a slow & steady pace to bots that were scanning for vulnerable endpoints. It would cause them to hang, preventing them from continuing on to their next scanning job, some remaining connected for as long as weeks.I presume the ones that gave out sooner were manually stopped by whoever maintains them or they hit some sort of memory limit. Good times.

评论 #14708535 未加载

评论 #14709114 未加载

ruytlm将近 8 年前

Interesting and related re attacks on a Tor hidden service: <a href="http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.html" rel="nofollow">http://www.hackerfactor.com/blog/index.php?/archives/762-Att...</a>And the follow up: <a href="http://www.hackerfactor.com/blog/index.php?/archives/763-The-Continuing-Tor-Attack.html" rel="nofollow">http://www.hackerfactor.com/blog/index.php?/archives/763-The...</a>

评论 #14711271 未加载

评论 #14708477 未加载

compguy将近 8 年前

Wait a minute... He is doing the exact same thing as the former RaaS (ransomware as a service) operator Jeiphoos (he operated Encryptor RaaS). It's know that Jeiphoos is from Austria. Exactly one year after the shutdown of the service, someone from Austria is publishing the exactly same thing an Austrian ransomware operator were doing a year ago.

评论 #14708865 未加载

avaer将近 8 年前

Does anyone know if this kind of white hat stuff has been tested by law?Because it seems in the realm of possibility that if a large botnet hits you and your responses crash a bunch of computers you could do serious time for trying it. I'm hoping there's precedent against this...

评论 #14708044 未加载

评论 #14708428 未加载

评论 #14708029 未加载

评论 #14708040 未加载

matt_wulfeck将近 8 年前

This is why web crawlers are built with upper boundaries on everything!Nobody malicious brings down crawlers. It's just unexpected things you find out on the internet.

评论 #14709206 未加载

eyuelt将近 8 年前

The article says that 42.zip compresses 4.5 petabytes down to 42 bytes. It should say 42 kilobytes.I don't see a way to comment on the article itself, but hopefully the author reads this.

评论 #14708329 未加载

评论 #14708351 未加载

TekMol将近 8 年前

I don't think this "Defends" your website. If anything, it draws attention to it.Might also be used for some kind of reflection attack. Want to kill some service that let's users provide a url (for an avatar image or something) - point it to your zip bomber.

评论 #14709251 未加载

jacquesm将近 8 年前

A friend of mine has a very useful little service that tracks attempts to breach servers from all over the world:<a href="https://www.blockedservers.com/" rel="nofollow">https://www.blockedservers.com/</a>It's a lot more effective to kill the connection rather than to start sending data if you're faced with a large number of attempts.

评论 #14709850 未加载

cypherpunks01将近 8 年前

This is like the soft equivalent of leaving a USBKill device in your backpack, to punish anyone who successfully steals it and tries to comb through your data.

评论 #14708956 未加载

bberenberg将近 8 年前

I think the natural next step is to make this into a Wordpress plugin.

hirsin将近 8 年前

This would be an entertaining way of dealing with MITM agents as well, over HTTP. As long as the client knows not to open the request, you could trade them back and forth with the MITM spy wasting tons of overhead.

评论 #14709129 未加载

petre将近 8 年前

Another method is wasting attackers' time by sending out a character per second or so. It works so well for spam, that OpenBSD includes such a spamd honeypot.

评论 #14708445 未加载

评论 #14708367 未加载

banku_brougham将近 8 年前

We need some legal advice in this thread.What if the compressed file is plausibly valid content? How could intent be malicious if a request is served with actual content?

评论 #14708195 未加载

ajarmst将近 8 年前

Reminds me a bit of Upside-Down-Ternet: <a href="http://www.ex-parrot.com/pete/upside-down-ternet.html" rel="nofollow">http://www.ex-parrot.com/pete/upside-down-ternet.html</a>

em3rgent0rdr将近 8 年前

Defending by throwing things back at the attacker, instead of simply locking your door.

评论 #14708084 未加载

评论 #14708081 未加载

评论 #14708949 未加载

Theizestooke将近 8 年前

A great way... to provoke a war with people running botnets.

评论 #14709013 未加载

ianai将近 8 年前

This could also be seen as a bug on the browser side. I'd also be interested in the browser results for the petabyte version.I wonder if there's room to do this with other protocols? Ultimately we want to crash whatever tool the scriptkiddy uses.

评论 #14710017 未加载

ioquatix将近 8 年前

About a month ago one of my websites was being scraped. They were grabbing JSON data from a mapping system.I replaced it with a GZIP bomb. It was very satisfying to watch the requests start slowing down, and eventually stop.

DamonHD将近 8 年前

Interesting!That also crossed with another thought about pre-compressing (real!) content so that Apache can serve it gzipped entirely statically with sendfile() rather than using mod_deflate on the fly, so unless I've misunderstood I think that bot defences can be served entirely statically to minimise CPU demand. I don't mind a non-checked-in gzip -v9 file of a few MB sitting there waiting...<a href="http://www.earth.org.uk/note-on-site-technicals.html" rel="nofollow">http://www.earth.org.uk/note-on-site-technicals.html</a>

merricksb将近 8 年前

Similar topic a couple of months ago:<a href="https://news.ycombinator.com/item?id=14280084" rel="nofollow">https://news.ycombinator.com/item?id=14280084</a>

dveeden2将近 8 年前

Directly serving /dev/zero or /dev/urandom also gives interesting results. (Be aware of bandwidth costs)

评论 #14711400 未加载

Pitarou将近 8 年前

Wow, you killed Tails!I tried visiting the payload site with Tails OS (a Linux distro for privacy minded) and the whole OS is frozen.

jscheel将近 8 年前

Both ZIP and GZIP file formats store the uncompressed filesize in their headers. You could stream and check for these headers to determine if the a zip bomb is being delivered. Obviously something script-kiddies aren't going to do, but the scripts they use can be improved and redistributed fairly easily.

评论 #14711170 未加载

iopuy将近 8 年前

Was there a reduction in ip's that Fail2ban would have picked up but instead were treated with the zip bomb?

brian-armstrong将近 8 年前

Do browsers protect against media served with Content- or Transfer-Encoding like this? If you use something that lets you embed images, what's to stop you from crashing the browser of anyone who happens to visit the page your "image" is on?

评论 #14708838 未加载

评论 #14709662 未加载

wooptoo将近 8 年前

A similar `slow bomb` could be created for attempted ssh connections to a host using a sshrc script. For example clients which do not present a key, just keep them connected and feed them garbage from time to time. Or rickroll them.

oceanbreeze83将近 8 年前

doesn't this incur large bandwidth data charges for the defender?

评论 #14708122 未加载

ilurkedhere将近 8 年前

Wouldn't all but the most naive scanners use time-out settings, maximum lengths on bytes read etc?

评论 #14713346 未加载

评论 #14711489 未加载

glenscott1将近 8 年前

What are good strategies for protecting your website against ZIP bomb file uploads?

justusthane将近 8 年前

Ironically, it looks like the site has been DOSd by HN.

a1exus将近 8 年前

you better have unlimited bandwidth to try 10G))

评论 #14711597 未加载

late2part将近 8 年前

brilliant

vacri将近 8 年前

Interesting, on FF54 the test link pegs a CPU but the memory doesn't rise. Eventually it stops and CPU returns to normal. But then I did a 'view source', and the memory use rose until the browser got oomkilled (20GB free ram + swap)

评论 #14709633 未加载

aluhut将近 8 年前

* Firefox: Memory rises up to 6-7gig, then just loads endlessly. Tab closable.

futang44将近 8 年前

Just tried it using piedpiper's middle-out algorithm and seeing astonishing results. It's so simple! D2F.1 = D2F.2, D2F.3 = D2F.4