Defending against malicious bots with a zip bomb

Malicious bots can do a lot of damage to your websites, whether by scraping and stealing your content or by scanning them for vulnerabilities.

Here is how to defend against them.

This post is an excerpt from my course Black Hat Rust

A zip bomb (here, a gzip bomb) is a specially crafted file that abuses how compression algorithms encode repetition: a .zip or .gz file that is small (a few kilobytes or megabytes) but expands to many gigabytes once decompressed. DEFLATE, the algorithm behind both formats, encodes a long run of identical bytes as back-references of at most 258 bytes, each costing about two bits, so a file of zeros compresses at roughly 1032:1. A scraper or crawler that inflates such a response in memory exhausts its resources and crashes.

Here is how to create such a file (`.gz` is the conventional extension; the name below is kept as-is):

$ dd if=/dev/zero bs=1M count=10000 | gzip > 10G.gzip
$ du -sh 10G.gzip
10M     10G.gzip

Do not rely on `gzip -l` to check the uncompressed size: the gzip trailer stores that length modulo 2^32, so for a 10 GB file it reports a wrong value. `gzip -dc 10G.gzip | wc -c` gives the real figure (slowly).

Then, when a bot is detected, serve this file instead of a legitimate HTML page. The handler below is written for Express; `bot_is_detected` is whatever detection you already have (rate limits, honeypot links, fingerprinting):

const express = require("express");
const app = express();
app.get("*", (req, res) => {
    if (bot_is_detected(req)) {
        // Claim the body is gzip-compressed HTML: clients that honour
        // Content-Encoding inflate the 10 GB transparently, in memory.
        res.set("Content-Type", "text/html; charset=utf-8");
        res.set("Content-Encoding", "gzip");
        return res.sendFile("10G.gzip", { root: __dirname });
    }
    res.sendFile("index.html", { root: __dirname }); // real visitors get the real page
});

Why gzip rather than zip? Because HTTP clients handle `Content-Encoding: gzip` transparently: browsers, Python's requests and Go's net/http (among many others) inflate the body before handing it to the caller, so a crawler crashes just by requesting the URL, with no need to open an attachment. Two caveats. First, the trick only works against clients that inflate the whole body in memory: one that streams to disk, caps the response size, or ignores Content-Encoding (curl without `--compressed`) is unaffected. Second, the bomb goes to whoever the detection flags, so a false positive sends 10 GB to a real user's browser, and a reverse proxy or CDN in front of the server that decompresses or re-encodes responses will inflate it on your side instead of the bot's.


Tags: hacking, programming, tutorial
