
Defending against malicious bots with a zip bomb

by Reddit » Hacking

Thu, May 26, 2022

Malicious bots can cause a lot of damage to your websites, whether by stealing your content or by scanning for vulnerabilities.

Here is how to defend against them.

This post is an excerpt from my book Black Hat Rust

A zip bomb is a specially crafted archive that abuses compression algorithms to create a .zip or .gzip file that is small (a few kilobytes/megabytes) but, once uncompressed, weighs many gigabytes, which will lead scrapers and crawlers to exhaust all their resources until they crash.

Here is how to create such a file:

$ dd if=/dev/zero bs=1M count=10000 | gzip > 10G.gzip
$ du -sh 10G.gzip
10M 10G.gzip

Then, when a bot is detected, serve this file instead of a legitimate HTML page:

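function serve_page(req, res) {
  // Pseudocode: bot_is_detected() stands for your own bot detection logic
  if (bot_is_detected()) {
    res.set_header("Content-Encoding", "gzip");
    return res.send_file("10G.gzip");
  }
  // otherwise, serve the legitimate HTML page
}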

Why GZip? Because GZip is almost universally automatically handled by existing HTTP clients. Thus just by requesting the URL, the crawler is going to automagically crash.
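
The effect relies on the client inflating the whole response with no cap on the output size. As an added example (not from the original post or the book), the Python below builds a small constructed gzip of zeros to show the compression ratio, then decodes it with a limit on decompressed bytes; the function names and the 1 MiB cap are assumptions chosen for illustration.

```python
import zlib

CHUNK = 1024 * 1024          # 1 MiB
GZIP_WBITS = 16 + zlib.MAX_WBITS  # tells zlib to read/write the gzip container


def make_zero_gzip(size_mib):
    """Gzip `size_mib` MiB of zeros as a stream (constructed sample input)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    zeros = bytes(CHUNK)
    parts = [comp.compress(zeros) for _ in range(size_mib)]
    parts.append(comp.flush())
    return b"".join(parts)


class BodyTooLarge(Exception):
    """Raised when a decoded body would exceed the configured limit."""


def bounded_gunzip(body, limit):
    """Inflate a gzip body, never holding more than limit + 1 decoded bytes."""
    dec = zlib.decompressobj(GZIP_WBITS)
    out = bytearray()
    data = body
    while data and not dec.eof:
        # max_length caps this call's output; unread input is kept in
        # unconsumed_tail. It is always >= 1 here (0 would mean "no limit").
        out += dec.decompress(data, limit + 1 - len(out))
        if len(out) > limit:
            raise BodyTooLarge(f"decoded body exceeds {limit} bytes")
        data = dec.unconsumed_tail
    if not dec.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    payload = make_zero_gzip(32)  # 32 MiB of zeros, small enough for a demo
    print(f"compressed: {len(payload)} bytes, "
          f"ratio ~{32 * CHUNK // len(payload)}:1")
    try:
        bounded_gunzip(payload, limit=CHUNK)
    except BodyTooLarge as exc:
        print("rejected:", exc)
```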
