The one-liner:
dd if=/dev/zero bs=1G count=10 | gzip -c > 10GB.gz
This is brilliant.
At least in germany having one of these on your system is illegal
I use Zip Bombs to Protect my Server
Submitted 5 hours ago by some_guy@lemmy.sdf.org to technology@lemmy.world
https://idiallo.com/blog/zipbomb-protection
Comments
deaddigger@lemm.ee 59 minutes ago
Bishma@discuss.tchncs.de 2 hours ago
When I was serving high volume sites (that were targeted by scrapers) I had a collection of files in CDN that contained nothing but the word “no” over and over. Scrapers who barely hit our detection thresholds saw all their requests go to the 50M version. Super aggressive scrapers got the 10G version. And the scripts that just wouldn’t stop got the 50G version.
It didn’t move the needle on budget, but hopefully it cost them.
sugar_in_your_tea@sh.itjust.works 58 minutes ago
How do you tell scrapers from regular traffic?
Bishma@discuss.tchncs.de 51 minutes ago
Most often because they don’t download any of the css of external js files from the pages they scrape. But there are a lot of other patterns you can detect once you have their traffic logs loaded in a time series database. I used an ELK stack back in the day.
cy_narrator@discuss.tchncs.de 2 hours ago
First off, be very careful with
bs=1Gas it may overload the RAM. You will want to setcountaccordinglysugar_in_your_tea@sh.itjust.works 57 minutes ago
Yup, use something sensible like 10M or so.
lemmylommy@lemmy.world 4 hours ago
Before I tell you how to create a zip bomb, I do have to warn you that you can potentially crash and destroy your own device.
LOL. Destroy your device, kill the cat, what else?
archonet@lemy.lol 4 hours ago
destroy your device by… having to reboot it. the horror! The pain! The financial loss of downtime!
Albbi@lemmy.ca 2 hours ago
It’ll email your grandmother all if your porn!
tal@lemmy.today 3 hours ago
Anyone who writes a spider that’s going to inspect all the content out there is already going to have to have dealt with this, along with about a bazillion other kinds of oddball or bad data.
catloaf@lemm.ee 1 hour ago
Competent ones, yes. Most developers aren’t competent, scraper writers even less so.
mbirth@lemmy.ml 4 hours ago
And if you want some customisation, e.g. some repeating string over and over, you can use something like this:
yes "b0M" | tr -d '\n' | head -c 10G | gzip -c > 10GB.gzyesrepeats the given string (followed by a line feed) indefinitely - originally meant to type “yes” + ENTER into prompts.trthen removes the line breaks again andheadmakes sure to only take 10GB and not have it run indefinitely.If you want to be really fancy, you can even add some HTML header and footer to some files like
headerandfooterand then run it like this:yes "b0M" | tr -d '\n' | head -c 10G | cat header - footer | gzip -c > 10GB.gzcomador@lemmy.world 4 hours ago
Funny part is I was using derivatives of this decades ago to test RAID-5/6 sequencial reads and write speeds.
UnbrokenTaco@lemm.ee 4 hours ago
Interesting. I wonder how long it takes until most bots adapt to this type of “reverse DoS”.
sugar_in_your_tea@sh.itjust.works 38 minutes ago
Then we’ll just be more clever as well. It’s an arms race after all.
Kolanaki@pawb.social 2 hours ago
How I read that code:
“If the dev’s bullshit is equal to 1 gram…”
aesthelete@lemmy.world 49 minutes ago
This reminds me of shitty FTP sites with ratio when I was on dial-up. I used to push them files full of null characters with good filenames. The modem would compress the upload as it transmitted it which allowed me to upload the junk files at several times the rate of a normal file.