Harassing botnets with zipbombs
https://jwz.org/b/ykMS

The idea is this: instead of just blocking IP addresses that hit honeypot URLs, feed them a compressed document that massively expands on their end, making them run out of memory and crash. This is extremely hypothetical. Maybe they won't actually crash. We can dare to dream, though. But, for laughs, I decided to try this out on Ye Olde Webbe Syte. It was tricky to figure out how to get ...

@jwz i love this idea
@jwz If not gzip, then maybe brotli?
@claus As "Accept-Encoding: br" doesn't even work on google dot com, I can only assume that this is the WebP of compression algorithms.
@jwz Huh?
@jwz Also WebP is supported in all modern browsers (unless you care about IE)
https://caniuse.com/webp

@jwz I would assume that browsers have protections in place for zip bombs though, no matter which compression method is used.
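The protection @claus is assuming looks roughly like this in practice: inflate in bounded steps and stop when the output budget or expansion ratio is exceeded. This is an added example, not code from the thread; the sample gzip stream is constructed inline and the function names are mine.

```python
import gzip
import io
import zlib

# Constructed sample: 8 MiB of zero bytes. gzip shrinks this to a few KiB,
# the same lopsided ratio a decompression bomb relies on.
SAMPLE_PLAIN_SIZE = 8 * 1024 * 1024
SAMPLE_GZ = gzip.compress(b"\0" * SAMPLE_PLAIN_SIZE, compresslevel=9)
# Constructed sample of an ordinary, modestly compressible body.
SMALL_GZ = gzip.compress(b"hello world" * 10)


class DecompressionLimitExceeded(Exception):
    """Raised when inflating would exceed the caller's budget."""


def bounded_gunzip(data: bytes, max_output: int, max_ratio=None,
                   chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body, stopping as soon as the output exceeds
    max_output bytes or the expansion ratio exceeds max_ratio.

    decompressobj.decompress(data, max_length) caps each call's output
    and parks unread input in unconsumed_tail, so the body is inflated
    in bounded steps instead of in one unbounded allocation.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = io.BytesIO()
    produced = 0
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)  # at most `chunk` bytes come back
        pending = d.unconsumed_tail
        produced += len(piece)
        consumed = len(data) - len(pending)
        if produced > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeded {max_output} bytes after {consumed} input bytes")
        if max_ratio is not None and consumed and produced / consumed > max_ratio:
            raise DecompressionLimitExceeded(
                f"expansion ratio {produced / consumed:.0f}:1 exceeds {max_ratio}:1")
        if not piece and not pending:
            raise ValueError("truncated gzip stream")  # input ended before the trailer
        out.write(piece)
    return out.getvalue()


def inflate_verdict(data: bytes, max_output: int, max_ratio=None) -> str:
    """Return 'ok' when the body inflates within budget, 'bomb' when it does not."""
    try:
        bounded_gunzip(data, max_output, max_ratio)
    except DecompressionLimitExceeded:
        return "bomb"
    return "ok"
```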
@claus @jwz That might not be a reasonable assumption.
@drwho @jwz You might be right. I don't know 🤷
@claus It is still hot garbage. https://jwz.org/b/ykEL

@claus @jwz well, you did say "modern" browsers, so that lets IE out, right there.
@sspopovich I'll try to choose my words more carefully next time 😉 😆
@claus
# wget -qO/tmp/a --header 'Accept-Encoding: br' https colon //www.google dot com/ ; file /tmp/a
/tmp/a: HTML document text, ASCII text, with very long lines (11449)
@jwz Not sure what you're trying to tell me. Are you worried about the "very long lines"? Google dot com serves minified content, which results in very long lines.
@claus It is serving plain text, not br. If you change br to gzip, 'file' says "gzip compressed data".
@jwz Oh gotcha. I don't know what Google does there, but i tried some other random site and it returned brotli compressed data (file simply says "data")

@jwz

I hope you can get this working. I've hidden my login page and would love to give this a try 🙂

@jwz apparently you can do better with brotli (which a lot of http clients support now) https://github.com/bones-codes/bombs/blob/master/http/30GB/30GB.html.br.bz2
@jwz I just use mod_rewrite to serve a 346-byte recursive gzip file at roughly 9 bytes/second to bots that try downloading things like backup.tar.gz (the file extracts to a copy of itself).
@jernej__s I thought about putting mod_ratelimit into the mix but that takes up more thread slots on my server.
@jwz I do it the stupid way, with a perl CGI script I wrote 15 years ago (and crontab that runs every minute and kills the scripts if more than 30 are running at the same time). But I can afford this, since my server's probably way less popular.
@jernej__s That's interesting, care to share how it works?
PS: That slow loading page you have on your website is fun
@Sqaaakoi The files are here: https://eternallybored.org/misc/quine/
None of them are mine, I just collected them off various websites.

@jwz you get better expansion ratios using the brötli compression type (https://en.wikipedia.org/wiki/Brotli)

@jwz @codinghorror Black Ice in action. @GreatDismal would be proud.
@jwz I like how you think!
@jwz Memories of when I used to shoo away script kiddies on IRC by DCC sending them "zero-day w@r3z" which turned out to just be `/dev/zero`.
@jwz [chef-kiss.gif] I like it!
@jwz I "used" to have a redirect that fed them some sql injection code. Apparently I crashed some Chinese govt hackers and they came after my site with a vengeance. It was pretty funny.

@jwz

Your site serves me "4Ø3 -- NO ROBOTS".

@BobLefridge Then you win the "being crap" prize today
@jwz (years ago) A developer asked me to test the robustness of an image server. I gave it a ~10kB TIF file that expanded to gigabytes and crashed their instance.
@jwz gmail won't let me send zipbombs 😔
@jwz I am in utter awe of this concept.
@jwz zipbombs are real? I thought it was just a made up thing for one of the audio games that I play
@evilcookies98 yes. Very real.
@cabbey I'm not going to say that's cool because those things sound very dangerous, but it is definitely interesting to know they exist

@jwz

Paging the team at Kasada

@chebra As I said elsewhere in the thread, I have observed that many botnets are so crap that they don't know how to process 301 redirects. Also I strongly suspect that a null-bomb would be less effective since they're likely to just interpret the first byte as EOF.
@jwz there is no 301 in the comment I linked. Other people are reporting having observed a decrease in bot activity after deploying that, as the bots get stuck on it, while you are reporting errors in logs. It really does seem like the other solution is more proven, less hypothetical. Suspicions can be tested.
@jwz A solution that I have used many times. I also used variants that redirect a request to another URL with large files, linux kit, download windows, etc.!

@jwz I remember these from the BBS days. They were a nightmare for Sysops as all uploaded files would be decompressed to run them through one or more anti-virus products (F-Prot, Thunderbyte etc).

They'd unpack, run out of space and crash the board. Took some extra scripting to be able to recover and clean-up.

Sounds like a scaled up version of FAQing, which we used to do back in the good old rec.motorcycle days.

(I'm more a fan of tarpitting myself)

@jwz I know that zip is not an option, but isn't deflate the algorithm for zip? That is an option https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding#syntax
@jwz The mind behind this reminds me very much of my old college IT professor, a brilliant man who loved to deconstruct things just to see if & how they could be broken.
The only thing he loved more than tech and teaching, was chain smoking & food. That ultimately was his downfall about 10-12 years after I last took his courses.