Harassing botnets with zipbombs.

The idea is this: instead of just blocking IP addresses that hit honeypot URLs, feed them a compressed document that massively expands on their end, making them run out of memory and crash.

This is extremely...
https://jwz.org/b/ykMS

The idea is this: instead of just blocking IP addresses that hit honeypot URLs, feed them a compressed document that massively expands on their end, making them run out of memory and crash. This is extremely hypothetical. Maybe they won't actually crash. We can dare to dream, though. But, for laughs, I decided to try this out on Ye Olde Webbe Syte. It was tricky to figure out how to get ...

@jwz If not gzip, then maybe brotli?
@claus As "Accept-Encoding: br" doesn't even work on google dot com, I can only assume that this is the WebP of compression algorithms.
@jwz Huh?
@jwz Also WebP is supported in all modern browsers (unless you care about IE)
https://caniuse.com/webp
@jwz I would assume that browsers have protections in place for zip bombs though, no matter which compression method is used.
@claus @jwz That might not be a reasonable assumption.
@drwho @jwz You might be right. I don't know 🤷
@claus It is still hot garbage. https://jwz.org/b/ykEL
WebP is going great

Me on WebP twelve years ago: "Google drops another turd in the punchbowl." Everyone on WebP today: "Well this fucking sucks. What the fuck." Just days after Apple released iOS 16.6.1 to secure iPhones and iPads against a critical zero-day exploit involving ImageIO, Google has rushed out an emergency security update for Chrome users for a zero-day threat impacting the WebP image format. [...] ...

@claus @jwz well, you did say "modern" browsers, so that lets IE out, right there.
@sspopovich I'll try to choose my words more carefully next time 😉 😆
@claus
# wget -qO/tmp/a --header 'Accept-Encoding: br' https colon //www.google dot com/ ; file /tmp/a
/tmp/a: HTML document text, ASCII text, with very long lines (11449)
@jwz Not sure what you're trying to tell me. Are you worried about the "very long lines"? Google dot com serves minified content, which results in very long lines.
@claus It is serving plain text, not br. If you change br to gzip, 'file' says "gzip compressed data".
@jwz Oh gotcha. I don't know what Google does there, but I tried some other random site and it returned brotli compressed data (file simply says "data")