1. 34

  2. 6

    You can do this with nginx using the built-in gzip_static module.

    If you want to protect /blah.txt, create the empty file blah.txt and store your zip bomb as blah.txt.gz. Make sure to add "text/plain" to gzip_types, so that nginx knows to serve the compressed version.

    1. 1

      It’s not built by default. There is really no need for it in this situation, though — you can just basically send the gz files by themselves for certain locations, maybe modifying some headers slightly to explicitly indicate the encoding.

    2. 7

      Not really a fan of this idea. This article isn’t so much about “defending” your website as it is about attacking anyone who scans it. Vulnerability scanners are often run from servers that are themselves compromised, so retaliatory attacks like this can further victimize people who have already been owned :(

      Still pretty neat on a technical level though.

      1. 11

        Many people are not even aware that they’ve been compromised… At least that helps in a way!

        1. 2

          Just because you’re being attacked from a compromised server doesn’t mean that you’re not being attacked.

        2. 3

          Opened this in Firefox; memory usage shot up to 5GB used, then it slowly went down before the OS asked me if I wanted to kill Firefox.

          1. 4

            …so just another day using a web browser? :-)

            1. 2

              It’s kind of amazing that the browser vendors haven’t considered it an attack vector. Why would anyone legitimately need to view a 4GB non-video file in a browser window?! That’s not really how WWW works.

              1. 1

                I am pretty sure WWW wasn’t designed for 10+ MB pages either.

                However, I’ve opened rather big “pages” already, especially when they are some form of very long lists.

                Also, with the rise of web apps and games that might preload data, where would one draw the line? You don’t really know how certain data that, for example, gets downloaded via JavaScript will actually be used. A similar attack will still work this way, at the cost of potentially preventing someone actually trying to view something very big on a very big machine.

            2. 2

              https://github.com/cjdelisle/big_download same thing except the gzip data is generated on the fly with ~no CPU usage. nodejs/express app.

              1. 2

                I’ve been running SSH on multiple servers with non-standard ports for years. Yet, I rarely, if ever, get failed login attempts. Is this really a thing?

                1. 1

                  Worked for me for a long time, but they’ve found me now :’(

                2. 1

                  This is not defense, this is very poor offense.

                  1. 1

                    Just tested brotli: 100MB becomes 1341 bytes :D Now let’s hope the skiddies can deal with compression: br
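The thread above notes that browsers, and any other client that honours Content-Encoding, do not treat decompression as an attack vector. The example below is added here, written in Python for this page rather than taken from the thread or the linked project, and shows the check such a client needs: drive the inflate as a stream with a hard ceiling on produced output, so a constructed 8 MB sample of zeros (the same trick behind the ratios quoted above) is rejected at a 1 MB ceiling before it is ever materialised.

```python
import gzip
import io
import zlib
from typing import Optional

CHUNK = 64 * 1024  # compressed bytes fed per step; also the per-step output cap


def make_constructed_bomb(uncompressed_size: int) -> bytes:
    """Gzip `uncompressed_size` zero bytes: a constructed, highly compressible sample."""
    buf = io.BytesIO()
    block = b"\0" * (1 << 20)
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        remaining = uncompressed_size
        while remaining > 0:
            n = min(remaining, len(block))
            gz.write(block[:n])
            remaining -= n
    return buf.getvalue()


def decompress_bounded(data: bytes, max_output: int) -> bytes:
    """Inflate a gzip or zlib stream, raising ValueError once output exceeds max_output.

    zlib's streaming API is driven with a max_length per call, so memory stays
    near max_output + CHUNK no matter how large the real payload is.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # +32: auto-detect gzip/zlib header
    out = bytearray()
    pos = 0
    while not d.eof:
        if d.unconsumed_tail:
            src = d.unconsumed_tail          # input zlib had to hold back last round
        else:
            src = data[pos:pos + CHUNK]      # next slice; b"" once input is exhausted
            pos += CHUNK
        produced = d.decompress(src, CHUNK)  # never more than CHUNK bytes per call
        if not produced and not src and not d.eof:
            raise ValueError("truncated stream: input ended before end-of-stream marker")
        out += produced
        if len(out) > max_output:
            raise ValueError(f"decompression bomb: output exceeds {max_output} bytes")
    return bytes(out)


def safe_inflate(data: bytes, max_output: int) -> Optional[bytes]:
    """Convenience wrapper: the inflated bytes, or None if the stream is unsafe or corrupt."""
    try:
        return decompress_bounded(data, max_output)
    except (ValueError, zlib.error):
        return None
```

The ceiling should be chosen per content type (a few MB for text or JSON is generous), and the same bound belongs on the Content-Length of the compressed request body when the roles are reversed and a server is the one inflating.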