Comment by masklinn

8 years ago

> EDIT: In fact a 100 GiB version of such a payload compresses down do ~160 KiB on the wire. (No, I won't be sharing it as I'm pretty sure that such reverse-hacking is legally not much different than serving up malware, especially since black-hat crawlers are more likely than not running on compromised devices.)

http://www.aerasec.de/security/advisories/decompression-bomb... has a triple-gziped 100GB file down to 6k, the double-gzipped version is 230k.

I'm trying on 1TB, but it turns out to take some time.

7 comments

masklinn

Reply
mirimir  8 years ago

> ... I'm pretty sure that such reverse-hacking is legally not much different than serving up malware, especially since black-hat crawlers are more likely than not running on compromised devices.

Sure. But gzip bombs don't do substantial (if any) permanent damage. At most, they'd crash the system. And indeed, that might attract the attention of owners, who might then discover that their devices had been compromised.

colanderman  8 years ago

You only get two gzips, not three :) (transfer and content codings)

Unless you're serving up XML which is itself zipped, such as an Open Office document. But most clients won't be looking for that.

Filligree  8 years ago

One useful trick is that, for gzip, d(z(x+y)) = d(z(x) + z(y)).

So you don't need to compress the entire terabyte.

  • masklinn  8 years ago

    I'd expect that to provide a lower compression, though it may not matter given the additional followup gzips.

    The compression finally finished after 3h (on an old MBP), "dd if=/dev/zero bs=1m count=1m | gzip | gzip | gzip" yields a bit under 10k (10082 bytes), and adding a 4th gzip yields a bit under 4k (4004 bytes). The 5th gzip starts increasing the size of the archive.

    • Filligree  8 years ago

      It does, though I once used that trick to create a file containing more "Hello, World" lines than there are atoms in the universe. By, hmm, quite a large factor. It probably isn't a serious concern.

      It still fit on a floppy disk. :)

  • colanderman  8 years ago

    That's true for the content stream but not gzip files themselves, which do have a minimal header.

    • Filligree  8 years ago

      Which gunzip will overlook / handle correctly, so concatenating the compressed files does work.