Comment by cynicalsecurity

7 months ago

This topic comes up from time to time and I'm surprised no one has yet mentioned the usual fearmongering rhetoric of zip bombs being potentially illegal.

I'm not a lawyer, but I'm yet to see a real-life court case of a bot owner suing a company or an individual for responding to his malicious request with a zip bomb. The usual spiel goes like this: responding to his malicious request with a malicious response makes you a cybercriminal and allows him (the real cybercriminal) to sue you. Again, except for cheap talk I've never heard of a single court case like this. But I can easily imagine them trying to blackmail someone with such cheap threats.

I cannot imagine a big company like Microsoft or Apple using zip bombs, but I fail to see why zip bombs would be considered bad in any way. Anyone with experience of dealing with malicious bots knows the frustration and the amount of time and money they steal from businesses or individuals.

Anyone can sue anyone else for any reason.

This is what trips me up:

>On my server, I've added a middleware that checks if the current request is malicious or not.

There's a lot of trust placed in:

>if (ipIsBlackListed() || isMalicious()) {

Can someone assigned a previously blacklisted IP or someone who uses a tool to archive the website that mimics a bot be served malware? Is the middleware good enough or "good enough so far"?

Close enough to 100% of my internet traffic flows through a VPN. I have been blacklisted by various services upon connecting to a VPN or switching servers on multiple occasions.

  • Yes.

    A user has to manually unpack a zip bomb, though. They have to open the file and see "uncompressed size: 999999999999999999999999999" and still try to uncompress it, at which point it's their fault when it fills up their drive and fails. So I don't think there's any ethical dilemma there.

    • For some reason I was under the impression that browsers had the ability to transparently decompress certain archive formats? I may be thinking of less and gzip, though.