Comment by suid

7 months ago

Good question. The "ultimate zip bomb" looks something like https://github.com/iamtraction/ZOD - this produces the infamous "42.zip" file, which is about 42KiB, but expands to 3.99 PiB (!).

There's literally no machine on Earth today that can deal with that (as a single file, I mean).

> There's literally no machine on Earth today that can deal with that (as a single file, I mean).

Oh? Certainly not in RAM, but 4 PiB is about 125x 36TiB drives (or 188x 24TiB drives). (You can go bigger if you want to shell out tens of thousands per 100TB SSD, at which point you "only" need 45 of those drives.)

These are numbers such that a purpose-built server with enough SAS expanders could easily fit that within a single rack, for less than $100k (based on the list price of an Exos X24 before even considering any bulk discounts).

  • I think you can rent a server with about 4.5 PiB from OVH - as a standard product offering, not even a special request. It costs a lot, obviously.

    • I would hope if you request a 4.5 PiB allocation somebody somewhere tries to call you to ask if you didn't accidentally put a couple extra zeroes lol

Do most unzip programs work recursively by default?

  • No, at least not the ones I am aware of. iirc these kinds of attacks usually targeted content scanners (primarily antivirus). And an AV program would of course have to recursively decompress everything.
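The point in the last two comments (a scanner has to descend into nested archives, and that is exactly what a layered bomb like 42.zip abuses) is easier to see with a bounded recursive inspector. The following is an added example, not code from the thread or from the ZOD project. It walks a zip with Python's standard `zipfile` module and enforces three limits that are assumptions chosen for illustration: a per-entry declared compression ratio (checked from the central directory before anything is inflated), a nesting depth, and a total budget of bytes actually inflated. The sample archives (`BENIGN`, `NESTED`, `TOO_DEEP`, `HIGH_RATIO`) are constructed inline so the script runs offline; `inspect_zip`, `is_suspected`, `make_zip` and `nest` are names invented for this example.

```python
import io
import zipfile

# Policy limits. These are assumptions for this example; a real scanner
# would tune them per deployment.
MAX_DEPTH = 3                        # nested archives we are willing to descend into
MAX_RATIO = 100.0                    # declared uncompressed:compressed ratio per entry
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # budget for everything we actually inflate
CHUNK = 64 * 1024


class ZipBombSuspected(Exception):
    """Raised when an archive trips a limit; nothing past the limit is inflated."""


def _read_bounded(zf, info, budget):
    """Inflate one entry, charging the bytes that really come out against the budget.

    The ratio check below trusts header sizes; counting real output here means a
    header that under-declares its size still cannot push us past the total budget.
    """
    out = io.BytesIO()
    with zf.open(info) as stream:
        while True:
            chunk = stream.read(CHUNK)
            if not chunk:
                break
            budget[0] -= len(chunk)
            if budget[0] < 0:
                raise ZipBombSuspected(f"{info.filename}: inflated past total budget")
            out.write(chunk)
    return out.getvalue()


def inspect_zip(data, depth=0, budget=None):
    """Recursively inspect a zip the way a content scanner must, but bounded.

    Returns a summary dict (entries, nested, inflated_bytes, max_ratio) or raises
    ZipBombSuspected. The ratio test uses central-directory metadata only, so a
    single absurdly compressible entry is rejected before a byte of it is inflated.
    """
    if budget is None:
        budget = [MAX_TOTAL_BYTES]
    if depth > MAX_DEPTH:
        raise ZipBombSuspected(f"nesting deeper than {MAX_DEPTH} levels")
    summary = {"entries": 0, "nested": 0, "inflated_bytes": 0, "max_ratio": 0.0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            summary["entries"] += 1
            ratio = info.file_size / max(info.compress_size, 1)
            summary["max_ratio"] = max(summary["max_ratio"], ratio)
            if ratio > MAX_RATIO:
                raise ZipBombSuspected(f"{info.filename}: declared ratio {ratio:.0f}:1")
            if info.file_size > budget[0]:
                raise ZipBombSuspected(f"{info.filename}: declared size exceeds budget")
            content = _read_bounded(zf, info, budget)
            summary["inflated_bytes"] += len(content)
            # Descend into anything that is itself a zip, regardless of its name.
            if zipfile.is_zipfile(io.BytesIO(content)):
                summary["nested"] += 1
                inner = inspect_zip(content, depth + 1, budget)
                summary["entries"] += inner["entries"]
                summary["nested"] += inner["nested"]
                summary["inflated_bytes"] += inner["inflated_bytes"]
                summary["max_ratio"] = max(summary["max_ratio"], inner["max_ratio"])
    return summary


def is_suspected(data):
    """Convenience wrapper: True if inspect_zip rejects the archive."""
    try:
        inspect_zip(data)
    except ZipBombSuspected:
        return True
    return False


# --- constructed sample archives (not real-world files) ---------------------
def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nest(data, levels):
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data


BENIGN = make_zip({"readme.txt": b"hello from a constructed sample"})
NESTED = nest(BENIGN, 2)                                   # zip -> zip -> zip -> readme.txt
TOO_DEEP = nest(BENIGN, 5)                                 # exceeds MAX_DEPTH
HIGH_RATIO = make_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)})  # ~1000:1 under DEFLATE

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("nested", NESTED),
                          ("too deep", TOO_DEEP), ("high ratio", HIGH_RATIO)]:
        try:
            print(label, inspect_zip(sample))
        except ZipBombSuspected as e:
            print(label, "REJECTED:", e)
```

Two things worth noticing when you run it. The ratio check on its own is not enough against a layered bomb: in a 42.zip-style archive the outer layers are zips of zips, which barely compress further, so their per-entry ratios look innocent and only the innermost layer shows the huge expansion. That is why the depth limit and the total inflated-byte budget are there as well, and why the budget is charged with bytes that actually come out of the decompressor rather than with what the headers claim. Python's `zipfile` happens to stop at the declared size and CRC-checks the result, but counting real output keeps the limit meaningful with any reader.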