Comment by CobrastanJorji

7 months ago

Yes, servers can respond without specifying the size by using chunked encoding. And you can do the rest with a custom web server that just handles request by returning "<div>" in a loop. I have no idea if browsers are vulnerable to such a thing.

6 comments

CobrastanJorji

konata390 7 months ago

I just tested it via a small python script sending divs at a rate of ~900mb (as measured by curl) and firefox just kills the request after 1-2 gb received (~2 seconds) with an "out of memory" error, while chrome seems to only receive around 1mb/s, uses 1 cpu core 100%, and grows infinitely in memory use. I killed it after 3 mins and consuming ca. 6GB (additionally, on top of the memory it used at startup)

M95D 7 months ago

What did the bots do?

M95D 7 months ago

I would make it an invisible link from the main page (hidden behind a logo or something). Users won't click it, but bots will.

stefs 7 months ago
the problem with this is that for a tarpit, you just don't want to make it expensive for bots, you also want to make it cheap for yourself. this isn't cheap for you. a zip bomb is.
- ku1ik 6 months ago
  
  Right, so an invisible link + a zipbomb is da bomb.
  
  1 reply →