Hackers do not find a new way to access your servers every day. Zip bombing is one of the simplest but most effective ways to do this.
The frequency of cyber attacks is increasing every day. Developing cybersecurity measures push threat actors to find new ways. This is natural in today’s world where data is more valuable than gold because every information is now in the virtual environment and there is nothing that black hat hackers will not do to obtain it.
What is a Zip bomb?
To explain zip bombing we must first explain what is a ZIP file. A ZIP file is a file archive that stores multiple files as one. It is a lossless compression format, which means that the data is compressed without losing any quality. ZIP files are often used to reduce the size of files for easier storage or transmission.
A zip bomb on the other hand is a malicious ZIP file that is designed to overwhelm a computer system with data. Zip bombs are typically created by recursively nesting ZIP files within each other. Zip bombing works by exploiting the way that zip files are compressed. Zip files use a compression algorithm called Deflate, which is very efficient at compressing data. However, Deflate also has a weakness: it can be used to create files that are much larger when decompressed than they are when compressed.
To create a zip bomb, an attacker will create a ZIP file containing a large number of identical files. These files can be anything, such as empty text files or images. The attacker will then compress the ZIP file multiple times, each time using a different compression level.
This process can create a ZIP file that is very small when compressed, but very large when decompressed. For example, a zip bomb file that is only a few kilobytes in size can expand to hundreds of gigabytes or even terabytes when decompressed.
Recursive vs non-recursive Zip bombs
Recursive zip bombs work by nesting zip files within each other. For example, a recursive zip bomb might contain a zip file containing another zip file, and so on. When the victim opens the zip bomb, the computer will try to extract all of the nested zip files. This can quickly overload the computer’s resources and cause it to crash.
Non-recursive zip bombs do not use nested zip files. Instead, they rely on a technique called overlapping files. Overlapping files are files that contain the same data, but at different locations in the zip file. When the computer tries to extract a non-recursive zip bomb, it will extract the same data multiple times. This can also overload the computer’s resources and cause it to crash.
Non-recursive zip bombs are more effective because they can be much smaller than recursive zip bombs. For example, a non-recursive zip bomb that can expand to 1TB can be as small as 10MB. This is because non-recursive zip bombs do not need to contain multiple copies of the same data.
How zip bombs are used in cyberattacks?
Zip bombs are often used in denial-of-service attacks. A denial-of-service attack is a type of attack that aims to make a computer system unavailable to its intended users. In a denial-of-service attack, the attacker will flood the computer system with traffic or data, causing it to crash or become overwhelmed.
Zip bombs can also be used to spread malware or to steal data. For example, an attacker might send a zip bomb to a company in an attempt to disable its antivirus software. Once the antivirus software is disabled, the attacker can then send other malware to the company’s computers.
Then, when there is not enough space for data storage, happens especially in a company that does not do data archiving, the systems become unstable and slow down at first and then completely crash. A zip bombing like this can take a very long time to fix manually if backups are not taken in short periods.
A stable system is a hacker’s dream and it is much easier to get hold of personal/company data after such an attack.
How do you protect yourself against Zip bombing?
There are several steps you can take to protect your server against a zip bomb attack:
- Limit the size of uploaded files
- Check the uncompressed size of uploaded files before extracting them
- Extract zip files to a temporary directory
- Use a web application firewall (WAF)
Limit the size of uploaded files
Most web servers have a built-in limit on the size of uploaded files. This limit should be set to a value that is large enough to accommodate legitimate file uploads, but small enough to prevent zip bombs from being uploaded.
To limit the size of uploaded files in Apache, you can use the following directive:
This will limit the size of uploaded files to 1 MB. You can adjust the limit to meet your needs.
Check the uncompressed size of uploaded files before extracting them
A zip bomb can be compressed to a very small size, but it will expand to a much larger size when it is extracted. You can use a zip library to check the uncompressed size of a zip file before extracting it. If the uncompressed size is greater than a certain threshold, the file should be rejected.
For example, in Python, you can use the following code:
total_size = 0
with zipfile.ZipFile(zip_file, ‘r’) as zip_ref:
for info in zip_ref.infolist():
total_size += info.file_size
if check_uncompressed_size(‘my_file.zip’) > 10000000:
# The zip file is too large, reject it
# The zip file is safe to extract
Extract zip files to a temporary directory
This will prevent the zip bomb from filling up your server’s hard drive. You can use the following code on Python to create a temporary directory and extract a zip file to it:
temp_dir = tempfile.mkdtemp()
with zipfile.ZipFile(zip_file, ‘r’) as zip_ref:
# Do something with the extracted files
Use a web application firewall (WAF)
A WAF can be configured to detect and block zip bomb attacks. To set up a web application firewall (WAF), you will need to:
- Choose a WAF solution. There are many different WAF solutions available, both commercial and open source. You should choose a solution that meets your specific needs, such as the types of attacks you want to protect against, the size and complexity of your web application, and your budget. The most popular WAF solutions of 2023 are as follows:
- Deploy the WAF solution. Once you have chosen a WAF solution, you will need to deploy it in front of your web application. This may involve configuring your web server or load balancer to route traffic through the WAF
- Configure the WAF rules. Most WAF solutions come with a set of pre-configured rules that protect against common web application attacks. You can also create your own custom rules to protect against specific attacks or threats
- Monitor the WAF logs. It is important to monitor the WAF logs to identify any attacks that are being blocked or attempted. This will help you to ensure that the WAF is working properly and to identify any new threats that may emerge
Remember, any step you take to ensure the cybersecurity of you and your employees is not extra. Data is worth its weight in gold and you are a modern jeweller.
Featured image credit: rawpixel.com/Freepik.