
The Most Clever 'Zip Bomb' Ever Made Explodes a 46MB File to 4.5 Petabytes - kiyanwang
https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes
======
ineedasername
Are there documented examples of these things out in the wild, in viruses etc?
Just wondering what the actual threat profile is.

~~~
AndrewStephens
I used to work on commercially available proxies for scanning email and web
traffic. A large amount of time was spent unpacking compressed content so that
someone couldn't smuggle in naughty pictures by hiding them in a zip file, for
example.

Zip bombs were designed to DOS companies using such products by wasting disk
space (or just CPU time) while they were unpacking and scanning the contents.

The mitigation is easy though. We kept track of the compression ratio as we
were unpacking the archives and tossed out anything where it got too large. No
legitimate content compresses 1000:1.
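The running-ratio check described above, written out as an added Python example (not code from the proxy product or from anyone in this thread); the limits, the 1 MiB minimum before the ratio is judged, and the in-memory sample archives are constructed assumptions:

```python
import io
import zipfile

# Constructed limits for this example; a scanning proxy would tune them to its traffic.
MAX_RATIO = 100                  # inflated bytes / compressed bytes, per member
MAX_TOTAL = 256 * 1024 * 1024    # hard cap on bytes inflated for one archive
MIN_OUT_FOR_RATIO = 1024 * 1024  # judge the ratio only once a member is this big
CHUNK = 64 * 1024

def scan_archive(zip_bytes, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """Stream-inflate every member while watching the running compression ratio.

    Returns (accepted, reason, sizes) and stops as soon as a member's running
    inflated/compressed ratio exceeds max_ratio or the archive's total inflated
    size exceeds max_total, so a bomb is never fully inflated. The ratio uses
    bytes actually produced, not the header's size fields, which the sender controls.
    """
    sizes, total_out = {}, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # zipfile feeds at most compress_size bytes to the inflater, so this is
            # an upper bound on input consumed and the ratio below is conservative.
            compressed = max(info.compress_size, 1)
            out = 0
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    out += len(chunk)
                    total_out += len(chunk)
                    if total_out > max_total:
                        return False, f"{info.filename}: total inflated exceeds {max_total} bytes", sizes
                    if out >= MIN_OUT_FOR_RATIO and out / compressed > max_ratio:
                        return False, f"{info.filename}: ratio {out // compressed}:1 exceeds {max_ratio}:1", sizes
            sizes[info.filename] = out
    return True, "ok", sizes


def build_zip(members):
    """Build an in-memory deflate archive from {name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # 16 MiB of zeros deflates to roughly 16 KiB, about 1000:1, like one layer of a classic bomb.
    print(scan_archive(build_zip({"bomb.bin": b"\0" * (16 << 20)})))
```

Because the check runs on each inflated chunk, the zero-filled member is rejected after a few MiB rather than after all 16 MiB, and a small but highly compressible file still passes.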

~~~
cr0sh
> Zip bombs were designed to DOS companies...

Maybe today - but back in the day, Zip bombs were done as pranks on users of
BBSs; upload one named something intriguing, and the hapless user would
download it and unzip it to their tiny (then) hard drive, and a file that was
supposed to be 4 MB blows up into several hundred MB to gigs, filling their drive
if they weren't paying attention.

> The mitigation is easy though. We kept track of the compression ratio as we
> were unpacking the archives and tossed out anything where it got too large.
> No legitimate content compresses 1000:1

Interesting and neat solution!

------
salawat
Ouch.

Though this begs the question: Would you rather: 4.5 Petabytes or 9
Petanibbles?

