Dropping Zip Bombs on Vulnerability Scanners

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.

Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s Schmoocon for cathartic tales of revenge.

116 thoughts on “Dropping Zip Bombs on Vulnerability Scanners

        1. Interesting…my workstation didn’t seem to mind it much. Chrome just hogged a bit more RAM than normal, but it didn’t crash the tab. In-fact the 4K YouTube video I was watching in another tab didn’t even stutter. Unsure if that’s just macOS being good about allocating Chrome as much RAM as it wants, the fact that my machine has a redicuous amount of RAM, or a combination, of both. 2012 Mac Pro 12-core (the last of the cheese grater ones), 4x SSDs, 128GB RAM, 4x Quadros, macOS Sierra.

          1. I’m very lazy, so I do most of my work using neural networks. Well, they don’t like being called neural networks (they demand to be called “people”, “family”, “friends” and other ridiculous names), but hey, it works. Just call them, tell them instructions and wait for the result/answer. These NNs are great at finding information, picking out the important part, compressing it and sending over phone using text-to-speech. But what slightly concerns me is their ability to self-replicate…

          1. One guy on COPS did exactly that, drug dealer flagged down a patrol car to report that another drug dealer had attacked and robbed him. Took his money and his drugs!

          1. @jaap To be fair it all depends on the quality of the code in the decoder, The “good” is well written with lots and lots and lots of error checking and hard coded limits. The “bad” programs crash a lot, usually a direct result of quick and dirty code with insufficient error checking and is a sure sign of one security hole (but usually more, bad code gets copied and pasted a lot). The “ugly” way to tell the difference between the two is either by partially populating the headers and fuzzing from /dev/random, or reading and understanding the full standard and using hand crafted data to try and detect missing error checks and generate crashes.

            If you are using an API to access a encoder/decoder written by someone else (or ideally a group of people), who have spent 10,000+ hours working in that area, you are probably safe. But if you choose to implement your own from scratch having read the standard, depending on your skill set, that may have been a bad idea :)

        1. I seem to remember someone doing this for hotlinking images back in the day. They served a 10kb 65,535 x 65,535 png for every request – but it was simply a transparent picture. Downloads instantly, then crashes the browser when it tries to render that.

    1. very poor analogy, but I hope it illustrates my point : It’s like leaving a malfunctioning gun in our own home. If some dumbass steals it and then manages to shoot himself because the gun has the safety mechanism intentionally disabled, who’s fault is it, the owners or the attackers?

      If you steal shit, don’t be too surprised if it blows up in your face. I fully support this cause, these script kiddies who “hack” various sites are just bottom-tier criminals, same as “taggers”…

        1. Very much depends on locality

          I was concerned with CFAA and overzealous prosecutors but someone mentioned it’s more like delivering an exceedingly large web page than truly hacking the server. I think there’s a strong case there but I wouldn’t want to pay for a lawyers new speed boat to set the precedent.

          That said, these are hackers (probably) based out of the US allegedly up to no good, it’s like robbing a drug dealer (not that I support robbing people), are they really going to go to the cops ? “Yes officer, I was trying to hack their system and they bogged mine down without my permission!”

          1. “There were cases when a drug dealer or drug addict called the police because someone stole his stash…”

            Indeed. We had something similar here in the UK either end of last year or beginning of this one. I don’t remember the exact details as it was just another of those ‘shake head, mutter idiot’ things.

            Likewise, I vaguely remember something about a prosecution for the use of ‘countermeasures’ but that could simply be my memory playing tricks on me.

          2. As far as I know, there aren’t any states in the US where boobytraps are legal. That is, if you leave something you know (or should know) is dangerous lying around and it harms someone–even an intruder–you can be held liable in civil court. The successful cases I’ve seen have been either literal boobytraps (eg the ol’ tripwire shotgun) or horrendous code violations (eg a garage that’s impossible to get out of without a key).

            I suspect you could get away with a malfunctioning gun, as long as it wasn’t literally rigged to blow, or otherwise deliberately rendered useless for anything but maiming the unsuspecting.

      1. It’s random in the sense that you have no idea who your target is, and servers in the sense that it’s a computer sending and receiving lots of requests. This may not meet the technical definition of server but most peoole seem to have understood what I meant.

        1. >It’s random in the sense that you have no idea who your target is

          My target is the attacker that is trying to break into my server. I’m not even attacking them, simply giving them exactly what they requested, just not what they expected.

          > servers in the sense that it’s a computer sending and receiving lots of requests.

          This describes my cellphone. If someone is scanning the ports on my cellphone looking for an unsecured WordPress server, they are a target.

    2. It’s not Random servers, it’s those attempting to break in, if someone was given permission that’s different then someone trying to force their way in. As far as I am aware there are no laws for or against this.

    3. Those servers are requesting data from your site. You’re giving it to them. Just a lot of it :) How can that be illegal?

      The people that are responsible for the crashing servers are the botnet operators.

      Also, hopefully it will give the infected server owners a heads-up to fix it. They clearly need one.

      1. By the way to clarify my last comment: Most of these probes come from other hacked servers. You’re not crashing the botnet owners’ PCs, but random hosting providers.

        Nevertheless, I think they are getting what they deserve. The IRC network I’m on has been hit with a lot of bot spam recently and I’ve been emailing the abuse addresses of the affected IP ranges and I’ve been appalled with the results.

        About 50% of the times I get no reply (and see spam again from the same IP a few days later in several cases).
        About 30% of the other times I get nonsense replies (“We don’t care, yhe customer is responsible to keep their wordpress up to date”).
        Only about 20% they promise to do something (mostly western European hosters, in particular Germany).

        Of course I understand that a hosting provider doesn’t manage their customers’ wordpress configs but really, they should take action when their server is highjacked and becomes a nuisance to the entire internet. Crashing it will definitely cause them to take action.

        1. Working in the hosting industry, most times it is not the server that is hijacked but rather the clients files and user (which can and should be mitigated by a security professional and the user, on the users dime). We lose customers by taking drastic actions (such as suspensions), but is less costly than the server going down. We sent notifications to clients, but we also advise that the activity is against TOS and they need to clean it up. Very seldom is a system actually compromised fully that requires our intervention.

    4. This isn’t a DOS attack… DOS would imply that are attacking them actively (which I personally am fine with that as well). This is more like a booby trap. It’s a passive attack that only triggers if you try to download the zip file and decompress it and it is placed on the server where normal users wouldn’t go etc…

        1. I prefer the simpler days. DOS = disk operating system. The lazy nerds of the world are running out of acronyms so have to re-use existing ones.

          I hope their heads explode.

    5. I would say so. Why is it legal for them to knock on your door repeatedly at 3 am or to peer into your windows to see if your door is unlocked? Turnabout is fair play imho. Plus it is non-destructive at the end of the day.

    6. No, it’s like you crack my safe, take out the big bar of gold and drop it on your feet because it is very heavy. :-) And then perhaps notice it’s not gold, but painted tungsten. But nobody asked you to take it out anyway. I also did not offer it for sale to you as gold. So you get what you deserve.

  1. Has anyone done any sort of analysis of this? My quick and dirty attempt with wget simply retrieved the smaller 10MB file and my perlfu isn’t quite strong enough to whip up something with LWP off the top of my head.

    1. He’s not just serving up a gzip file; the webserver is setting the headers so that it looks like an html file that’s been compressed, that needs to be decompressed on the receive side before being passed on to the caller.

      1. Or specifically the client sends a page request:
        Accept-Encoding: gzip, deflate, br

        And the server replies with a valid file rather than a page:
        Content-Encoding: gzip

        It is funny, as it will catch a few rookies with sloppy programming.

        Spider traps are acceptable on sites that don´t fear desisting by googlebot.

    1. Here is my results for a 1GB file and 50 iterations :
      Original Size: 1073741824, Deflate: 1055629, Compression: 99.901687% Removed
      Original Size: 1073741824, Gzip: 1055647, Compression: 99.901685% Removed
      zopfli -v –i50 1Go 1181,48s user 1,91s system 99% cpu 19:43,44 total

      1. Not possible. Zip isn’t a recognised HTTP delivery compression. gzip is a single file stream, not an archive of a file(s), so there is no “inside” thus no extractable file to extract to extract to extract,…

          1. You realize that’s a figurative meaning, right? That’s the whole point of literal vs figurative. Having the meaning doesn’t make it literal. Literal is when the meaning in use matches the original meaning for which the word was created.

            There are a lot of people grasping at straws to avoid being incorrect on this article.

  2. I doubt it makes any difference. The kiddies just look for positive results. It is like not answering your phone if you don’t recognise the CID. After a year of doing it, you find it makes no difference in the amount of spam calls you get. We pushed that game up a notch and now let the phone ring 10 times to waste time before playing an announce only message. We get a chuckle out of it, but it makes no difference in the volume of calls. They are not looking at any stats but “hits”.

    1. This is more like rigging your phone so that if it gets too many spam calls from that number, the next call plays a loud noise. Someone with an in depth knowledge of codecs can probably figure out the bit sequence that decodes to the loudest possible signal.

    2. The idea is that it makes the attacker code crash out and stop probing *anyone* until the attacker notices (maybe hours or days later) and restarts it. If you’re really lucky it retries the same address range, or from just after the last logged address… and hits the boobytrap again.

    3. Try answering, pressing whatever key the bot says will transfer you to a human, then playing Mary Had a Little Lamb on the keypad until they hang up on you. They curse at you, and all you hear is beep bop boop bop beep beep beep.

  3. I used to have a zip file like that, and used to the fill all free space on a Windows drive with zeros. Until I got around to writing a windows application that opens a file and writes zero’s until the drive is full. Filling free drive space with zeros is very helpful when making compressed images of whole drives (boot from Linux USB drive, then just cat /dev/sda, pipe through pigs, a multi-threaded version of gzip, and stream the resulting file over the network to a server using nc. a simple zcat piped to /dev/sda will write it back to the drive.)

    1. I’m guessing that somebody should make a program that imitates an SSH server, then takes very long time to respond – and then streams a really, really long banner (like, lots of banner text, and no compression supported), oh, and no logins and passwords would get accepted, but would be carefully logged instead (as well as keys, I think). I guess I could do it some day, I used some Python SSH server-imitating code with paramiko, and I think I based my code off somebody’s fake SSH server made for exactly this purpose. I wish there were enough time to get to doing that one day, of course =)

      1. I have a friend whose final graduation work was a mail server (or the modification of a popular mail server) that detected spammers when they connected to deliver spam (by reverse ip checks, blacklists, etc) and started a…n…s….w…e…r…i…n…g… S…l… o….w…l…l….y….

        Usually after a while they stopped trying to deliver spam for his server.

    2. google fail2ban. In default settings – 5 attempts and they are out for 10 minutes for that IP.
      Can actually scan other logs and ban by any actions that can fit a regular expression.

    3. iptables -m recent –syn –dport 22 -j drop + port knocking – so that you’ll always get in (can also be implemented with iptables rules using -m recent). Works extremely well. You’ll get only the first attempt and when sshd kicks them out and they can’t immediately make another connection, they usually f*ck off. For the most determined/dumb ones just run a simple perl script that harvests the security logs and adds the IPs to ipset when there are more than x attempts. Don’t forget to add the port knocking before all the rejecting rules. ;)

      1. freman@servah ~ $ sudo ipset list ssh_perm | wc -l
        10708

        I have a similar list for smtp, and a temporary version for smtp (auth fails go perm, spam goes temporary – which is 6 hours)

    4. “More importantly what do we do about the ssh login attemps littering out logs?”

      Depends on what you want to achieve.

      Automated abuse reports are almost certainly a waste of time and might even get you into trouble with your hosting provider. Providing *they* actually care about abuse reports :)

      A few years ago I sent an abuse report to ADSL24 – manually and after much provocation – and cc’d their upstream provider Entanet.

      It came as quite a shock to learn that they’d forwarded it to my isp as a malicious complaint. And when that backfired on them, rather childishly started harassing me on the thinkbroadband forums.

      It wasn’t so much of a shock a few months later to learn they were hand-in-glove with the likes of Andrew Crossley.

    5. I have a fake ssh server on port 22
      http://nic.ath.cx/fakesshd.tar.gz
      which lets the scanners in after a few password guessing and then logs their commands.
      some captures are here
      http://uglyduck.ath.cx/honeypot/

      For my web server I use apache’s re_write module and serve them random garbage
      when they scan for vulnerabilities. My approach is to make the served text files to
      compress badly by using random characters (because apache compresses them
      on the fly) so they suffer a download time penalty. They need to parse the files
      too on their end and all this slows them down a lot.

    6. i run ssh on a non-standard port, and put the pair of lines in my .ssh/config so i don’t have to remember it:

      Host my.host.com
      Port 1234

      The disadvantage is when I connect from a new device I have to remember it again.

      Security through obscurity won’t do any good at all against an advanced persistent threat but stops your typical “worm” sort of attack cold.

  4. “Nobody really knows if this works on the bad guys’ servers” I thought the “bad guys” mostly used other people’s computers. So all that’s really going to happen is some poor schmuck who’s already wondering why his machine is so slow is going to get nuked.

    OK, maybe some script kiddie will fall for this and get the message. Or maybe he’ll get pissed and escalate things. My experience is that the script kiddies have short attention spans. If they can’t get in right away, they get bored and move on soon without me having to do anything.

    And with the real “bad guys”, I’ll probably never know that they’ve hit me until it’s way too late.

    1. If you get infected it’s your fault that it’s being used for criminal activity. Keep your machine up to date, pay for your software, use quality AV. Pay attention to your PC performance and hire an IT Professional if it’s acting up. All stupid simple stuff that doesn’t even cover the most obvious “know how to spot a phishing attempt, etc”

      So the poor schmuck can use their machine coming to a complete failure as a warning sign. At the very least we need to take them offline if they are infected to stop the spread of the disease. If you are infected you don’t go out to a public park, you stay home and get well.

      Script Kiddies will lose lots of potential progress if they don’t notice for a few hours or days, and if enough people start proactively defending their equipment it will discourage business and individuals in a meaningful way. I’m going to advise my clients to use this and other similar techniques and am already implementing it on my and my friends equipment.

      1. “If you get infected it’s your fault that it’s being used for criminal activity.”

        Complete and utter nonsense.

        Fortunately, the law take a very different view.

    2. Possibly, but that means that maybe the “poor shmuck” will actually do something about his computer being infected, once it actually affects him instead of just screwing other people.

  5. You can also keep some sparse files around for things that will serve them out while compressing on the fly (tar, dump/restore, dd, and so on know how to deal with them correctly but most programs taking input as a stream (gzip for instance, or a webserver passing a file through zlib on its way out) don’t and will compress and send the whole shebang and so at the receiving end they get an unweildy large file while it can be stored in one block on your actual FS.

  6. They are also good for taking out a man in the middle attackers, if your packets are getting snooped you can mess with any protocol that allows compression to choke any system that doesn’t know which packets have harmful payloads that should be dropped without being decompressed.

  7. I remember in ’93 I had a friend who was compressing .tar files down from 10mb to a couple of k, then would keep doing this until he had a 10 MB file again. Then wash rinse and repeat. A single file of his would decompress to around 10 GB. He would say if someone saw his file on a server, obviously, they didn’t know what they had. And if they did know what they had, they were just as evil as he was. Computers in ’93 just didn’t have the storage space to handle 10 GB, unless it was a corporate or a government server…;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;Bruce would shut you down if you “thought” you knew what you were doing.

  8. Best toy ever is NC or Net Cat, Make it sit on a port of your choice then when someone tries to connect to that port start feeding an endless loop of data to them with a ZIP header.. File on their end gets bigger and bigger if they try to download it or if they are in an SSH or terminal screen they get a nice repetitive message from you.

    I wounder if it would be easier to just alter the header and footer to create a monster file or cause whatever archive application is doing the decompression to just continue to fill the file with zero’s.

  9. I’d live to be able to implement things like this but I also lack the knowledge of where to even start.

    Setting up a server is relatively easy but securing it takes a bit more effort.

    I’d consider my self a bit more computer literate than the average joe but computers really haven’t been dumbed down enough yet for them to become an appliance that anybody can safely use.

  10. Gzip unfortunately can’t get higher than a 1032:1 compression ratio. There’s a 258 byte maximum passage that the huffman coding could get down to 1 bit each for distance and length. The new less-standard brotli standard can do 16MB passages so you could in theory get that 10MB file to expand to something like 64TB.

    1. heh.

      Nice, but wrong audience I think.

      Script-kiddies are like fish – and almost as intelligent in some cases – you need to use the right bait. Make it look like a ‘home movie’ (nudge, nudge. wink, wink).

      Give it a ‘smartphone’ style name and stick it in a directory named “Private” or something similar.

  11. Meh, I don’t get web/email traffic from outside this country to my little home server so firewall blocks most Russian, Ukrainian, Chinese, African, etc. IP blocks + certain large hosters like Amazon, OVH, Hetzner, Digital Ocean, etc. + few large ISPs. I used to send abuse reports to ISPs but usually got no response. And yeah, my router ACL has about 900 deny lines but I very rarely see any crap on my logs… :D

    Several years ago I saw script kiddies trying to run a Perl script via XSS: it connected to an IRC server with a random nick, joined to a certain channel, and then just idled on the channel, waiting for commands from master with a certain nick. Well, I joined to the channel with a random nick and waited. There was hundreds of servers all around the world running the script, but couldn’t report them to anyone because IPs were hidden and hostnames were partially. After few hours I saw the master getting disconnected (thanks, 3G!) and when he/she got connected back to the IRC server, his/her nick was taken… by me. I received butthurt private messages. Then he/she saw me giving a command to start UDP flooding the IRC server for one million seconds, and obviously then I got disconnected from the IRC server and couldn’t reconnect. There… no more crap on my logs.

    1. That sort of ‘proactive’ response wouldn’t work now, modern malware is too sophisticated. It’s also against the law in both Europe and the US as well.

  12. compression, JS loops, and memory corruption are the three possibilities for fighting back..

    Once someone make a DPI firewall that would ‘attack back’ by using a vulnerability scanner on attacking IP addresses..

    1. Such things did exist at one point and probably still do, but it’s no longer the ‘grey area’ it once was. The use of such tools is against the law in Europe, probably the US as well.

      1. I would remedy ddos and spamming using a fast-flux DNS. Basically round-robin DNS with a lot of machines. Maybe even double-flux. But never the actual IP. Remote code execution, XSS, and SQLi I’d remedy with sandboxing and memory and request scanning from outside the sandbox.

  13. I remember an leaked Ultra compressed windows 7 iso down to 36mb, when self deflating (unknown Russian archiver) it took at least 3 hrs to remake an 3.6gb iso ????

    Good job to annoy the intruders, i love it

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s