If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.
Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:
dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.
Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s ShmooCon for cathartic tales of revenge.
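The receiving side of this trick, as an added example that is not from the original article or from [Christian]'s code: any client that inflates a Content-Encoding: gzip body without an output cap will try to hold all 10 GB, so the Python sketch below decompresses in bounded steps and aborts once a cap is crossed. The function names, the 64 KiB step and the caps are assumptions chosen for illustration, and the sample body is a constructed 10 MiB run of zeroes rather than the 10 GB file.

```python
import gzip
import io
import zlib


class DecompressionLimitExceeded(Exception):
    """The body inflated past the caller's cap; carries counters for logging."""

    def __init__(self, produced, consumed, total_in):
        super().__init__(
            f"output exceeded cap: {produced} bytes produced from "
            f"{consumed}/{total_in} compressed bytes"
        )
        self.produced = produced
        self.consumed = consumed


def make_zero_gzip(n_bytes, chunk=1 << 20):
    """Constructed sample input: n_bytes of zeroes, gzip-compressed in memory."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        zeros = bytes(chunk)
        left = n_bytes
        while left > 0:
            n = min(chunk, left)
            gz.write(zeros[:n])
            left -= n
    return buf.getvalue()


def bounded_gunzip(body, max_output, step=64 * 1024):
    """Inflate a gzip body, refusing to produce more than max_output bytes.

    Hypothetical helper: `body` is the raw payload of a response that
    declared Content-Encoding: gzip. Output is requested in small steps, so
    memory use stays near max_output no matter what size the stream claims.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ means gzip framing
    out = bytearray()
    data = body
    while not d.eof:
        room = max_output - len(out)
        # Ask for one byte more than the remaining room: receiving it proves
        # the stream is larger than the cap without inflating the rest.
        piece = d.decompress(data, min(step, room + 1))
        out += piece
        data = d.unconsumed_tail
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                len(out), len(body) - len(data), len(body)
            )
        if not piece and not data:
            # No output and no input left, yet no gzip trailer was seen.
            raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    size = 10 * 1024 * 1024
    sample = make_zero_gzip(size)
    print(f"{size} bytes of zeroes -> {len(sample)} bytes, "
          f"ratio {size / len(sample):.0f}:1")
    try:
        bounded_gunzip(sample, max_output=1024 * 1024)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
    print(bounded_gunzip(gzip.compress(b"<html>ok</html>"), 1024 * 1024))
```

A scanner or crawler would apply the same cap to every response it fetches, and should also bound the compressed download itself, since the body handed to this function is already held in memory.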
This was worth a good chuckle. ;)
“Are you going to take that sitting down?”
http://static.tvtropes.org/pmwiki/pub/images/explosive_instrumentation_3632.jpg
NO!
I’m afraid to test it out, what will it do to a mobile device?…
At most freeze up the current tab ;)
I’ve misunderstood what this does. I thought clicking the link would automatically start downloading 10GB.
I tested on a 32GB RAM PC. Within 30 seconds it created a Chrome tab that used ~11GB on RAM then Chrome crashed that tab.
Interesting…my workstation didn’t seem to mind it much. Chrome just hogged a bit more RAM than normal, but it didn’t crash the tab. In fact the 4K YouTube video I was watching in another tab didn’t even stutter. Unsure if that’s just macOS being good about allocating Chrome as much RAM as it wants, the fact that my machine has a ridiculous amount of RAM, or a combination of both. 2012 Mac Pro 12-core (the last of the cheese grater ones), 4x SSDs, 128GB RAM, 4x Quadros, macOS Sierra.
Is that how you impress all the ladies? I’m using a quantum based device.
I’m very lazy, so I do most of my work using neural networks. Well, they don’t like being called neural networks (they demand to be called “people”, “family”, “friends” and other ridiculous names), but hey, it works. Just call them, tell them instructions and wait for the result/answer. These NNs are great at finding information, picking out the important part, compressing it and sending over phone using text-to-speech. But what slightly concerns me is their ability to self-replicate…
Aagh! This screwed up my line printer!
Is this legal? I can’t imagine it’s legal to DOS random servers all over the web. Or is there a “stand your ground” law for cyberattacks?
He’s trying to crash hackers that are trying to break in.
I know. That’s why I referenced stand your ground laws, which make it legal to shoot someone who is trying to shoot you.
Even if it was illegal, who’s going to snitch? It’s like robbing drug dealers, they can’t report the crime.
One guy on COPS did exactly that, drug dealer flagged down a patrol car to report that another drug dealer had attacked and robbed him. Took his money and his drugs!
I don’t see how it would be illegal. They’re reaching out to your server and you’re returning a response… no one forced them to make that request.
How would it be illegal? Their bots are accessing your machine and requesting a file. You’ve made them no promises about what that file contains… So I’m not even sure you could consider it malicious, let alone a DOS attack.
If you’re randomly accessing servers on the internet and blind downloading files from them… You kinda get what’s coming to you.
It’s just delivering a 10Go page, nothing really evil :D
Should have zipped some ‘F’ bombs.
Based on http://www.gzip.org/algorithm.txt , it looks like gzip should work well for a repeating message of 258 bytes. Could include a message in that. Might make a difference if the scanner has a clever memory manager to efficiently handle zeroed pages.
I wonder if one could do this using the lzw compression in gif files.
After decompression you would be limited to using at most 4GB of RAM, 16-bits for height by 16-bits for width. And programs can read the header and choose not to open the file.
https://en.wikipedia.org/wiki/GIF#Example_GIF_file
Maybe png which has an upper limit of 32-bits for Width and 32-bits for height (16,384 exabytes) might be more interesting.
You could lie about the width and height, so the allocation of the buffer may actually succeed.
@jaap To be fair it all depends on the quality of the code in the decoder, The “good” is well written with lots and lots and lots of error checking and hard coded limits. The “bad” programs crash a lot, usually a direct result of quick and dirty code with insufficient error checking and is a sure sign of one security hole (but usually more, bad code gets copied and pasted a lot). The “ugly” way to tell the difference between the two is either by partially populating the headers and fuzzing from /dev/random, or reading and understanding the full standard and using hand crafted data to try and detect missing error checks and generate crashes.
If you are using an API to access an encoder/decoder written by someone else (or ideally a group of people), who have spent 10,000+ hours working in that area, you are probably safe. But if you choose to implement your own from scratch having read the standard, depending on your skill set, that may have been a bad idea :)
I seem to remember someone doing this for hotlinking images back in the day. They served a 10kb 65,535 x 65,535 png for every request – but it was simply a transparent picture. Downloads instantly, then crashes the browser when it tries to render that.
Very poor analogy, but I hope it illustrates my point: It’s like leaving a malfunctioning gun in our own home. If some dumbass steals it and then manages to shoot himself because the gun has the safety mechanism intentionally disabled, whose fault is it, the owner’s or the attacker’s?
If you steal shit, don’t be too surprised if it blows up in your face. I fully support this cause, these script kiddies who “hack” various sites are just bottom-tier criminals, same as “taggers”…
Unfortunately the good old USofA has many legal precedents holding the homeowner liable in the scenario you pose.
Very much depends on locality
I was concerned with CFAA and overzealous prosecutors but someone mentioned it’s more like delivering an exceedingly large web page than truly hacking the server. I think there’s a strong case there but I wouldn’t want to pay for a lawyer’s new speed boat to set the precedent.
That said, these are hackers (probably) based out of the US allegedly up to no good, it’s like robbing a drug dealer (not that I support robbing people), are they really going to go to the cops ? “Yes officer, I was trying to hack their system and they bogged mine down without my permission!”
There were cases when a drug dealer or drug addict called the police because someone stole his stash…
“There were cases when a drug dealer or drug addict called the police because someone stole his stash…”
Indeed. We had something similar here in the UK either end of last year or beginning of this one. I don’t remember the exact details as it was just another of those ‘shake head, mutter idiot’ things.
Likewise, I vaguely remember something about a prosecution for the use of ‘countermeasures’ but that could simply be my memory playing tricks on me.
As far as I know, there aren’t any states in the US where boobytraps are legal. That is, if you leave something you know (or should know) is dangerous lying around and it harms someone–even an intruder–you can be held liable in civil court. The successful cases I’ve seen have been either literal boobytraps (eg the ol’ tripwire shotgun) or horrendous code violations (eg a garage that’s impossible to get out of without a key).
I suspect you could get away with a malfunctioning gun, as long as it wasn’t literally rigged to blow, or otherwise deliberately rendered useless for anything but maiming the unsuspecting.
This has absolutely nothing to do with DoSsing random servers, you can’t DoS a server with this.
It’s random in the sense that you have no idea who your target is, and servers in the sense that it’s a computer sending and receiving lots of requests. This may not meet the technical definition of server but most people seem to have understood what I meant.
>It’s random in the sense that you have no idea who your target is
My target is the attacker that is trying to break into my server. I’m not even attacking them, simply giving them exactly what they requested, just not what they expected.
> servers in the sense that it’s a computer sending and receiving lots of requests.
This describes my cellphone. If someone is scanning the ports on my cellphone looking for an unsecured WordPress server, they are a target.
It’s not Random servers, it’s those attempting to break in, if someone was given permission that’s different than someone trying to force their way in. As far as I am aware there are no laws for or against this.
They are downloading the file from him. All part of the dangers of downloading and opening files of unknown origin.
Those servers are requesting data from your site. You’re giving it to them. Just a lot of it :) How can that be illegal?
The people that are responsible for the crashing servers are the botnet operators.
Also, hopefully it will give the infected server owners a heads-up to fix it. They clearly need one.
By the way to clarify my last comment: Most of these probes come from other hacked servers. You’re not crashing the botnet owners’ PCs, but random hosting providers.
Nevertheless, I think they are getting what they deserve. The IRC network I’m on has been hit with a lot of bot spam recently and I’ve been emailing the abuse addresses of the affected IP ranges and I’ve been appalled with the results.
About 50% of the times I get no reply (and see spam again from the same IP a few days later in several cases).
About 30% of the other times I get nonsense replies (“We don’t care, the customer is responsible to keep their wordpress up to date”).
Only about 20% they promise to do something (mostly western European hosters, in particular Germany).
Of course I understand that a hosting provider doesn’t manage their customers’ wordpress configs but really, they should take action when their server is hijacked and becomes a nuisance to the entire internet. Crashing it will definitely cause them to take action.
Working in the hosting industry, most times it is not the server that is hijacked but rather the client’s files and user (which can and should be mitigated by a security professional and the user, on the user’s dime). We lose customers by taking drastic actions (such as suspensions), but is less costly than the server going down. We sent notifications to clients, but we also advise that the activity is against TOS and they need to clean it up. Very seldom is a system actually compromised fully that requires our intervention.
This isn’t a DOS attack… DOS would imply that you are attacking them actively (which I personally am fine with that as well). This is more like a booby trap. It’s a passive attack that only triggers if you try to download the zip file and decompress it and it is placed on the server where normal users wouldn’t go etc…
DOS = denial of service. This attack denies someone service when triggered. Therefore DOS is a good description.
I prefer the simpler days. DOS = disk operating system. The lazy nerds of the world are running out of acronyms so have to re-use existing ones.
I hope their heads explode.
Nope. DOS has a specific meaning in this situation, and that is not it. You can’t change the meaning of a word to avoid being wrong.
Nice troll.
I would say so. Why is it legal for them to knock on your door repeatedly at 3 am or to peer into your windows to see if your door is unlocked? Turnabout is fair play imho. Plus it is non-destructive at the end of the day.
No, it’s like you crack my safe, take out the big bar of gold and drop it on your feet because it is very heavy. :-) And then perhaps notice it’s not gold, but painted tungsten. But nobody asked you to take it out anyway. I also did not offer it for sale to you as gold. So you get what you deserve.
brilliant!
gzip -9
(default is 6)
I noticed this too, and ran some tests: gzip -4 and above have the same result file size. For this data gzip -9 has the same result as the default gzip -6.
Has anyone done any sort of analysis of this? My quick and dirty attempt with wget simply retrieved the smaller 10MB file and my perlfu isn’t quite strong enough to whip up something with LWP off the top of my head.
He’s not just serving up a gzip file; the webserver is setting the headers so that it looks like an html file that’s been compressed, that needs to be decompressed on the receive side before being passed on to the caller.
Or specifically the client sends a page request:
Accept-Encoding: gzip, deflate, br
And the server replies with a valid file rather than a page:
Content-Encoding: gzip
It is funny, as it will catch a few rookies with sloppy programming.
Spider traps are acceptable on sites that don’t fear desisting by googlebot.
That is an interesting consequence, but googlebot should never request non-existing admin pages if there are no links to that non-existing file.
You could add those urls to your robots.txt file to be extra sure
Google will actively guess page URLs from existing URLs, and sniffs them from Chrome users.
But it does observe robots.txt
Have they tried Zopfli to compress it down even further?
I just tried and it seems that I can’t get it to output a file smaller than the gzipped one
Here are my results for a 1GB file and 50 iterations:
Original Size: 1073741824, Deflate: 1055629, Compression: 99.901687% Removed
Original Size: 1073741824, Gzip: 1055647, Compression: 99.901685% Removed
zopfli -v --i50 1Go 1181,48s user 1,91s system 99% cpu 19:43,44 total
Pfft. I’m sorry but if you are going to zip bomb, you don’t have to reinvent the wheel and the level of compression here is junior varsity at best. 42zip anyone? 42 kb file that literally EXPLODES into 4.5 petabytes.
https://en.m.wikipedia.org/wiki/Zip_bomb
Not possible. Zip isn’t a recognised HTTP delivery compression. gzip is a single file stream, not an archive of a file(s), so there is no “inside” thus no extractable file to extract to extract to extract,…
Read the blog article closely and you’ll see that the author is talking about 42.zip and explaining that browsers don’t understand zip as a page content.
Also, it doesn’t literally explode. It figuratively explodes.
Actually, one definition of explode is “increase suddenly in size, number, or extent” so I believe literally explode is correct.
You realize that’s a figurative meaning, right? That’s the whole point of literal vs figurative. Having the meaning doesn’t make it literal. Literal is when the meaning in use matches the original meaning for which the word was created.
There are a lot of people grasping at straws to avoid being incorrect on this article.
I doubt it makes any difference. The kiddies just look for positive results. It is like not answering your phone if you don’t recognise the CID. After a year of doing it, you find it makes no difference in the amount of spam calls you get. We pushed that game up a notch and now let the phone ring 10 times to waste time before playing an announce only message. We get a chuckle out of it, but it makes no difference in the volume of calls. They are not looking at any stats but “hits”.
This is more like rigging your phone so that if it gets too many spam calls from that number, the next call plays a loud noise. Someone with an in depth knowledge of codecs can probably figure out the bit sequence that decodes to the loudest possible signal.
The idea is that it makes the attacker code crash out and stop probing *anyone* until the attacker notices (maybe hours or days later) and restarts it. If you’re really lucky it retries the same address range, or from just after the last logged address… and hits the boobytrap again.
If they manually launched it and didn’t use a service or daemon to relaunch on exiting/seg-fault.
Automatically relaunching doesn’t help if it just crashes out again.
I actually answer the call but put it on mute… since they never get any sound back I assume they count it as a dead line. Then I don’t have to deal with the ringing…
Try answering, pressing whatever key the bot says will transfer you to a human, then playing Mary Had a Little Lamb on the keypad until they hang up on you. They curse at you, and all you hear is beep bop boop bop beep beep beep.
I used to have a zip file like that, and used it to fill all free space on a Windows drive with zeros. Until I got around to writing a Windows application that opens a file and writes zeros until the drive is full. Filling free drive space with zeros is very helpful when making compressed images of whole drives (boot from Linux USB drive, then just cat /dev/sda, pipe through pigz, a multi-threaded version of gzip, and stream the resulting file over the network to a server using nc. A simple zcat piped to /dev/sda will write it back to the drive.)
More importantly what do we do about the ssh login attempts littering our logs?
Port knocking, or in some cases knocking harder
http://and1equals1.blogspot.ca/2015/04/port-knocking-by-knocking-harder.html
I’m guessing that somebody should make a program that imitates an SSH server, then takes a very long time to respond – and then streams a really, really long banner (like, lots of banner text, and no compression supported), oh, and no logins and passwords would get accepted, but would be carefully logged instead (as well as keys, I think). I guess I could do it some day, I used some Python SSH server-imitating code with paramiko, and I think I based my code off somebody’s fake SSH server made for exactly this purpose. I wish there were enough time to get to doing that one day, of course =)
I have a friend whose final graduation work was a mail server (or the modification of a popular mail server) that detected spammers when they connected to deliver spam (by reverse ip checks, blacklists, etc) and started a…n…s….w…e…r…i…n…g… S…l… o….w…l…l….y….
Usually after a while they stopped trying to deliver spam for his server.
Have it send the spam back, 10x.
Doing better than that, make it accept any login and password, but then ignore further input and constantly stream random data.
Actually,…. you could implement the decompression bomb in ssh as well I think. So it would end up that you have minimal resource usage on your end but high resource usage on their end.
google fail2ban. In default settings – 5 attempts and they are out for 10 minutes for that IP.
Can actually scan other logs and ban by any actions that can fit a regular expression.
iptables -m recent --syn --dport 22 -j drop + port knocking – so that you’ll always get in (can also be implemented with iptables rules using -m recent). Works extremely well. You’ll get only the first attempt and when sshd kicks them out and they can’t immediately make another connection, they usually f*ck off. For the most determined/dumb ones just run a simple perl script that harvests the security logs and adds the IPs to ipset when there are more than x attempts. Don’t forget to add the port knocking before all the rejecting rules. ;)
freman@servah ~ $ sudo ipset list ssh_perm | wc -l
10708
I have a similar list for smtp, and a temporary version for smtp (auth fails go perm, spam goes temporary – which is 6 hours)
“More importantly what do we do about the ssh login attempts littering our logs?”
Depends on what you want to achieve.
Automated abuse reports are almost certainly a waste of time and might even get you into trouble with your hosting provider. Providing *they* actually care about abuse reports :)
A few years ago I sent an abuse report to ADSL24 – manually and after much provocation – and cc’d their upstream provider Entanet.
It came as quite a shock to learn that they’d forwarded it to my isp as a malicious complaint. And when that backfired on them, rather childishly started harassing me on the thinkbroadband forums.
It wasn’t so much of a shock a few months later to learn they were hand-in-glove with the likes of Andrew Crossley.
I have a fake ssh server on port 22
http://nic.ath.cx/fakesshd.tar.gz
which lets the scanners in after a few password guesses and then logs their commands.
some captures are here
http://uglyduck.ath.cx/honeypot/
For my web server I use apache’s re_write module and serve them random garbage
when they scan for vulnerabilities. My approach is to make the served text files to
compress badly by using random characters (because apache compresses them
on the fly) so they suffer a download time penalty. They need to parse the files
too on their end and all this slows them down a lot.
Heh. Avast says
Threat Blocked
Object
http://uglyduck.ath.ck/honeypot/fakesshd.txt
Infection
BV:Xorddos-C [Trj]
OTOH,
https://www.virustotal.com/en/url/b8777434f495676df4e3cc481775d563bae8c177151e8f82f22628c3cd983eaa/analysis/1499878239/
i run ssh on a non-standard port, and put the pair of lines in my .ssh/config so i don’t have to remember it:
Host my.host.com
Port 1234
The disadvantage is when I connect from a new device I have to remember it again.
Security through obscurity won’t do any good at all against an advanced persistent threat but stops your typical “worm” sort of attack cold.
“Nobody really knows if this works on the bad guys’ servers” I thought the “bad guys” mostly used other people’s computers. So all that’s really going to happen is some poor schmuck who’s already wondering why his machine is so slow is going to get nuked.
OK, maybe some script kiddie will fall for this and get the message. Or maybe he’ll get pissed and escalate things. My experience is that the script kiddies have short attention spans. If they can’t get in right away, they get bored and move on soon without me having to do anything.
And with the real “bad guys”, I’ll probably never know that they’ve hit me until it’s way too late.
If you get infected it’s your fault that it’s being used for criminal activity. Keep your machine up to date, pay for your software, use quality AV. Pay attention to your PC performance and hire an IT Professional if it’s acting up. All stupid simple stuff that doesn’t even cover the most obvious “know how to spot a phishing attempt, etc”
So the poor schmuck can use their machine coming to a complete failure as a warning sign. At the very least we need to take them offline if they are infected to stop the spread of the disease. If you are infected you don’t go out to a public park, you stay home and get well.
Script Kiddies will lose lots of potential progress if they don’t notice for a few hours or days, and if enough people start proactively defending their equipment it will discourage business and individuals in a meaningful way. I’m going to advise my clients to use this and other similar techniques and am already implementing it on my and my friends’ equipment.
“If you get infected it’s your fault that it’s being used for criminal activity.”
Complete and utter nonsense.
Fortunately, the law takes a very different view.
I was a little worried about grandma!
It’s not just grandma. Even the best of us can get caught out.
Possibly, but that means that maybe the “poor shmuck” will actually do something about his computer being infected, once it actually affects him instead of just screwing other people.
Send him a lot of goatse.cx images. That’ll cause something to self-destruct.
Can anybody turn this into a WordPress-plugin for n00bs like me?
Sounds like a similar concept to portspoof (http://portspoof.org) in that you’re trying to turn the tables on would-be attackers.
You can also keep some sparse files around for things that will serve them out while compressing on the fly (tar, dump/restore, dd, and so on know how to deal with them correctly but most programs taking input as a stream (gzip for instance, or a webserver passing a file through zlib on its way out) don’t and will compress and send the whole shebang and so at the receiving end they get an unwieldy large file while it can be stored in one block on your actual FS.
They are also good for taking out a man in the middle attackers, if your packets are getting snooped you can mess with any protocol that allows compression to choke any system that doesn’t know which packets have harmful payloads that should be dropped without being decompressed.
Brilliant! But if the attacker changes the default user agent of the scanner, they bypass it…
I remember in ’93 I had a friend who was compressing .tar files down from 10mb to a couple of k, then would keep doing this until he had a 10 MB file again. Then wash rinse and repeat. A single file of his would decompress to around 10 GB. He would say if someone saw his file on a server, obviously, they didn’t know what they had. And if they did know what they had, they were just as evil as he was. Computers in ’93 just didn’t have the storage space to handle 10 GB, unless it was a corporate or a government server… Bruce would shut you down if you “thought” you knew what you were doing.
So someone downloads a 500 layer tarducken at 10MB, then uncompresses and untars it to a 499 layer tarducken. That’s not particularly vindictive.
Best toy ever is NC or Net Cat, Make it sit on a port of your choice then when someone tries to connect to that port start feeding an endless loop of data to them with a ZIP header.. File on their end gets bigger and bigger if they try to download it or if they are in an SSH or terminal screen they get a nice repetitive message from you.
I wonder if it would be easier to just alter the header and footer to create a monster file or cause whatever archive application is doing the decompression to just continue to fill the file with zeros.
I’d love to be able to implement things like this but I also lack the knowledge of where to even start.
Setting up a server is relatively easy but securing it takes a bit more effort.
I’d consider myself a bit more computer literate than the average joe but computers really haven’t been dumbed down enough yet for them to become an appliance that anybody can safely use.
http://swtch.com/r.zip check that out :) especially useful for servers extracting your files automatically
Gzip unfortunately can’t get higher than a 1032:1 compression ratio. There’s a 258 byte maximum passage that the huffman coding could get down to 1 bit each for distance and length. The new less-standard brotli standard can do 16MB passages so you could in theory get that 10MB file to expand to something like 64TB.
If I was making 10GB of zeroes, at least I’d call it “The Story Of 0 (uncut)”
heh.
Nice, but wrong audience I think.
Script-kiddies are like fish – and almost as intelligent in some cases – you need to use the right bait. Make it look like a ‘home movie’ (nudge, nudge. wink, wink).
Give it a ‘smartphone’ style name and stick it in a directory named “Private” or something similar.
C:\Windows\System32\ImportantFiles\Species\Human\Personal\2016-09-23 fun.avi
Tested it with Firefox (54.0.1 / 64bit) and nothing happens…Memory usage stays at ~4GB (out of 32GB)…
Meh, I don’t get web/email traffic from outside this country to my little home server so firewall blocks most Russian, Ukrainian, Chinese, African, etc. IP blocks + certain large hosters like Amazon, OVH, Hetzner, Digital Ocean, etc. + few large ISPs. I used to send abuse reports to ISPs but usually got no response. And yeah, my router ACL has about 900 deny lines but I very rarely see any crap on my logs… :D
Several years ago I saw script kiddies trying to run a Perl script via XSS: it connected to an IRC server with a random nick, joined to a certain channel, and then just idled on the channel, waiting for commands from master with a certain nick. Well, I joined to the channel with a random nick and waited. There were hundreds of servers all around the world running the script, but couldn’t report them to anyone because IPs were hidden and hostnames were partially. After few hours I saw the master getting disconnected (thanks, 3G!) and when he/she got connected back to the IRC server, his/her nick was taken… by me. I received butthurt private messages. Then he/she saw me giving a command to start UDP flooding the IRC server for one million seconds, and obviously then I got disconnected from the IRC server and couldn’t reconnect. There… no more crap on my logs.
That sort of ‘proactive’ response wouldn’t work now, modern malware is too sophisticated. It’s also against the law in both Europe and the US as well.
compression, JS loops, and memory corruption are the three possibilities for fighting back..
Once someone make a DPI firewall that would ‘attack back’ by using a vulnerability scanner on attacking IP addresses..
Such things did exist at one point and probably still do, but it’s no longer the ‘grey area’ it once was. The use of such tools is against the law in Europe, probably the US as well.
I would remedy ddos and spamming using a fast-flux DNS. Basically round-robin DNS with a lot of machines. Maybe even double-flux. But never the actual IP. Remote code execution, XSS, and SQLi I’d remedy with sandboxing and memory and request scanning from outside the sandbox.
Why not use premade resources?
https://bomb.codes anyone?
I remember a leaked Ultra compressed windows 7 iso down to 36mb, when self deflating (unknown Russian archiver) it took at least 3 hrs to remake a 3.6gb iso ????
Good job to annoy the intruders, i love it
you should use gzip -9 it is slower but gives better compression
Chromebook- 4GB Ram- didn’t seem to care. I let it get up to 6GB and I could still move windows around the screen with only a slight flickering. Linux power!