Zip bomb
A zip bomb, also known as a decompression bomb or zip of death, is a type of denial-of-service (DoS) attack disguised as a seemingly small, legitimate archive file (such as ZIP, RAR, or 7z). When a user or system attempts to decompress the file, its highly compressed and often nested content rapidly expands into an enormous volume of data, potentially reaching terabytes or even petabytes. This exponential growth overwhelms the target system's storage, memory, CPU, or network resources, leading to crashes, hangs, or severe performance degradation.
Why Are Zip Bombs Dangerous?
Zip bombs exploit the inherent trust that users and security systems place in file compression utilities. Their danger lies in several factors:
- Stealth: The compressed file appears harmless and small, often passing initial security checks without raising suspicion.
- Resource exhaustion: Decompression consumes massive amounts of disk space, RAM, and CPU cycles, potentially rendering the entire system inoperable.
- Exposure of automated systems: Email servers, antivirus scanners, and backup systems that unpack archives automatically are particularly susceptible.
- Chain reactions: A single zip bomb can trigger failures across interconnected systems, amplifying the impact.
How Does a Zip Bomb Work?
Zip bombs exploit the efficiency of compression algorithms by using repetitive data patterns that compress extremely well. The attack typically combines:
- Recursive nesting: Multiple layers of archives are nested within each other, with each layer containing additional compressed files.
- High compression ratios: Files containing repetitive data (like zeros) achieve compression ratios of millions to one.
- Exponential expansion: Each layer multiplies the final decompressed size, creating astronomical data volumes.
A famous example is 42.zip, which is only 42 KB when compressed but expands to approximately 4.5 petabytes (PB) of data. It consists of 5 layers of nested zip files, each archive containing 16 zip files, with a 4.3 GB file at the deepest level; 16^5 (about one million) such files account for the 4.5 PB total.
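The arithmetic behind the 42.zip figures above, together with a measurement of how far a single DEFLATE layer actually gets on a run of zeros, as an added Python example (not code from the original page). The function names `nested_expansion` and `single_layer_ratio` are chosen here; the 5-layer, 16-way, 4.3 GB parameters are the page's own.

```python
from __future__ import annotations

import zlib


def nested_expansion(layers: int, fanout: int, leaf_size_bytes: float) -> tuple[int, float]:
    """Decompressed size of a tree of nested archives.

    Every archive holds `fanout` archives (or, at the deepest layer, `fanout`
    leaf files of `leaf_size_bytes` each), repeated `layers` deep.
    Returns (number of leaf files, total decompressed bytes).
    """
    leaf_count = fanout ** layers
    return leaf_count, leaf_count * leaf_size_bytes


def single_layer_ratio(size_bytes: int, level: int = 9) -> float:
    """Measured ratio DEFLATE (zlib) reaches on one run of zero bytes.

    This is the most repetitive input there is, so the result is close to
    the best one compression layer can do on its own.
    """
    compressed = zlib.compress(bytes(size_bytes), level)
    return size_bytes / len(compressed)


if __name__ == "__main__":
    # The layout described on the page: 5 layers, 16 archives per layer, 4.3 GB leaves.
    leaves, total = nested_expansion(layers=5, fanout=16, leaf_size_bytes=4.3e9)
    print(f"{leaves:,} leaf files, {total / 1e15:.2f} PB decompressed")
    # One DEFLATE layer over 4 MiB of zeros, for comparison with the nesting factor.
    print(f"single-layer ratio on zeros: {single_layer_ratio(4 * 1024 * 1024):.0f}:1")
```

Running it shows the single-layer ratio on zeros lands around a thousand to one, while the 16^5 nesting contributes a factor of about a million; the petabyte figure comes mostly from depth, which is why extraction limits need to cover nesting depth and not only per-file ratio.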
Real-World Attack Scenarios
Zip bombs have been used in various attack scenarios:
- Email server attacks: Attackers embed zip bombs in email attachments to overload mail servers that automatically scan or unpack attachments for malware, causing widespread service disruption.
- Web application attacks: Uploading zip bombs to services that process user-submitted archives can crash web servers or storage systems.
- Antivirus evasion: Some attackers use zip bombs to overwhelm security scanners, creating windows of opportunity to deliver actual malware.
When Were Zip Bombs First Discovered?
Zip bombs emerged in the early 2000s as compression technology became ubiquitous. The concept gained significant attention around 2001-2002 when security researchers began documenting their potential for abuse. The infamous 42.zip file became a widely referenced example in cybersecurity communities, demonstrating how much expansion such an attack can theoretically achieve.
Which Tools Detect Zip Bombs?
Modern security solutions have developed various countermeasures against zip bombs:
- Antivirus software: Products from vendors like Sophos, ESET, Kaspersky, and Norton include specific detection for known zip bomb signatures and suspicious compression ratios.
- Email security gateways: Enterprise solutions limit decompression depth and monitor expansion ratios during attachment scanning.
- Specialized tools: Security utilities can analyze archives before extraction, flagging files with abnormal compression characteristics.
- Resource limits: System administrators can configure decompression tools to abort operations that exceed predefined size or time thresholds.
Protection Best Practices
To protect against zip bomb attacks, organizations should:
- Configure archive extraction tools with strict size and depth limits
- Implement monitoring for unusual resource consumption during file processing
- Keep antivirus and security software updated with the latest signatures
- Train users to be cautious with unexpected archive attachments
- Use sandboxed environments for processing untrusted archives
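The detection checks listed under "Which Tools Detect Zip Bombs?" (compression-ratio and depth monitoring) and the extraction limits listed under "Protection Best Practices" (size and depth limits, aborting on threshold breach), combined into one added Python example. This is not code from the original page or from any vendor product named above; the policy constants, the entry names and the in-memory fixture archive are constructed for illustration, and only the ZIP format is handled.

```python
import io
import zipfile

# Policy limits, constructed for this example; a deployment sets its own.
MAX_RATIO = 100                      # declared uncompressed : compressed, per entry
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # declared uncompressed total across all layers
MAX_DEPTH = 2                        # archives nested deeper than this are refused
MAX_NESTED_READ = 1024 * 1024        # bytes of a nested archive we are willing to load
ARCHIVE_SUFFIXES = (".zip",)


class ExpansionLimitExceeded(Exception):
    """Raised when extraction would exceed the caller's byte budget."""


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Risk report built from central-directory metadata, without extracting payloads.

    Header sizes are controlled by whoever built the archive, so they are used
    only as grounds to reject; real extraction still goes through read_entry_limited().
    """
    report = {"declared_bytes": 0, "max_ratio": 0.0, "max_depth": depth, "flags": []}
    if depth > MAX_DEPTH:
        report["flags"].append(f"nesting depth {depth} exceeds {MAX_DEPTH}")
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report["declared_bytes"] += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            report["max_ratio"] = max(report["max_ratio"], ratio)
            if ratio > MAX_RATIO:
                report["flags"].append(f"{info.filename}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
            if not info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            # Nested archive: load a bounded number of bytes, then recurse one level deeper.
            with zf.open(info) as fh:
                inner = fh.read(MAX_NESTED_READ + 1)
            if len(inner) > MAX_NESTED_READ:
                report["flags"].append(f"{info.filename}: nested archive too large to inspect")
                continue
            try:
                sub = inspect_zip(inner, depth + 1)
            except zipfile.BadZipFile:
                report["flags"].append(f"{info.filename}: not a valid zip")
                continue
            report["declared_bytes"] += sub["declared_bytes"]
            report["max_ratio"] = max(report["max_ratio"], sub["max_ratio"])
            report["max_depth"] = max(report["max_depth"], sub["max_depth"])
            report["flags"].extend(sub["flags"])
    if depth == 0 and report["declared_bytes"] > MAX_TOTAL_BYTES:
        report["flags"].append(f"declared total {report['declared_bytes']} exceeds {MAX_TOTAL_BYTES}")
    return report


def read_entry_limited(zf: zipfile.ZipFile, info: zipfile.ZipInfo, budget: int) -> bytes:
    """Stream one entry in chunks and abort once `budget` bytes have come out,
    whatever the header declared."""
    out = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(64 * 1024):
            if len(out) + len(chunk) > budget:
                raise ExpansionLimitExceeded(f"{info.filename}: more than {budget} bytes")
            out += chunk
    return bytes(out)


def try_read_within_budget(data: bytes, name: str, budget: int) -> bool:
    """True if `name` extracts completely inside `budget`, False if extraction was aborted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            read_entry_limited(zf, zf.getinfo(name), budget)
            return True
        except ExpansionLimitExceeded:
            return False


def build_fixture() -> bytes:
    """Constructed test archive, a few KB on disk: a benign note, a 2 MiB run of
    zeros, and one nested zip holding 1 MiB of zeros. A fixture for the checks above."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner_zeros.bin", bytes(1024 * 1024))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"quarterly figures attached")
        zf.writestr("zeros.bin", bytes(2 * 1024 * 1024))
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    archive = build_fixture()
    report = inspect_zip(archive)
    print(f"{len(archive)} bytes on disk, {report['declared_bytes']} declared, "
          f"max ratio {report['max_ratio']:.0f}:1, depth {report['max_depth']}")
    for flag in report["flags"]:
        print("  flag:", flag)
    print("readme within 1 KiB budget:", try_read_within_budget(archive, "readme.txt", 1024))
    print("zeros.bin within 1 MiB budget:", try_read_within_budget(archive, "zeros.bin", 1024 * 1024))
```

The two functions split the work the way the lists above do: `inspect_zip` is the pre-extraction scan that flags abnormal ratios, excessive depth and an oversized declared total, and `read_entry_limited` is the abort-on-threshold control at extraction time, counting bytes as they are produced rather than trusting the header. Both fixture entries full of zeros trip the ratio check, the nested archive is walked one level down, and the 2 MiB entry is cut off by a 1 MiB budget. Other formats named on the page (RAR, 7z) need the same two controls applied through their own libraries.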