What is a ZIP bomb (archive bomb)?
A ZIP bomb, which is also known as an archive bomb, decompression bomb, or “Zip of Death”, is a manipulated archive that generates a disproportionate amount of data when extracted. The file itself is small and unassuming. However, its contents are designed to overload the memory, CPU, and hard drive of the processing system until they reach their limits.
The basic principle exploits a legitimate feature of the ZIP format: data with high redundancy such as files consisting exclusively of identical characters can be highly compressed. What appears to be 42 kilobytes can release 4.5 petabytes of data after extraction.
Why are ZIP bombs dangerous?
The real danger lies not only in resource exhaustion, but in what happens afterward. Archive bombs are often used as a diversionary tactic: while the security system is busy extracting the files, other malicious code sneaks into the network unnoticed.
Possible consequences of an attack include memory and CPU exhaustion, leading to a complete system crash or shutdown; the neutralization of virus scanners through crashes or freezes; targeted denial-of-service attacks on mail servers and gateways; as well as data loss and operational disruptions when systems crash and running processes suddenly stop.
What types of ZIP bombs are there?
Not all ZIP bombs are the same. There are three different variants, each with a distinct structure and requiring different protective measures.
Particularly insidious is the fact that many archive bombs use a single compressed data core (kernel) that is referenced multiple times. This kernel (a single, compressed data block, e.g., gigabytes of zero bytes) is stored only once in the archive, but listed hundreds or thousands of times as a separate “file” in the archive’s directory.
The archive is then tiny, since the kernel exists only once. During extraction, each of these referenced “files” is extracted individually and written to the storage medium hundreds or thousands of times as a complete file. Since the content is identical, it takes up hardly any space in the archive, but during extraction, it multiplies explosively.
How can I spot ZIP bombs?
It’s difficult to reliably identify a ZIP bomb just by looking at it, but there are warning signs that both security solutions and experienced administrators can detect.
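An added example, not NoSpamProxy code, of what such a pre-extraction check can look like: it reads only the central directory of an archive (nothing is extracted) and flags a declared output size or overall compression ratio above an assumed threshold, several directory entries that share one stored data block (the multiply-referenced kernel from the previous section), and nested archives. The thresholds and the two sample archives are constructed for this example.

```python
import io
import os
import zipfile
from collections import Counter

# Thresholds are assumptions for this example; tune them to your environment.
MAX_DECLARED_BYTES = 50 * 1024 * 1024   # total uncompressed size the directory claims
MAX_RATIO = 200.0                       # uncompressed : compressed, summed over all entries


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory and report warning signs; never extracts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    stored = sum(i.compress_size for i in infos)
    ratio = declared / stored if stored else 0.0
    # Several directory entries pointing at the same local header offset means one
    # stored data block (the "kernel") is listed as many separate files.
    per_offset = Counter(i.header_offset for i in infos)
    shared_refs = sum(n - 1 for n in per_offset.values() if n > 1)
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    reasons = []
    if declared > MAX_DECLARED_BYTES:
        reasons.append(f"declared output {declared} bytes exceeds {MAX_DECLARED_BYTES}")
    if ratio > MAX_RATIO:
        reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    if shared_refs:
        reasons.append(f"{shared_refs} entries reference an already-listed data block")
    if nested:
        reasons.append(f"nested archives: {nested}")
    return {"entries": len(infos), "declared_bytes": declared, "ratio": ratio,
            "shared_kernel_refs": shared_refs, "nested": nested, "reasons": reasons}


def build_sample(name: str, payload: bytes) -> bytes:
    """Constructed test input: an ordinary single-entry deflate archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> tuple:
    # 8 MiB of zero bytes deflates to a few kilobytes, so the ratio check fires;
    # random bytes do not compress, so the second archive shows no warning signs.
    suspicious = inspect_zip(build_sample("zeros.bin", b"\0" * (8 * 1024 * 1024)))
    benign = inspect_zip(build_sample("random.bin", os.urandom(64 * 1024)))
    return suspicious, benign


if __name__ == "__main__":
    for report in demo():
        print(report)
```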
Can NoSpamProxy protect against ZIP bombs?
NoSpamProxy relies on multiple, interlocking mechanisms that block ZIP bombs at various levels.
The content filter checks email attachments for file type, filename, and archive contents—even within ZIP archives. Malicious or prohibited content is detected, and the email is rejected before the attachment is delivered.
Deeply nested ZIP archives and password-protected files can be completely removed, or the entire email can be rejected. Additionally, the file type “Encrypted ZIP File” is available in the content filter, allowing this file type to be detected in attachments so that these emails can be rejected.
The cloud-based 32Guards service supplements the content filter with behavior-based analysis: Unknown or suspicious attachments are opened and monitored in the 32Guards sandbox in an isolated environment. If a file behaves suspiciously during extraction—for example, because it consumes a disproportionate amount of memory—it is classified as suspicious and blocked. This is particularly relevant for new variants of archive bombs that do not yet have a known signature.
At an earlier stage, the email authentication methods SPF, DKIM, and DMARC come into play. Among other things, they ensure that an email actually originates from the specified sender. This allows forged sender addresses to be detected before the attachment is even checked.
The DMARC Report Analyzer 25Reports helps administrators correctly evaluate DMARC reports, present them in graphical form, and optimize their own DMARC configuration. This allows administrators to ensure that their company’s identity is not misused to send ZIP bombs.
Conclusion
ZIP bombs are not a new threat, but they remain a concern because new variants are designed to bypass existing security measures. They are particularly dangerous when used as a diversionary tactic: while security systems are busy extracting files, they leave the door open for additional malicious code. Effective protection requires multiple layers. With NoSpamProxy, you are fully protected.
Optimal Protection with Email Firewall and DMARC Monitoring & Alerting – Free Trial Available Now
Reliably protect your email infrastructure against threats such as ZIP bombs and other sophisticated attacks. With NoSpamProxy, you can rely on a powerful, multi-layered security solution “made in Germany” that effectively reduces the load on your systems and stops attacks early on. Try NoSpamProxy for free now and see for yourself how it delivers maximum email security. In addition, the DMARC Report Analyzer NoSpamProxy 25Reports helps you transparently analyze your DMARC setup and optimally protect your domain against abuse.