|
|
|
|
|
|
by happymellon
597 days ago
|
|
|
Unless I misunderstood, there was a gzip transfer encoded gzip. The transfer-encoding means that the proxy has to decompress a 200kb request into a 2Gb response to the client, and the client will receive a 2Gb file that will expand to 20Gb. Small VM gets knocked offline and the proxy gets grumpy with the client for large file transfers. |
|
|
Yes, correct. A gzip bomb inside a gzip bomb that contains only null bytes, because it's much larger on the client side when unpacked.
A "normal" gzip bomb that would only leverage "Content-Encoding: gzip" or only "Transfer-Encoding: gzip" isn't really good as for compression ratio, because the sent file is in the megabytes range (I think it was around 4MBish when I tried with gzip -9?). I don't wanna send megabytes in response to clients, because that would be a potential DoS.
edit: also note the sibling comment here: https://news.ycombinator.com/item?id=41923635#41936586