DDoS Attacks – XML Bomb, Zip Bomb and E-Mail Bomb

One thing which I love about Computer Science is the silly colloquial names given to various attacks produced by hackers and “script kiddies”. The Security field is filled with these great names, and three of these names will be mentioned in this single post.

DDoS (Distributed Denial of Service) Attacks are probably one of the most common, yet effective attack methods which are used by hackers to gain access to information or control of a server.

A DDoS Attack mostly has one purpose: to stop users having access to a service. DDoS Attacks can be carried through various means, but there is three quite fun methods which I want to discuss; XML Bombs, Zip Bombs and E-Mail Bombs.

XML Bombs:

The XML Bomb is a simple and very effective DDoS Attack method. It is aimed to overcome servers and users’ computers by overwhelming the computing resources of a .XML parser.

The XML Bomb takes advantage of the entity feature available within the .XML document code. An entity allows every instance string variable to be replaced with a certain desired string which tends to appear very often such as a company name with employee details (see later example from Microsoft). This string will be nested within several other entities; exponentially increasing the number of strings to be parsed.

XML Microsoft Code

XML Code Sample from Microsoft

The above code sample is an example of a normal .XML document. However, the most common malicious code sample consists of a copious amount of the online chat rooms most favored acronym: the “lol” string.

XML Bomb Code - Wikipedia

XML Bomb Code – Wikipedia

Each entity contains nested within it, the next entity repeated ten times, which then contains the other entity ten times and so forth. This small segment of legal XML code will devastate an XML parser. The above variation takes an exponential amount of space (complexity class).

Although, there is another variation of the XML Bomb called the Quadratic Blowup, and this sample of code when run will take quadratic amount of space.

The Quadratic Blowup technique creates one very long entity, which is then nested to some arbitrarily large number. This causes a huge amount of memory to be consumed, thus causing serious resource problems.

Microsoft XML Code Sample - Quadratic Blowup

Microsoft XML Code Sample – Quadratic Blowup

There is one final variation of the XML Bomb, and that is using External Entities. This method uses URLs instead of strings, therefore when the entity is encountered within the code, a request will be sent to that particular server, although, typically this server will not respond for a infinite amount of the time. The HTTP request handler will enter a infinite wait loop.

Microsoft Code Sample

Microsoft Code Sample

Zip Bombs:

The Zip Bomb, as the name suggests, is the result of a malicious zip file which will unpack itself recursively forever. The most famous example is the 42.zip, which is only 42KB, but when unpacked will expand to an unbelievable size.

The file can still be found freely available on the Internet, this is supposedly a link to the said file – Multiple Vendor File Scanner Malicious Archive DoS Vulnerability

I haven’t downloaded and unpacked the file myself (for obvious reasons), but I would advise caution if you really wish to unpack the file. I will not take any accountability if you do choose to download the file.

There is not much to say about this method of DDoS, since there isn’t much to it at all.

E-Mail Bombs:

E-Mail Bombs primary purpose is to overcome e-mail services and servers by simply filling the user’s inbox with junk mail. The Zip Bomb technique makes an appearance too, since .EXE and .ZIP files have begun to be sent via e-mails, companies such as Microsoft would begin to scan these files and alert the user if they contained malicious content. Unfortunately, script kiddies and obnoxious office colleagues would drop Zip Bombs within their email attachments, thus releasing the mentioned problems of an exploding Zip Bomb occurring within the victims inbox.

Mass Spam and List Linking are two other common techniques used with E-Mail Bombs, and both share common characteristics. The Mass Spam method is something which everyone has experienced, but imagine a botnet being created which would send billions of spam mail to your inbox? This is mass spam. A simple script can be created to send mass spam to a particular set of addresses.

Alternatively, you can simply forward the same e-mail to the same address through copy and pasting. Most e-mail clients will detect this, and only send one e-mail.

2014-11-07 15_13_42-E-Mail BombOn the other hand, the List Linking method is quite similar, the List Linking technique uses the victim’s e-mail address to subscribe to a vast number of e-mail subscriptions without the acknowledgment of the victim. The victim is then bombarded with a spew of junk subscriptions such as penis enlargement pills and other obscene nonsense.


XML Denial of Service Attacks and Defenses

algorithm – How does one make a Zip bomb? (Stack Overflow)




About 0x14c

I'm currently a Software Developer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Computer Science, System Security and tagged , , , , . Bookmark the permalink.

3 Responses to DDoS Attacks – XML Bomb, Zip Bomb and E-Mail Bomb

  1. I’m still learning from you, as I’m making my way to the top as well.
    I definitely liked reading all that is written on your blog.Keep the posts coming.
    I loved it!


  2. Hi mate, i too am a computer science student. Seeing your blog posts, i got an inspiration. Do check out mine 😀


  3. noob says:

    Same dude i am student computer too


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s