How I Stopped Bot Floods with a Tiny Zip Bomb on a $6 Server
A $6 DigitalOcean server that has handled millions of requests survived a Hacker News surge. The author visualized the traffic, distinguished bots from real users, and served tiny gzip‑compressed zip bombs that exhaust malicious crawlers' memory, demonstrating low‑cost operations and security tactics for resilient web services.
After the blog launched, one post went viral on Hacker News and Reddit, causing a traffic tsunami that nearly crashed the small Apache server. The author saved the server logs and built a visualization that shows each web request as a moving circle, distinguishing bot from real-user agents and response types such as 200 OK, redirects, 404 Not Found, and zip bombs served.
Server Specs
Host: DigitalOcean (1 GB RAM)
Web Server: Apache 2
Environment: Ubuntu + PHP
Database: MySQL
Cost: $6/month
The blog runs on a custom PHP framework with most pages cached in memcached, limiting database queries to once per hour. Despite the lightweight setup, the server handled millions of requests, including a post that topped Hacker News.
Traffic Timeline
4:43 PM PST – Post submitted to Hacker News.
4:53 PM – Flood of bots hit the homepage.
5:17 PM – Hacker News rank #1, traffic surged.
8:00 PM – Moderators renamed the entry, traffic dropped.
3:56 AM – Bot scanned 300 URLs for vulnerabilities.
9:00 AM – Traffic spiked again from Mastodon.
9:32 AM – Spam attack: ~4,000 requests in one minute.
4:00 PM – 46,000 requests processed in 24 hours.
Even with 46,000 requests, CPU never exceeded 16% thanks to efficient caching.
Zip Bomb Defense
Most internet traffic comes from bots, some benign (RSS readers, search engine crawlers) and some malicious (spam, vulnerability scanners). To mitigate harmful bots, the author uses zip bombs—small gzip files that expand to gigabytes when decompressed, exhausting the bot’s memory.
Example of a zip bomb creation command:
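dd if=/dev/zero bs=1G count=10 | gzip -c > 10GB.gz
Explanation:
dd: copy/convert data.
if=/dev/zero: input stream of zero bytes.
bs=1G: block size of 1 GB.
count=10: copy 10 blocks, generating 10 GB of zeros.
gzip -c > 10GB.gz: compress the stream to standard output and redirect it into the file 10GB.gz.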
The resulting file compresses to about 10 MB but expands to 10 GB when extracted, enough to crash most bots.
PHP middleware detects malicious requests (e.g., known bad user‑agents or WordPress‑specific paths) and serves the zip bomb:
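<?php
// Serve the pre-built gzip file as if it were a normal compressed response.
// The file name must match the one produced by the dd | gzip command above.
header("Content-Encoding: gzip");
header("Content-Length: " . filesize('10GB.gz'));
// Discard any buffered output so only the gzip bytes are sent.
if (ob_get_level()) ob_end_clean();
readfile('10GB.gz');
exit;
?>
This approach acts as a lightweight shield against content‑scraping bots without needing expensive infrastructure.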
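The detection step the middleware relies on, run offline over access-log lines as an added example (not code from the original post or the author's framework): it flags a request by WordPress-specific path or by user-agent substring, the two signals named above. The marker lists, function names and log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed marker lists: the post names the two signal types, not the values.
BAD_UA_MARKERS = ("sqlmap", "nikto", "masscan")
# The blog runs a custom PHP framework, so a WordPress path is never legitimate.
WP_PATH_MARKERS = ("/wp-login.php", "/wp-admin", "/wp-content/", "/xmlrpc.php")

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (ip, verdict) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Normalise before matching: drop the query string, decode %xx, collapse "//".
    path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0])).lower()
    ua = m["ua"].lower()
    if any(marker in path for marker in WP_PATH_MARKERS):
        return m["ip"], "wordpress-probe"
    if any(marker in ua for marker in BAD_UA_MARKERS):
        return m["ip"], "bad-user-agent"
    return m["ip"], "ok"

def flagged_clients(lines):
    """Count non-ok requests per client IP; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result is not None and result[1] != "ok":
            hits[result[0]] += 1
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:03:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:03:56:02 +0000] "GET //wp-admin/setup-config.php?step=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2025:09:32:10 +0000] "GET /blog/post HTTP/1.1" 200 5120 "-" "sqlmap/1.7"',
    '192.0.2.10 - - [01/Jan/2025:17:17:00 +0000] "GET /blog/post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    "not an access-log line",
]

if __name__ == "__main__":
    print(flagged_clients(SAMPLE))
```

Matching on the normalised path matters because a doubled slash or a percent-encoded character would otherwise slip past a plain string comparison.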
Lessons Learned
Hacker News moderators can change your article title without notice.
Most traffic originates from bots, not humans.
Apache thread limits matter; the author observed a max of 75 threads.
Optimized, low‑cost configurations with caching can handle tens of thousands of requests without Kubernetes.
Author: 行动中的大雄
References:
https://idiallo.com/blog/pc-is-not-dead-no-need-for-new-ones
https://github.com/ibudiallo/reqvis
