Zip Bomb and Decompression Bomb
This defensive cybersecurity guide explains what a zip bomb is, how decompression bombs work conceptually, their history, and how to detect and prevent them safely.
What is a Zip Bomb?
A zip bomb, also known as a decompression bomb or zip of death, is a harmful archive file. It overloads systems by taking advantage of how they extract compressed files.
Quick Answer
A zip bomb, also called a decompression bomb, is a compressed file designed to expand into a very large amount of data when extracted or scanned, potentially exhausting disk space, memory, CPU, or antivirus resources.
Key Characteristics
- Extreme compression ratios (42.zip is about 42 KB on disk but unpacks to roughly 4.5 PB)
- Recursive nesting (archives inside archives, so a tool that extracts recursively keeps unpacking)
- Intentional resource exhaustion (disk, RAM and CPU, or the limits of a scanner that opens every archive it sees)
- Looks ordinary until unpacked (the danger is in the decompressed output, not the bytes on disk, so the extractor or scanner itself is the target)
When a tool unpacks the archive completely, each layer reveals further archives, and each of those produces more output than the layer above it. The output grows far faster than the input, and the machine runs out of disk space or memory, slows to a crawl, or crashes.
History of Zip Bombs
Decompression bombs have existed for decades and have grown alongside the archive formats (ZIP, RAR, 7z) that make them possible. The idea is as old as compression itself: any format that reconstructs data from a compact description can be asked to reconstruct far more than the caller expected.
The best-known example is 42.zip, which circulated in the late 1990s. At about 42 KB it is tiny, but fully decompressed it expands to roughly 4.5 petabytes. At the time it was a practical joke rather than a serious threat, since storage and processing power were far too limited for anyone to finish extracting it.
As machines got faster and automated scanners began opening every archive that crossed them, decompression bombs turned into a practical denial-of-service tool.
How Does a Zip Bomb Work?
To understand the method, it helps to know how compression algorithms and archive formats work. ZIP is the most common container for these bombs, but the same ideas apply to RAR, 7z and any other format that reconstructs data from a compact description.
Compression algorithms shrink data by finding repeated patterns and replacing each repetition with a short reference back to an earlier copy. Decompression reverses the process, reconstructing the original bytes from those references. DEFLATE, the method ZIP normally uses, can describe a run of up to 258 identical bytes with a reference that costs only a couple of bits, so a long run of the same byte compresses at roughly 1000:1.
A zip bomb exploits two facts: highly redundant data compresses extremely well, and archives can contain other archives, which multiplies those ratios. Simplified, the recursive form works like this:
- The attacker builds an archive that contains several compressed archives, each of which contains several more, down through a number of layers.
- Each inner layer unpacks to more data than the layer that contains it, so an extractor that automatically opens nested archives keeps expanding.
- When the victim (or an automated scanner) unpacks the bomb, every layer multiplies the amount of output, and the total grows exponentially with the number of layers.
- Long before extraction finishes, the process has filled the disk, exhausted memory or burned the CPU, and the system becomes unstable, slows down or crashes.
Zip bombs are built to look like small, ordinary files, which lets them pass size filters and makes them tempting to open. Their danger lies entirely in what they become during decompression, hence the name decompression bomb.
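To make the two ingredients concrete, the following Python script is an added example for this page (it is not code from the original). It measures how much DEFLATE shrinks three constructed inputs and applies the nesting arithmetic to the commonly cited 42.zip layout of 16 archives per layer, 5 layers and 4.3 GB leaf files; the function names and the sample inputs are this example's own.

```python
"""Where a zip bomb's leverage comes from, measured rather than asserted.
Added example for this page, not code from the original; the inputs are
constructed here and the 42.zip geometry (16 archives per layer, 5 nested
layers, 4.3 GB leaf files) is the commonly cited layout of that file."""
import os
import random
import zlib


def compression_ratio(data: bytes, level: int = 9) -> float:
    """Input bytes divided by zlib (DEFLATE) output bytes."""
    return len(data) / len(zlib.compress(data, level))


def nested_expansion(leaf_bytes: float, copies_per_layer: int, layers: int) -> float:
    """Total uncompressed output of a recursive archive: each of `layers`
    levels holds `copies_per_layer` archives of the level below, and the
    innermost archives each unpack to `leaf_bytes`."""
    return leaf_bytes * copies_per_layer ** layers


def pseudo_text(n_words: int, seed: int = 0) -> bytes:
    """Constructed stand-in for ordinary prose: random draws from a small
    vocabulary, so there is structure but no long exact repeats."""
    vocab = [b"packet", b"header", b"buffer", b"socket", b"kernel", b"policy",
             b"signal", b"thread", b"memory", b"offset", b"record", b"module"]
    rng = random.Random(seed)
    return b" ".join(rng.choice(vocab) for _ in range(n_words))


def demo() -> dict:
    """Ratios for three constructed inputs plus the 42.zip nesting total."""
    zeros = bytes(1 << 20)            # 1 MiB of identical bytes: bomb material
    prose = pseudo_text(20_000)       # ~140 KB of varied text
    noise = os.urandom(1 << 16)       # 64 KiB of random data (e.g. already encrypted)
    return {
        "zeros": compression_ratio(zeros),   # about 1000:1
        "prose": compression_ratio(prose),   # low single digits
        "noise": compression_ratio(noise),   # about 1:1, nothing to remove
        "42zip_total_bytes": nested_expansion(4.3e9, 16, 5),  # about 4.5e15
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value:,.1f}")
```

Running it prints a ratio near 1000:1 for the run of zeros, low single digits for the pseudo-prose and about 1:1 for random bytes. That gap is why a measured expansion ratio in the hundreds is such a strong signal for the ratio checks in the detection section, while a large file that is merely incompressible is not.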
Recursive and Overlapping Archive Concepts
Zip bombs come in two broad forms. Recursive bombs nest archives inside archives and rely on the extractor (or a scanner) opening each layer in turn. Overlapping, or non-recursive, bombs need no nesting: inside a single archive, many entries in the central directory point at the same compressed data, so a flat extraction of the listed files produces far more output than the container's size suggests, and a tool that simply refuses to recurse into nested archives is no protection against them.
This page does not provide instructions for creating malicious files. The goal is to help learners understand the risk so they can detect, block, and handle suspicious archives safely.
How to Detect and Prevent Zip Bombs
- Use modern antivirus programs and email gateways that track expansion ratios and refuse archives that exceed them.
- Enforce limits on nesting depth, total extracted size, file count, per-entry ratio and decompression time, and enforce them while streaming the output: the sizes in an archive's headers are written by the attacker, so never budget on them alone.
- Scan or unpack unknown archives in an isolated, resource-limited environment (a sandbox with disk and memory quotas) instead of on production systems.
- Block or quarantine compressed files from untrusted sources, and treat a tiny archive that declares a huge output as hostile.
- Keep archive tools, scanners and operating systems updated, since the limits that protect against bombs live in those tools.
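The following Python inspector is an added example of those limits applied in code; it is not code from the original page or from any particular product. The entries in LIMITS, the helper names and the four sample archives are constructed for illustration (none of the samples is a real bomb; two are small archives that deliberately trip the deliberately small limits), and it uses only the standard library.

```python
"""Budgeted ZIP inspection: refuse an archive before writing anything to
disk if its declared or actual output exceeds caller-set limits. Added
example for this page (not from the original); limits, names and the
sample archives below are constructed for illustration."""
import io
import zipfile


class ZipBombError(Exception):
    """Raised as soon as any configured limit is exceeded."""


# Deliberately small, illustrative limits; size them for the real workload.
LIMITS = {
    "max_total_bytes": 1 << 20,  # total decompressed output across all levels
    "max_entries": 100,          # files across all levels
    "max_ratio": 50,             # declared output / compressed input, per archive
    "max_depth": 1,              # 0 = no nested archives; 1 = one level allowed
}
CHUNK = 64 * 1024


def looks_like_zip(head: bytes) -> bool:
    """Sniff the local-file-header magic; a nested archive may be named .pdf."""
    return head[:4] == b"PK\x03\x04"


def inspect_zip(data: bytes, limits=LIMITS, depth=0, state=None) -> dict:
    """Walk an in-memory archive, streaming every entry through a shared
    byte budget and recursing into nested archives up to max_depth."""
    if state is None:
        state = {"entries": 0, "extracted": 0, "max_depth": 0}
    if depth > limits["max_depth"]:
        raise ZipBombError(f"nesting depth {depth} exceeds limit {limits['max_depth']}")
    state["max_depth"] = max(state["max_depth"], depth)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ZipBombError(f"not a valid ZIP: {exc}") from exc
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # Step 1: cheap checks on the central directory. These numbers are
        # attacker-controlled, but a declared total above budget is already
        # reason enough to refuse, and the ratio catches the classic bomb.
        state["entries"] += len(infos)
        if state["entries"] > limits["max_entries"]:
            raise ZipBombError(f"more than {limits['max_entries']} entries")
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos) or 1
        if declared > limits["max_total_bytes"]:
            raise ZipBombError(f"declared output {declared} B exceeds budget")
        if declared / compressed > limits["max_ratio"]:
            raise ZipBombError(f"compression ratio {declared / compressed:.0f}:1 exceeds limit")
        # Step 2: decompress in chunks and count what actually comes out, so a
        # header that under-reports its size gains nothing. (Python's zipfile
        # happens to cap output at file_size; other extractors do not, so the
        # streamed count is the check to rely on.)
        for info in infos:
            produced, nested_parts = 0, None
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    if produced == 0 and looks_like_zip(chunk):
                        nested_parts = []  # keep bytes only for archives we recurse into
                    produced += len(chunk)
                    state["extracted"] += len(chunk)
                    if state["extracted"] > limits["max_total_bytes"]:
                        raise ZipBombError("extraction budget exhausted while streaming")
                    if nested_parts is not None:
                        nested_parts.append(chunk)
            if produced != info.file_size:
                raise ZipBombError(f"{info.filename}: declared {info.file_size} B, got {produced} B")
            if nested_parts is not None:
                # Nested bytes count once here and again when their own contents
                # are streamed; double-counting errs on the safe side.
                inspect_zip(b"".join(nested_parts), limits, depth + 1, state)
    return state


def classify(data: bytes, limits=LIMITS):
    """Convenience wrapper returning (accepted, reason_or_summary)."""
    try:
        return True, inspect_zip(data, limits)
    except ZipBombError as exc:
        return False, str(exc)


def make_zip(entries, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Build a small in-memory archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: none is a real bomb, but two of them trip the small limits.
BENIGN = make_zip([("notes.txt", b"Quarterly summary: revenue up, costs flat.\n")])
HIGH_RATIO = make_zip([("zeros.bin", bytes(512 * 1024))])          # ~1000:1 ratio
NESTED_OK = make_zip([("inner.zip", BENIGN)], zipfile.ZIP_STORED)  # depth 1, allowed
TOO_DEEP = make_zip([("mid.zip", NESTED_OK)], zipfile.ZIP_STORED)  # depth 2, refused

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("high_ratio", HIGH_RATIO),
                       ("nested_ok", NESTED_OK), ("too_deep", TOO_DEEP)]:
        print(f"{name:>11}: {classify(blob)}")
```

The order of the two steps matters: the header checks are free and reject the obvious cases, but only the streamed byte count protects against an archive whose headers lie, and only the depth counter protects against recursion. In production the same budget should cover the decompression time as well, and the inspector should run inside the sandbox described above rather than in the process that will later use the files.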
Summary
Zip bombs carry no executable code and do not spread on their own, so they are not viruses in the usual sense. They are denial-of-service payloads that can overwhelm any system that unpacks them, and that makes them a standard topic in cyber security and ethical hacking.
They are hidden troublemakers in files: harmless bytes on disk that cause trouble the moment something tries to unpack them. To stay safe, use good security software, be suspicious of small archives from senders you do not know, and open archives only from sources you trust.
When you handle archives yourself, unpack them with tools that enforce size and depth limits, keep an eye on how much output an extraction produces, and give files clear names so a stray archive is not opened by reflex. With these precautions you can protect yourself from malicious archives and similar tricks.
Sources and further reading
- OWASP File Upload Cheat Sheet — Safe file upload and archive handling guidance
- CWE-400: Uncontrolled Resource Consumption — Resource exhaustion weakness reference
- CISA - Malware Basics — General malware and file safety awareness