Tarbombs: System Override Risk & Prevention

TL;DR

A tarbomb is a malicious archive that can extract an enormous number of files, potentially filling up your disk space and causing denial-of-service. While it won’t directly override vital system parts in the way malware does, it can make your system unusable and create opportunities for other attacks. This guide explains how tarbombs work, how to detect them, and how to prevent them from harming your systems.

What is a Tarbomb?

A tarbomb (also known as a zip bomb when using ZIP archives) is an archive file designed to expand into a very large size when extracted. It contains many small files, often with identical names, that quickly consume disk space.

How Does a Tarbomb Work?

Tarbombs exploit the compression used by archive formats such as compressed tar (tar.gz) and zip. They are built from highly compressible data (often long runs of repeated bytes or strings), so a small archive file expands to many times its size when decompressed. A seemingly harmless 10KB tarball could expand into gigabytes of files.

Can a Tarbomb Override My System?

No, not directly. A tarbomb doesn’t contain executable code to modify or replace system files like viruses or rootkits do. However, it can cause serious problems that lead to compromise:

  • Disk Space Exhaustion: Filling the disk prevents legitimate applications from writing data, which can make them fail or crash the system.
  • Denial of Service (DoS): A crashed or unusable system amounts to a denial of service.
  • Exploiting Weaknesses: While the disk is filling, software that does not handle write failures correctly (for example filesystem handling or logging mechanisms) may misbehave and expose further vulnerabilities.

How to Detect Tarbombs

  1. Archive Size vs. Expected Content: Be suspicious of archives that are unusually small for their claimed content. For example, a tarball claiming to contain a large software project but only being a few kilobytes in size is a red flag.
  2. File Count Before Extraction: Use the tar command with the --list option (-t, or similar tools for other archive formats) to see how many entries are inside *before* extracting them. A very large number of files should raise suspicion.
    tar --list -f suspicious_archive.tar | wc -l   # -tf works the same way
  3. Extraction Size Estimation: Some tools can estimate the extraction size without actually extracting the archive. A simpler approach is to extract into the isolated directory from step 4 and measure it with du -sh, stopping as soon as it grows unexpectedly.
    mkdir -p /tmp/testdir
    tar -xvf suspicious_archive.tar --directory=/tmp/testdir  # Extract to a safe directory
    du -sh /tmp/testdir
  4. Partial Extraction: Extract the archive to a temporary, isolated directory with limited disk space. Monitor disk usage during extraction.
    mkdir -p /tmp/testdir
    tar -xvf suspicious_archive.tar --directory=/tmp/testdir
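Steps 2 and 3 can be combined into one pre-extraction policy check that reads only the archive's member headers, so the check itself never writes anything to disk. The following is an added example written for this article (not code from the original post); the thresholds are assumed values to tune per environment, and the sample archive it builds is constructed inline.

```python
import io
import tarfile

# Policy thresholds: assumed values for this example, tune them per environment.
MAX_MEMBERS = 10_000
MAX_TOTAL_BYTES = 512 * 1024 * 1024      # 512 MiB of declared content
MAX_RATIO = 100.0                        # declared bytes / archive bytes


def inspect_archive(data: bytes) -> dict:
    """Read only the member headers and total what they declare.

    Iterating a TarFile skips over each member's body in the stream; nothing
    is written to disk, so the check itself cannot fill the filesystem.
    """
    members, total = 0, 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            members += 1
            total += m.size          # taken from the header, not from inflating
    ratio = total / len(data)
    safe = members <= MAX_MEMBERS and total <= MAX_TOTAL_BYTES and ratio <= MAX_RATIO
    return {"members": members, "declared_bytes": total,
            "ratio": round(ratio, 1), "safe": safe}


def make_sample_archive(files: int, size_each: int) -> bytes:
    """Constructed sample: `files` identical zero-filled members, gzip-compressed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for i in range(files):
            info = tarfile.TarInfo(name=f"payload/{i}.bin")
            info.size = size_each
            tf.addfile(info, io.BytesIO(b"\0" * size_each))
    return buf.getvalue()


if __name__ == "__main__":
    # A 20,000-member, ~80 MB archive that gzips down to a few hundred KiB:
    # both the member count and the ratio trip the policy.
    print(inspect_archive(make_sample_archive(20_000, 4096)))  # "safe": False
```

Run the check on the downloaded file before any extraction step; an archive that fails it should be handled in an isolated directory (step 4) or discarded.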

How to Prevent Tarbomb Attacks

  1. Be Careful with Downloads: Only download archives from trusted sources. Verify the source’s authenticity before downloading anything.
  2. Scan Archives Before Extraction: Use an antivirus or malware scanner on any archive file before extracting it.
  3. Limit Archive Extraction Size: Implement limits on the maximum size of extracted files and directories. This can be done using tools like ionice, resource limits in your operating system (e.g., ulimit -f), or custom scripts.
    # Example using ulimit (Linux/macOS)
    ulimit -f 1024 # Cap any single file at 1024 blocks of 1 KiB (1 MiB); it does not cap the total across many small files
    tar -xvf suspicious_archive.tar
  4. Use Sandboxing: Extract archives in a sandboxed environment (e.g., using Docker or virtual machines) to isolate the potential damage.
  5. Filesystem Quotas: Implement filesystem quotas to limit the amount of disk space users can consume, preventing tarbombs from filling up entire partitions.

What to Do If You Suspect a Tarbomb

  1. Stop Extraction Immediately: If you notice excessive disk usage during extraction, immediately stop the process (e.g., using Ctrl+C).
  2. Isolate the System: Disconnect the affected system from the network to prevent further damage or spread of potential attacks.
  3. Clean Up Disk Space: Free up disk space by deleting unnecessary files and directories.
  4. Investigate the Source: Determine where the tarbomb came from and take steps to prevent similar incidents in the future.