What Is a Fork Bomb Attack? How To Prevent It in Linux?

What is a fork bomb attack?

A fork bomb is a form of denial-of-service attack in which a single process uses the fork functionality to recursively create running copies of itself. The attack works by creating a very large number of processes very quickly in order to saturate the OS's process table. Once the process table is saturated, no new program can start until another process terminates. The fork bomb processes also consume processor time and memory, so legitimate processes can no longer run properly. A fork bomb can be written in the bash shell, C++, Perl, Python, etc.

Example of a fork bomb.

In this article we look at a bash fork bomb and how it works. The following is a well-known example of a fork bomb.

:(){ :|:& };:

Let's take the above 13 characters apart to see how they work as a fork bomb.

:() => This defines the function. ":" is the function name and the empty parentheses show that it does not accept any arguments.

{ } => These characters show the beginning and end of the function definition.

:|: => This runs a copy of the function ':' and pipes its output to another copy of ':', which also has to be loaded into memory.

& => This puts the pipeline in the background, so the function returns immediately and the child processes do not get killed even when the parent is.

: => The final ":" calls the function for the first time, and hence the chain reaction begins.

Executing the above command makes the system unresponsive very quickly. Stopping a fork bomb requires killing every running copy of it, so you may need to reboot the system to get rid of all the fork bomb processes. Be very careful with the above command. In most cases a reboot is the only way to get rid of a fork bomb once it has started.

Preventing a fork bomb attack.

As stated above, a fork bomb works by having a non-root process recursively create processes. So we can prevent a fork bomb from taking over the system by limiting the number of processes a user may create. This can be done in two ways.

• Using ulimit to set a process limit – temporary solution.

To view all system resource limits that apply to your shell, run:

ulimit -a

To view only the maximum number of processes allowed, run:

ulimit -u

You can limit the number of processes to 150 by running the following command:

ulimit -u 150

This is a temporary arrangement to prevent a fork bomb: it applies only to the current shell session. Once you log out, the process limit is reset at your next login.

• Using /etc/security/limits.conf – Permanent method.

You can set a permanent limit on the maximum number of processes a user may create by editing the file /etc/security/limits.conf as follows.

test soft nproc 100
test hard nproc 200

The above setting sets the soft limit for the number of processes that can be created by the user "test" to 100 and the hard limit to 200. That is, the user will be able to run 100 processes, and any further fork will fail. The hard limit of 200 means the user can raise the soft limit with the 'ulimit' command up to 200, but cannot go beyond this hard limit. These limits are applied by pam_limits at login, so they take effect for new sessions rather than for shells that are already open.

This prevents a fork bomb from abusing the system resources and crashing the machine.
Also, there is a kernel-level patch called grsecurity which enables logging of which user has started a fork bomb.

Bobbin Zachariah 6:35 pm
