A fork bomb is a type of denial-of-service attack that can be executed on a computer system. It is a malicious program or script that creates a large number of processes, overwhelming the system and causing it to slow down or crash. The fork bomb works by creating a large number of child processes, which in turn create more child processes, leading to an exponential growth in the number of processes.
The code for a fork bomb is often written in bash and executed in the command line. Once activated, a fork bomb may not be possible to stop without rebooting the system, as it can quickly consume all system resources.
System administrators can use fork bombs to test the process limitations of user accounts on their systems. However, it is important to understand the potential harm that fork bombs can cause, as they can crash a system if executed improperly.
To prevent a fork bomb attack, it is recommended to limit the number of processes a user can create on the system. This can be done by editing the /etc/security/limits.conf file on a Linux system and setting specific limits for individual users or groups. This will restrict the number of processes a user can initiate, preventing a fork bomb from overwhelming the system.
WARNING! These examples may crash your computer if executed.
Understanding fork bomb code in Linux/UNIX
:(){ :|:& };:
————————————–
:() # define ‘:’ — whenever we say ‘:’, do this:
{ # beginning of what to do when we say ‘:’
: # load another copy of the ‘:’ function into memory…
| # …and pipe its output to…
: # …another copy of ‘:’ function, which has to be loaded into memory
# (therefore, ‘:|:’ simply gets two copies of ‘:’ loaded whenever ‘:’ is called)
& # disown the functions — if the first ‘:’ is killed,
# all of the functions that it has started should NOT be auto-killed
} # end of what to do when we say ‘:’
; # Having defined ‘:’, we should now…
: # …call ‘:’, initiating a chain-reaction: each ‘:’ will start two more.
————————————-
A properly configured Linux/UNIX box will not go down when a fork() bomb is set off.
Given that ‘:’ is an arbitrary name for the function, an easier to understand version would be:
forkbomb(){ forkbomb|forkbomb & } ; forkbomb
A fork bomb using the Microsoft Windows batch language:
————————————–
%0|%0
————————————–
In DOS:
This will spawn multiple command lines, sending the computer into a complete loop. Any attempt to stop it will cause the computer to make a non-stop beeping sound.
————————————–
command:command
————————————–
In Perl:
————————————–
fork while fork
————————————–
In Ruby:
————————————–
fork while fork
————————————–
In Python:
————————————–
import os
while True:
    os.fork()
————————————–
In C or C++:
————————————–
#include <unistd.h>
int main(void)
{
    for(;;)
        fork();
    return 0;
}
————————————–
In PHP:
————————————–
while(pcntl_fork()|1);
————————————–
In Java:
————————————–
public class ForkBomb
{
    public static void main(String[] args) throws java.io.IOException {
        while(true) {
            Runtime.getRuntime().exec(new String[]{"java", "-cp", System.getProperty("java.class.path"), "ForkBomb"});
        }
    }
}
————————————–
How can you protect/prevent your Linux box from getting attacked by a fork bomb:
Limiting user processes is important for running a stable system. To limit user processes, add an entry for a user name, a group, or all users to the /etc/security/limits.conf file and impose process limits.
Understanding /etc/security/limits.conf file
Each line describes a limit for a user in the form:
<domain> <type> <item> <value>
Where:
* <domain> can be:
-user name
-group name, with @group syntax
-wildcard *, for default entry
-wildcard %, can be also used with %group syntax, for maxlogin limit
* <type> can have the two values:
– “soft” means setting the soft limits
– “hard” means setting hard limits
* <item> can be one of the following:
– core – limits the core file size (kb)
– data – max data size
– fsize – maximum filesize
– memlock – max locked-in-memory address space (kb)
– stack – max stack size
– nofile – max number of open files
– rss – max resident set size
– maxlogins – max number of logins for this user
– cpu – max CPU time (min)
– nproc – max number of processes
– locks – max number of file locks the user can hold
– as – address space limit
– rtprio – max realtime priority
– maxsyslogins – max number of logins on the system
– priority – the priority to run user process with
– sigpending – max number of pending signals
– msgqueue – max memory used (bytes)
– nice – max nice priority allowed to raise to
– chroot – change root to directory
* <value> is the limit to apply to that item
Log in as root and open the configuration file:
# vi /etc/security/limits.conf
The following example will prevent a “fork bomb”:
arun hard nproc 300
@staff hard nproc 50
@manager soft nproc 100
@pusers hard nproc 200
Here, the entries above prevent anyone in the staff group from having more than 50 processes; the limits for the manager and pusers groups are set to 100 and 200 respectively. The user arun can create at most 300 processes.
Now, save and close the file.
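An added example (not part of the original article): a static check of the nproc entries that flags any domain left with only a soft limit, which a user can raise up to the hard limit with ulimit, or with an unlimited hard limit. The function names and the sample input are constructed for illustration; the sample repeats the four entries above.

```shell
#!/usr/bin/env bash
# Added example: static audit of nproc entries in limits.conf-format text.

# Constructed sample input: the four entries used in this article.
sample_limits() {
    cat <<'EOF'
# <domain> <type> <item> <value>
arun     hard nproc 300
@staff   hard nproc 50
@manager soft nproc 100
@pusers  hard nproc 200
EOF
}

# audit_nproc [FILE...]  (reads stdin when no file is given)
# Prints "<domain> soft=<v> hard=<v> <verdict>" for every domain with an nproc entry.
audit_nproc() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        NF >= 4 && $3 == "nproc" {
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
            # type "-" sets the soft and the hard limit together
            if ($2 == "soft" || $2 == "-") soft[$1] = $4
            if ($2 == "hard" || $2 == "-") hard[$1] = $4
        }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                s = (d in soft) ? soft[d] : "-"
                h = (d in hard) ? hard[d] : "-"
                if (h == "-")
                    verdict = "WARN:no-hard-limit"
                else if (h == "unlimited" || h == "infinity" || h == "-1")
                    verdict = "WARN:unlimited"
                else
                    verdict = "OK"
                print d, "soft=" s, "hard=" h, verdict
            }
        }
    ' "$@"
}

sample_limits | audit_nproc
```

Run it against the real file with `audit_nproc /etc/security/limits.conf`. The limits are applied by pam_limits when a session starts, so log in again and compare `ulimit -Su` and `ulimit -Hu` in bash with the configured values before any live test.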
Test your newly configured PC by dropping a fork bomb:
$ :(){ :|:& };: