In this article, we will explain how to use fork bomb on Linux OS. We will also go over its different types and what you need to do to prevent one.
A fork bomb is basically a type of denial of service (DoS) attack executed against a host system in Linux to compromise its availability. Since it relies on fork, it is called a ‘fork bomb’. You may have seen the following cute-looking code quite often in Linux:
:(){ :|:& };:
This is a very simple and popular fork bomb as it doesn’t use complicated long scripts; just a few special characters are used. The above function can bring down your system by hogging all of its resources. The only solution is to reboot.
Since a fork bomb is a type of denial of service (DoS) attack, it drives central processing unit (CPU) usage to 100% by replicating itself, making the system unstable. In this article we will see what a fork bomb code is, its various forms, and how we can prevent a fork bomb from hogging your resources in Linux.
What is a fork bomb code?
As we mentioned earlier, a fork bomb is a destructive code based on forking a process an infinite number of times in Linux. It is a denial of service (DoS) attack that will make your system unavailable and eat up all your system’s resources. Before discussing the process of launching a fork bomb, let’s discuss a few basics.
Fork and exec
In UNIX, a program can run another program in two ways. It can use exec, which replaces the calling process’s program image with the new program, so the original program is gone once exec succeeds. Alternatively, it can use fork, which creates a copy of the calling process so that the original and the copy both keep running.
The fork bomb uses fork to create processes indefinitely until the system runs out of process slots or memory. The following figure illustrates the process.
Functions in bash programming
In bash programming, a function can be defined as follows:
test (){
    arg1=$1          # first positional parameter
    arg2=$2          # second positional parameter
    echo 'Testing..'
    #do other things
}
In the above code, we defined a function named test. This function assigns the first two positional parameters (the arguments passed on the command line) to variables and then just echoes ‘Testing..’.
Recursion
A function that calls itself is called a recursive function, and this process is called recursion. For instance, the following is a simple recursive code to calculate factorial:
factor() {
    local n=$1
    if [ "$n" -eq 1 ]; then
        echo 1                                # base case: 1! = 1
    else
        echo $(( n * $(factor $((n - 1))) ))  # recursive case: n * (n-1)!
    fi
}
The above function calls itself recursively until the number reaches 1. At that point it returns 1, and the returned value is passed back to the calling functions on the activation stack, each of which finishes its multiplication until the final value of the factorial is calculated.
Like the above recursive function, the fork bomb code is based on recursively calling a function and forking child processes.
The simplest fork bomb
The simplest fork bomb is defined as follows:
:(){ :|:& };:
Let’s explain this code.
- :() defines a function. The name of this function is “:” and it accepts no arguments
- {} starts and ends the body of the function
- :|: calls the function recursively: it runs one copy of “:” and pipes its output into a second copy of the same function “:”
- & runs that pipeline in the background, so the caller does not wait for it and the child processes are not terminated
- ; ends the function definition and separates it from the call that follows
- : runs the newly defined function. The chain reaction actually begins here
Other forms of fork bombs
The simplest fork bomb code above is not the only piece of code that can be used to launch a fork bomb. For instance, the following is another fork bomb code that is much easier for ordinary users to read.
forkbomb(){ forkbomb | forkbomb & }; forkbomb
Preventing fork bomb
Now that we have introduced the basics of fork bombs, we will discuss two ways of preventing them.
Setting the limit from the command prompt
You can prevent a fork bomb by limiting the maximum number of processes a user may create in Ubuntu. You can check the current limit with the following command. First, open the Terminal from the System Menu and type:
$ ulimit -u
For most Linux distributions, it should be around 10k. This value is very large. You can set it to around 5k, which should be enough for users in Linux. Type the following command to set this limit:
$ulimit -S -u 5000
The above setting applies only to the current shell session and the user running it. To apply the limit persistently to a whole group, you need to edit the file /etc/security/limits.conf. Type the following command to open the file in your favorite editor:
$sudo nano /etc/security/limits.conf
Edit the file and add the following lines:
@staff hard nproc 5000
The above line applies the limit to the staff group (the four fields are domain, type, item and value). For a specific user such as khan, use the following line instead:
khan hard nproc 5000
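As an added example (not code from the original article), the following script checks the limit you just set in the current shell and previews which limits.conf entry would apply to a given user; the sample config, the function names and the precedence rule noted in the comments are assumptions:

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: check the nproc limit
# described above. Part 1 tests the current shell's soft limit; part 2 parses
# limits.conf-style lines to show which entry would apply to a given user.

# check_nproc_limit MAX: succeed only if the current shell's soft process
# limit is a finite number no larger than MAX (fails on "unlimited").
check_nproc_limit() {
    local cur
    cur=$(ulimit -S -u)
    case "$cur" in
        ''|*[!0-9]*) return 1 ;;   # "unlimited" or anything non-numeric
    esac
    [ "$cur" -le "$1" ]
}

# Constructed sample with the same four-field syntax as
# /etc/security/limits.conf: <domain> <type> <item> <value>.
SAMPLE_LIMITS='#<domain>   <type>  <item>  <value>
*           soft    nproc   4000
@staff      hard    nproc   5000
khan        hard    nproc   3000
'

# nproc_limit USER GROUP TYPE: print the nproc limit of the given type that
# would be picked from SAMPLE_LIMITS. Precedence assumed here (matching the
# pam_limits documentation): user entry beats group entry beats "*".
nproc_limit() {
    local user=$1 group=$2 type=$3
    local domain t item value wild= grp= usr=
    while read -r domain t item value; do
        case "$domain" in ''|'#'*) continue ;; esac   # skip blanks/comments
        [ "$item" = nproc ] && [ "$t" = "$type" ] || continue
        case "$domain" in
            '*')       wild=$value ;;
            "@$group") grp=$value ;;
            "$user")   usr=$value ;;
        esac
    done <<EOF
$SAMPLE_LIMITS
EOF
    printf '%s\n' "${usr:-${grp:-${wild:-unlimited}}}"
}

# Example: the "khan" entry wins over "@staff" and "*" for the hard limit.
nproc_limit khan staff hard
```

Run `check_nproc_limit 5000` after `ulimit -S -u 5000` to confirm the session limit took effect; a non-zero exit means the limit is still unlimited or above the threshold.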
Tip: Fork bombs are not a security breach or a weakness of the Linux system. It is the responsibility of the system administrator to limit the number of processes that a user can spawn.
Final Thoughts
In this article, we have discussed what a fork bomb is and how it forks child processes until the system hangs and all of its resources are used up. We also covered the simplest fork bomb code, built from a few special characters, and the other forms of fork bomb code.
Lastly, we talked about how to prevent fork bomb codes from activating by setting limits using the command line or editing the limits.conf file.