What Is Fork Bomb And How Can You Prevent This Danger?

forkbomb-bg

If you are not thrilled with the real bomb, you can try typing this  :(){ :|:& };:  on your Linux terminal to crash your computer. you do not need to be the root user to do that. That string is known as the Fork bomb. Before you get to know how that works, it would be better to know what a fork bomb does exactly.

WHAT IS A FORK BOMB?

Fork_bomb

The name sounds Fork bomb does not throw dining forks at you, when you executing the strings in terminal. In terms of nixology (Linux & Unix) the word fork means, to create a new process.Similarly, when you create a new process using ‘fork’ (actually a function that can be called on Linux/Unix-like machines), the new process is created from the image of the original one and is basically a inherited copy of the parent process.
A fork bomb will calls the fork function indefinitely and rapidly in no time, thus exhausting all system resources. It comes in the category of Denial of Service attack due to its nature of quickly ripping up system resources and making it unusable within a very short span of time.

All these special characters stands with their unique functionality in *nix operating system. Fork bomb actually associated with the concept of recursion in bash script by using functions in it.

Syntax of function in bash,

<em>function_name()</em>

{
Commands
}

HOW FORK BOMB WORKS?

In this case ‘:’ colon is the function name then followed by ‘()’ parentheses and curly brace ‘{‘ to open a function, then the definition of ‘:|:&’ tells the bash  to launch the ‘:’ function and ‘|’ pipe its output to the same function ‘:’ and send the process to the background defined by ‘&’, so that it can’t be killed by hitting “Ctrl + C”. Then the close curly brace ‘}’ followed by ‘:;’ which points the function again to keep the process recursive.

To launch the bomb, all you need to do is just to copy or type   :(){ :|:& };:   this code in Terminal and hit Enter. Your session will get slow down to hell in matter of seconds and you will be left with no option but to go with warm reset. The actual time in which your system will succumb to paralysis depends on the speed of your processor, number of processing cores available and the amount of RAM installed. Even though the size of swap partition is also a factor, if it starts getting used by the bomb, the system would typically take long enough to respond for you.

Before we proceed further let me make sure that Fork bomb is not a property of Linux, the technique of creating new processes does work on Windows as well and also the same problem can be raised in other system programming languages such as C or C++, for your instance  compile the following code and execute it, you will come to know that.

<em>FORK BOMB IN C</em>
<em>#include</em>
<em>int main(void) {</em>
<em>    for(;;)</em>
<em>    fork();</em>
<em>    return 0;</em>
<em>}</em>

HOW TO PROTECT FROM FORK BOMB?

Fork bombs hang the system by creating a ‘N’ number of processes. The worst part is that one does not even need to be the super user to launch a fork bomb. To shield your system from Fork bomb ensure that you are limiting the number of processes to the local users where they could create, you can limit around 1000 to 4000 process for the local users to create. Generally a user could work about 200-300 process at same time. However for people who do a lot of multitasking, 1000 might be little less.

Understanding /etc/security/limits.conf file!

Each line describes a limit for a user in the form:
<domain> <type> <item> <value>
Where:

  • <domain> can be:
    • an user name
    • a group name, with @group syntax
    • the wildcard *, for default entry
    • the wildcard %, can be also used with %group syntax, for maxlogin limit
  • <type> can have the two values:
    • “soft” for enforcing the soft limits
    • “hard” for enforcing hard limits
  • <item> can be one of the following:
    • core – limits the core file size (KB)
  • <value> can be one of the following:
    • core – limits the core file size (KB)
    • data – max data size (KB)
    • fsize – maximum filesize (KB)
    • memlock – max locked-in-memory address space (KB)
    • nofile – max number of open files
    • rss – max resident set size (KB)
    • stack – max stack size (KB)
    • cpu – max CPU time (MIN)
    • nproc – max number of processes
    • as – address space limit
    • maxlogins – max number of logins for this user
    • maxsyslogins – max number of logins on the system
    • priority – the priority to run user process with
    • locks – max number of file locks the user can hold
    • sigpending – max number of pending signals
    • msgqueue – max memory used by POSIX message queues (bytes)
    • nice – max nice priority allowed to raise to
    • rtprio – max realtime priority
    • chroot – change root to directory (Debian-specific)

To limit the number of processes according to the users, you can open the file /etc/security/limits.conf and add the following line at the bottom:

<em>mohammad hard nproc 4000</em>

This will keep the the specified user account to restrict more than 4000 processes. Save the file and reboot the system and try with launching the Fork bomb. System should prevent the crash and withstand the attack now!

If a Fork bomb has already been launched and the restrictions for number of processes are active, you can login as root and kill all the bash processes to terminate the fork bomb. In case if a Fork bomb script is activated by a local user and you haven’t restrict the number of processes to that particular user, but still your CPU left with little time to clear the Fork bomb.

You should not use the following command to kill the script.

$killall -9 Script_Name

This will not work due the nature of a fork bomb. The reason is the killall does not hold a lock on the process table so each one that is killed a new one takes its place in the process table. Also you will not be able to run a killall due to the shell forking off another shell to run the killall.

Instead you can run these command to stop Fork bomb,

$ exec killall -9 ScritName

$ exec killall STOP ScriptName

NOTE :

This Restrictions will have no effect on the root user or any process with the CAP_SYS_ADMIN or CAP_SYS_RESOURCE capabilities are not affected by this kind of limitation on a Linux based system.

Hope you enjoyed the article , make me happy with your comments if you have any questions 🙂