- HowTo: Create a Linux Fork Bomb
- Understanding the Fork Bomb :()< :|:& >;: in Linux
- What is a fork bomb?
- :()< :|:& >;: – How does it work?
- Why does fork bomb not work in Ubuntu and some other distros?
- How to Prevent fork bomb?
- Conclusion
- Linux Fork Bomb
- How to crash a Linux system with a fork bomb
- How to prevent a Linux crash due to fork bomb
- Closing Thoughts
- Related Linux Tutorials:
HowTo: Create a Linux Fork Bomb
Fork bomb is a form of denial-of-service attack against a computer system which makes use of the fork operation (or equivalent functionality), whereby a running process can create another running process.
Fork bombs typically do not spread as worms or viruses, but it works by creating a large number of processes very quickly in order to saturate the available space in the list of processes kept by the operating system.
If the process table becomes saturated, no new programs can start.
Once this code is executed, within seconds your system will freeze and then you have to hard boot the system.
A bash shell fork bomb may look like this:
The above can be explained as:
Function | Description |
---|---|
🙁 ) | define a function ‘:’ — so whenever we say ‘:’, execute this function |
beginning of what to do when we say ‘:’ | |
: | load another copy of the ‘:’ function into memory… |
| | …and pipe its output to… |
: | …another copy of ‘:’ function, which has to be loaded into memory (therefore, ‘:|:’ simply gets two copies of ‘:’ loaded whenever ‘:’ is called) |
& | disown the functions — if the first ‘:’ is killed, all of the functions that it has started should NOT be auto-killed |
> | end of what to do when we say ‘:’ |
; | Having defined ‘:’, we should now… |
: | …call ‘:’, initiating a chain-reaction: each ‘:’ will start two more |
A more simple form, can be written as:
Understanding the Fork Bomb :()< :|:& >;: in Linux
Nuking my system by installing Arch Linux was not enough, so I used a Fork Bomb.
You might have already seen a cute looking but dangerous Linux command which is made of just special characters:
This is called bash fork bomb and it is enough to bring down your system by consuming all the system resources. It goes away after a system reboot, though.
In this article, I’ll discuss:
- What is a fork bomb in general
- How does the :()< :|:& >;: turn into a fork bomb
- Why the fork bomb is likely not to do any damage (yes, your distro might be bombproof)
- Quick tip on preventing fork bombs
What is a fork bomb?
You can think of a fork bomb as a DoS (denial of service) attack, as it replicates existing processes till your system utilizes 100% of system resources and makes it completely unusable.
Unix programs are executed through a combination of two system calls called fork and exec. One process spawns another either by replacing itself when it’s done — an exec — or, if it needs to stay around, by making a copy of itself — a fork.
The fork bomb is basically the process of creating forks after forks infinitely until your system doesn’t have anymore resources left.
Of course, you can recover your system by rebooting, but the process is quite interesting!
:()< :|:& >;: is an example of such a fork bomb. It is popular because it’s made of just a few special characters, not long, complicated scripts.
Now, let me explain how this famous fork bomb works in Linux.
:()< :|:& >;: – How does it work?
Well, this is what the famous fork bomb does to your system. And if you’re curious to know those 11 spooky characters, here you go:
As of now, you might have no idea how it works. Well, Let me break it down for you:
- :() defines the function named as : and will accept no arguments.
- <> is where the function starts and ends. In simple terms, it includes commands that will crash your machine eventually.
- :|: is where the recursion starts (function calling itself). To be more precise, It loads a : function in memory, pipe ( | ) its own output to another copy of the : function which is also loaded into system memory as well.
- & will execute the whole function in the background so that no child process is killed.
- ; separates each child function from the chain of multiple executions.
- And : runs recently created function, hence the chain reaction begins!
After going through the basics, I’m sure you want to surprise your friend with this attack. But I’d advise you to keep this attack to your virtual machine.
Oh! here’s a screenshot of the task manager when I ran the fork bomb in my testing.
Why does fork bomb not work in Ubuntu and some other distros?
Well, this is not limited to Ubuntu, but each distro that ships with systemd.
Systemd creates cgroup for each user which also defines the maximum processes. By default, it only allows users to have 33% of the whole.
Tinkering with systemd config is not suitable for everyday desktop users so if you’re interested I’d highly recommend you to check this answer on tweaking systemd config.
How to Prevent fork bomb?
As everything is related to processes, you just have to limit them. And the maximum processes that can run through a signed-in user can be checked through a given command:
Mine is around 15k and any Linux user would have at least around 10k, which is much more than enough. So what you have to do is limit those background processes to around 5k, which should be plenty for most users.
But this would only be effective for specific users. You can also apply this to the group by editing the /etc/security/limits.conf file. This is known to be a more effective way too!
sudo nano /etc/security/limits.conf
For example, I want to apply this to all users who are in wheel group, so I’d be adding the following lines at the end of the config file:
Whereas for any specific user (sagar in my case) it would be this:
Conclusion
This fork bomb was created by open source software developer Jaromil. He thinks it is a work of art.
I kind of agree with Jaromil. It is indeed a work of art. Just 11 special characters and you get yourself a nasty program that has the capability to bring down a system.
I guess you have a better understanding of the fork bomb now. Let me know if you have questions or suggestions.
Linux Fork Bomb
A Linux fork bomb is one of the oldest and most succinct ways to crash a Linux system. It is a type of denial of service attack that works by spawning more and more processes, until eventually all the resources on the system are tied up and it crashes.
In this tutorial, you will see how to crash a Linux system using a fork bomb. We will also go over some steps that you can take to prevent things like fork bombs and an inordinate number of processes from being spawned and crashing your system.
In this tutorial you will learn:
- How to crash a Linux system with a fork bomb
- How to prevent a Linux crash due to fork bomb
Category | Requirements, Conventions or Software Version Used |
---|---|
System | Any Linux system |
Software | N/A |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command $ – requires given linux commands to be executed as a regular non-privileged user |
How to crash a Linux system with a fork bomb
WARNING
Be sure to only test this code on a test machine or virtual machine. Using it on another system, even for testing purposes, will make you look like an attacker that is trying to crash the system. And, in some cases, you might succeed.
The following line of code is a short and sweet fork bomb:
At first glance, this may look like gibberish and pretty harmless to execute, but let’s take a look at what is really going on here:
- : is the name of the function
- :|: calls the function itself and spawns another process
- & puts the process into the background, so that it cannot be killed as easily
- ; marks the end of the function
- : calls the function again
Keep in mind that other types of fork bombs exist. For example, you can program them in Perl, Python, and other languages. The one we have shown here is the most commonly used and will work in the Bash shell.
Here is the same function call in a more human readable format:
As you can see, the function is calling itself twice in the body. This will start to consume all resources on your system and eventually force your Linux system to crash.
Your results may vary, depending on the configuration of the Linux system, what distro you are using, etc. On our Ubuntu test system, executing the fork bomb locked up the system, and eventually started flooding the terminal with these messages:
bash: fork: retry: Resource temporarily unavailable.
Even after closing the terminal, the system was too sluggish and unresponsive to do anything, and we were forced to reboot. When the system came back up, we got the following error message:
NOTE
Some Linux distros are programmed to inherently prevent fork bombs. On those systems, the kernel will kill all the spawned processes to try and prevent your system from crashing.
How to prevent a Linux crash due to fork bomb
A fork bomb is effective because it is able to spawn an unlimited number of processes. Eventually, your system can’t process all of them, and will crash. Therefore, we can prevent these types of crashes by limiting the number of processes that a user or group of users is able to spawn.
The best way to impose a limit on the number of processes a user can spawn is by editing the /etc/security/limits.conf file.
- As an example, let’s try putting a limit on the number of processes that users in the “corporate” group can spawn. Adding this line to the file would only allow the users in the group to spawn a maximum of 30 processes.
linuxconfig hard nproc 40
For more examples, check out our guide on the Linux ulimit command, which shows how to enforce more types of limits inside the limits.conf file, or impose temporary limits with the ulimit command.
Closing Thoughts
In this tutorial, we saw how to crash a Linux system with a fork bomb command. We also learned how a fork bomb works, and ways to prevent users from using them to crash a system. Fork bombs are not a bug nor weakness of a Linux system. The responsibility is in the hands of a system administrator to limit the number of processes available for a user to spawn.
Related Linux Tutorials:
Comments and Discussions