Fork Bomb!

Try and execute the following script in your bash terminal:

:(){ :|:& };:

Hold up!


If you execute the above statement in your terminal it will fork bomb your system: within seconds the machine stops responding and usually has to be power-cycled. If you already ran it, there is nothing to worry about beyond the reboot. It's no hack: nothing is stolen, no privilege is gained, no code is planted. It is, however, the classic local denial-of-service attack, and the same trick is used against servers an attacker has shell access to.

So what just happened?

The above script called a function over and over, and every call forked new processes, until the system's resources were exhausted: free slots in the process table, CPU time, and memory (each of which every process needs in order to run, including the operating system's own services).

How do a few characters exhaust all the system's resources?

I will explain how the script works in a moment; on an unprotected system it makes the machine unusable within seconds. But to understand it you need to be familiar with two programming concepts: recursion and process forking (yup, that's what the fork in fork bomb is).

Recursion: In programming, a function that calls itself is said to be recursive. Recursion is a very useful technique for expressing a problem in terms of smaller instances of itself. The computer keeps track of every pending call on the stack, in memory, which is why recursion without a stopping condition eventually exhausts memory too. Read the answer on Stack Overflow to learn more about how recursion works.

Forking: The operating system manages the system's resources and hands them out to each process. A process fork is a duplicate of an existing process, called the parent; the duplicate is the child. The child inherits the parent's attributes (open files, environment, working directory, user ID) and a copy of its memory image, so every fork consumes another process table entry and, as the child touches memory, more RAM.

The script may look cryptic if you are new to bash, but it is the same program as the one below, written with a readable function name. It defines a function bomb whose body is bomb | bomb &. Each side of a pipeline runs in its own child process, so every call of bomb creates two new copies of the shell, and each of those calls bomb again. Piping the function's output into itself carries no data of any use; its only purpose is to fork two children per parent. The trailing & runs the pipeline in the background, so bomb returns at once instead of waiting for its children, and every process is free to keep spawning. The closing }; ends the function definition, and the final bomb on its own line makes the first call, which creates children that create children until you regret running it. The original is unreadable only because the function is named : (a colon is a legal function name in bash) and all the whitespace is squeezed out.

Readable form of the above fork bomb in bash (still a fork bomb, do not run it):

bomb() {
    bomb | bomb &
};
bomb
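To watch the doubling happen without taking the machine down, here is an added Python example (not from the original post) that models bomb | bomb & with a brake on it: every process forks two children, each child does the same one level deeper, but the recursion stops at a fixed depth, every child exits once it has reported the size of its subtree, and the root waits for them all. The function names, the depth cap and the use of the exit status to carry the count are this example's own choices.

```python
import os


def fork_tree(depth):
    """Model of `bomb | bomb &` with a stopping condition.

    Every process forks two children (the two sides of the pipeline);
    each child recurses with depth-1 until depth reaches 0. A child
    reports the size of its subtree through its exit status, and the
    root returns the number of processes the whole tree contained,
    itself included: 2**(depth+1) - 1. Children leave via os._exit, so
    nothing outlives the call. depth is capped at 6 so that every
    subtree count fits in an 8-bit exit status (assumption of this example).
    """
    if not 0 <= depth <= 6:
        raise ValueError("depth must be 0..6 so that 2**(depth+1)-1 <= 255")
    total = 1                        # this process
    if depth == 0:
        return total                 # leaf: the brake the real bomb lacks
    children = []
    for _ in range(2):               # 'bomb | bomb': two new processes per call
        pid = os.fork()
        if pid == 0:                 # child: build its own subtree, report its size
            try:
                size = fork_tree(depth - 1)
            except BaseException:
                size = 0
            os._exit(size)
        children.append(pid)         # parent: note the child and keep forking
    for pid in children:             # the real bomb never waits ('&'); we do, to count
        _, status = os.waitpid(pid, 0)
        total += os.WEXITSTATUS(status)
    return total


def processes_after_generations(generations):
    """Processes alive once every process has forked `generations` times
    with nothing stopping it: the same 2**(g+1)-1 growth as fork_tree,
    computed instead of spawned, to show how fast the process table fills."""
    return 2 ** (generations + 1) - 1


if __name__ == "__main__":
    print("processes in a depth-4 tree:", fork_tree(4))
    for g in (10, 15, 20):
        print(f"after {g} generations: {processes_after_generations(g)} processes")
```

After 15 generations the tree already holds more than the traditional Linux default of 32768 process IDs (kernel.pid_max), and each generation takes only as long as one fork(); that is why the bomb "goes off" in seconds rather than minutes.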

The concept behind a fork bomb is really simple: create processes until the system can create no more, and keep trying. Simple yet effective. It can be written in any language or on any system that can reach the fork() system call, and it is very frustrating to deal with on a production server when an attacker has shell access, because by the time you notice, you may no longer be able to get a shell yourself. Fork bombs can be written in many ways; the one below is in Python.

In Python the fork bomb below uses neither recursion nor piping. It simply calls os.fork() from the built-in os module in an infinite loop: after every call there are two processes running the loop, the parent and the child, so the population doubles on every iteration. The same idea works in bash with an infinite loop that starts a subshell in the background on every pass.

Fork bomb in Python:

import os          # os.fork() wraps the fork() system call
while True:        # never ends: parent and child both keep looping
    os.fork()      # after this line two processes are running the loop

How can we prevent fork bomb from happening?

First and foremost, never trust scripts you find online; read and understand them before you run them.

Secondly, limit the number of processes a user may run at once with ulimit, which sets the RLIMIT_NPROC resource limit. Don't set it too low or normal work becomes painful; a few thousand is plenty for an interactive user. Two caveats: the soft limit (-S) can be raised again by the user up to the hard limit, so set the hard limit (-H) as well, or set both persistently in /etc/security/limits.conf; and on Linux root is exempt from this limit, so it does not help if the attacker is root. On systemd systems the pids cgroup controller (TasksMax= for services, and the same setting on user slices for login sessions) enforces the same kind of cap per service or per session. A process limit also says nothing about memory: if each forked process allocates a lot of RAM, cap memory too (ulimit -v, or cgroup memory limits), bearing in mind that such caps can hamper legitimate critical processes as well. If a bomb is already running and you still have a shell, freeze all of that user's processes first (pkill -STOP -u <user>) so they stop reproducing, then kill them (pkill -KILL -u <user>); killing without freezing loses the race against the survivors' forks.

ulimit -S -u 5000   # soft limit: at most 5000 processes for this user (applies to this shell and everything started from it)
ulimit -H -u 5000   # hard limit: the user cannot raise the soft limit above this
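To check that the limit actually bites, here is an added Python example (not from the original post) that does in code what ulimit -u does in the shell. A throwaway child lowers its own RLIMIT_NPROC to one process and then tries to fork; a kernel that enforces the limit refuses with EAGAIN, which Python raises as BlockingIOError. The verdict travels back over a pipe so the caller's own limits are never changed. The limit value, the function name and the one-byte pipe protocol are this example's own choices; the root exemption it reports on is Linux behaviour, not something the original page states.

```python
import os
import resource


def fork_under_nproc_limit(limit=1):
    """Demonstrate RLIMIT_NPROC (the limit `ulimit -u` sets) stopping a fork.

    Returns a dict:
      refused    -- True if the fork was refused with EAGAIN (the limit held)
      privileged -- True when running as root; Linux exempts root (and
                    CAP_SYS_RESOURCE/CAP_SYS_ADMIN holders) from RLIMIT_NPROC,
                    so as root 'refused' may legitimately be False
      error      -- True if anything other than a refused or successful fork happened
    """
    privileged = os.geteuid() == 0
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # throwaway child
        os.close(rfd)
        verdict = b"e"
        try:
            # Lower soft and hard limit to `limit` processes for this user.
            # Lowering is always permitted; this copy of the limit dies with the child.
            resource.setrlimit(resource.RLIMIT_NPROC, (limit, limit))
            try:
                grandchild = os.fork()            # the fork the limit should block
                if grandchild == 0:
                    os._exit(0)
                os.waitpid(grandchild, 0)
                verdict = b"n"                    # fork succeeded: limit not enforced for us
            except BlockingIOError:               # EAGAIN: the kernel refused the fork
                verdict = b"y"
        except Exception:
            verdict = b"e"
        os.write(wfd, verdict)
        os._exit(0)
    os.close(wfd)
    os.waitpid(pid, 0)
    verdict = os.read(rfd, 1)
    os.close(rfd)
    return {
        "refused": verdict == b"y",
        "privileged": privileged,
        "error": verdict not in (b"y", b"n"),
    }


def current_nproc_limits():
    """Current (soft, hard) RLIMIT_NPROC of this process, as `ulimit -S -u` / `ulimit -H -u` would show."""
    return resource.getrlimit(resource.RLIMIT_NPROC)


if __name__ == "__main__":
    print("current (soft, hard) process limit:", current_nproc_limits())
    result = fork_under_nproc_limit()
    if result["refused"]:
        print("fork refused with EAGAIN: RLIMIT_NPROC would stop a fork bomb for this user")
    elif result["privileged"]:
        print("fork allowed: running as root, which the kernel exempts from RLIMIT_NPROC")
    else:
        print("fork allowed: this kernel did not enforce RLIMIT_NPROC here")
```

Run it once as an ordinary user and once as root: the first run should report the refusal, the second the exemption, which is the practical reason a process limit protects shared hosts from their users but not from a compromised root account.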
