What is a Fork Bomb in Linux and how to stop it?
Bobby Iliev ・ Jun 9th, 2021 Views

What is a Fork Bomb in Linux and how to stop it?

Introduction

A fork bomb (also known as a rabbit virus) is a denial-of-service attack that consists of a process that constantly replicates itself to exhaust all available system resources, slowing down or crashing the system due to resource starvation.

What is a Fork Bomb in Linux and how to stop it?

Here's an example of the most popular fork bomb in Linux:

:(){ :|:& };:

NOTE: do not run this on your system as it would crash the system!

Rundown of all elements

Here's a quick rundown of all elements:

  • :() - Define the function. The : is the function name and the opening and closing parenthesis means that the function does not accept any arguments

  • { } - These characters show the beginning and end of the function

  • :|: - Here it loads a copy of the function : into memory and pipe its own output to another copy of the : function, which has to be loaded into memory as well

  • & - This starts the process as a background process

    Checkout our latest product - the ultimate tailwindcss page creator 🚀
  • : - The final : executes the function and hence the chain reaction begins

Stopping a fork bomb

If you have a multi-user system, the best way to protect it against such attacks is to limit the number of processes a user can have by using PAM for example.

If you are already logged into the system you could do the following to stop the fork bomb:

  • Run a SIGSTOP command to stop the processes of the user who ran the fork bomb:
killall -STOP -u someuser

Conclusion

For more information about the history of the fork bomb and other examples I would recommend checking this Wikipedia page.

Comments (1)