Tuesday, March 07, 2006

Fork Bombs: Bringing Linux to its Knees

I think only one Linux person reads this, but anyway, I was just reminded of the existence of fork bombs. This is basically a program that calls itself multiple times. Each child then does the same thing, and soon you have more processes running than the system can handle. In the bash shell, which is used on most Linux systems, there's a simple fork bomb that consists of all punctuation.

Warning: Don't play with this unless you're prepared to hit the reset button on your system. Or, you can simply run the following command for protection:

  ulimit -u 100

Remember, you have to re-run ulimit in each shell or window.

Here's the basic bash fork bomb:

  :(){ :|:&};:

What it does is define a function called :, and then, it calls that function.
On the inside, the function runs itself twice by piping the (nonexistent) output to itself. It could just as easily be called forkbomb and used two background processes to make the results more obvious:
  forkbomb () { forkbomb & forkbomb & } ; forkbomb

In general, if your system gets used by someone other than yourself, you should protect it from fork bombs by setting a hard ulimit for all users. If you are using pam (check for /lib/libpam*), add the following line to /etc/security/limits.conf:

*                hard    nproc           100

Then log out and log back in again.


Anonymous said...

I remember doing a couple of those using C when I was a CS undergrad. Modern distros I think have some sort of protection against infinite forks, but I am not too sure. When we tried it on the school server nothing happened :(

Jeff S. said...

You would think that, but the only protection is the ulimit -u thing (in a system profile or enforced by PAM). My computer stopped when I did it. Not even mouse movement or caps lock blinking.

Anonymous said...

Per our phone conversation:

x ^= y ^= x ^= y;

Jeff S. said...

Freaky. That swaps x and y without using temporary storage for one of them.