Linux Security: All about Fork Bomb

Silent, yet very efficient bomb.

Harsha Koushik
Kernel Space
4 min read · May 31, 2021


Introduction

Fork Bomb isn’t like normal bombs which make a lot of noise and create fire events. This bomb is very silent, but the consequences are quite violent. How violent the results are depends on which environment your System is running in. If it is your Production, it is time for you to change your Work Status on LinkedIn to Open to Work. With this intro given, let us dive into the technical discussion.

Fork Bomb — A Fork Bomb is a simple DoS (Denial-of-Service) attack. This DoS attack is an internal attack — it doesn’t come from outside the network; it starts and ends on the same host. Its nature is to deplete the available system resources so that no other service on that system can run.


Its nature is very similar to that of a Bomb — tiny in size, but the destruction is massive. Fork Bomb is a one-liner code, but after running it, that will be your last command on that system till everything is resolved. The code is —

:(){ :|: & }; :

Wondering where the Code is in that? That is the Code. This is a simple Bash Script which does the Job for you. Whenever I see this, a quote flashes through my mind —

It just takes one match stick to burn a thousand trees.

That code is the Match Stick and all your System Resources are the Trees. To understand how that small piece of code can be so dangerous, we first need to understand exactly how it works. So let us break that code down —

:() — This is a simple function definition, ‘<function-name>()’. In this case, the function name is ‘:’. As defined, this function accepts no parameters.

{ — Begin Function Definition.

:|: — Call the function and pipe its output into another call of the same function, so every invocation starts two more. Simple recursion technique.

& — Send the pipeline to the background, so the shell does not wait for it and it cannot be killed with a simple Ctrl+C.

}; — Terminate Function Definition.

: — Call the Function ‘:’.

Essentially this creates Processes which do nothing but create more of themselves. The Fork System Call is used to create a Process, hence the name Fork Bomb. As Process creation happens in all kinds of Systems, this attack is not specific to Linux; the same can be done on Windows as well, but the implementation will be different.
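Seen from the outside, the bomb described above is one user owning a rapidly growing tree of identical processes. The following is an added example (not code from the original article) that runs over a constructed snapshot of (pid, ppid, uid, comm) rows, the same fields one can read from /proc/<pid>/stat and /proc/<pid>/status on Linux, and flags the user and the ancestor process the tree hangs from; the thresholds in it are assumptions chosen for illustration.

```python
"""Spot a fork-bomb-like process explosion in a process-table snapshot.

Added example, not code from the original article. It works on a
constructed snapshot of (pid, ppid, uid, comm) rows; the thresholds
(max_procs, same_comm_ratio) are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

# Constructed snapshot: uid 1000 has a normal login, uid 1001 has a login
# shell whose descendants keep doubling (what a fork bomb looks like from
# the outside: many identical processes under one ancestor).
SNAPSHOT = [
    (1, 0, 0, "systemd"),
    (400, 1, 0, "sshd"),
    (401, 400, 1000, "bash"),
    (402, 401, 1000, "vim"),
    (500, 400, 1001, "bash"),
]
_next_pid, _frontier = 501, [500]
for _generation in range(6):          # six doublings: 2+4+...+64 = 126 rows
    _children = []
    for _parent in _frontier:
        for _ in range(2):
            SNAPSHOT.append((_next_pid, _parent, 1001, "bash"))
            _children.append(_next_pid)
            _next_pid += 1
    _frontier = _children


def count_per_uid(rows):
    """Number of processes owned by each uid; this is what nproc caps."""
    return Counter(uid for _pid, _ppid, uid, _comm in rows)


def subtree_size(rows, root_pid):
    """Processes in the tree rooted at root_pid, root included."""
    children = defaultdict(list)
    for pid, ppid, _uid, _comm in rows:
        children[ppid].append(pid)
    size, stack = 0, [root_pid]
    while stack:
        pid = stack.pop()
        size += 1
        stack.extend(children[pid])
    return size


def find_runaway(rows, max_procs=100, same_comm_ratio=0.9):
    """Return [(uid, count, dominant_comm)] for uids that look like a bomb:
    more than max_procs processes, nearly all running the same command."""
    per_uid_comm = defaultdict(Counter)
    for _pid, _ppid, uid, comm in rows:
        per_uid_comm[uid][comm] += 1
    hits = []
    for uid, comms in per_uid_comm.items():
        total = sum(comms.values())
        comm, top = comms.most_common(1)[0]
        if total > max_procs and top / total >= same_comm_ratio:
            hits.append((uid, total, comm))
    return sorted(hits)


def login_roots(rows, uid):
    """Processes of uid whose parent belongs to another uid (the entry
    points, e.g. the login shell); the bomb's whole tree hangs below one."""
    owner = {pid: puid for pid, _ppid, puid, _comm in rows}
    return [pid for pid, ppid, puid, _ in rows
            if puid == uid and owner.get(ppid) != uid]


if __name__ == "__main__":
    for uid, total, comm in find_runaway(SNAPSHOT):
        for root in login_roots(SNAPSHOT, uid):
            print("uid %d: %d processes, mostly '%s', %d of them under pid %d"
                  % (uid, total, comm, subtree_size(SNAPSHOT, root), root))
```

On a live host the same three functions would be fed rows collected from /proc; the per-uid count is exactly the quantity the nproc limit discussed below bounds, which is why a cap on it stops the tree from growing.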

How to Prevent Fork Bombs?

Well, if we look carefully at the nature of the Fork Bomb, we can easily stop it. It creates as many processes as possible until the system is paralyzed. The time it needs to crash the System depends on your Resource Capacity. So this is the key: what if we set a limit on how many Processes a User can create? Yes, that is the solution.

Note: You need not be SuperUser/Root to create a Fork Bomb. As a normal user is allowed to create a Process, they can also trigger this Bomb.

We can limit the number of processes per user using the ‘ulimit’ command.

ulimit -aS — shows all the Soft limits for the user.

ulimit -aH — shows all the Hard limits for the user.

We can use ‘ulimit -u’ to view the ‘nproc’ limit for the user. The same command can also be used to set the limit. Changes made with ulimit are temporary: they apply only to the current shell session and the processes started from it. If the user logs in again, the configured limits will be applied to them.

ulimit command in action.

To make changes to the limits permanent we can use the file ‘limits.conf’ in ‘/etc/security/’; limits set in this file, either soft or hard, are permanent.

We will explore this file and all its possible options in another article. For now let us keep it simple by modifying only the ‘number of processes’ value, nproc. So we need to add a line of this form to the file —

<username> <soft/hard/-> <nproc> <value>
harsha hard nproc 5000

Even for this rule to take effect, the user needs to log in again or the system needs to be restarted.
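Because limits.conf can hold several lines that match the same user (a ‘*’ default, an ‘@group’ line and a per-user line), it is worth being able to work out which nproc value a given user actually ends up with, and to compare it with what ‘ulimit -u’ / ‘ulimit -Hu’ report in a live shell. The following is an added example, not code from the original article. The precedence it applies (a username line beats an @group line, which beats the ‘*’ default; between lines of equal rank the later one wins) is this example's model of pam_limits and is an assumption to verify against your system's pam_limits documentation; the configuration text in it is constructed.

```python
"""Resolve the nproc limit a user gets from limits.conf and compare it
with the live limit of the current process.

Added example, not code from the original article. The precedence model
(user line > @group line > * default; later line wins on equal rank) is an
assumption about pam_limits; SAMPLE_LIMITS_CONF is constructed.
"""
import resource

RANK_USER, RANK_GROUP, RANK_DEFAULT, RANK_NONE = 0, 1, 2, 3   # lower wins

# Constructed sample, not a real /etc/security/limits.conf.
SAMPLE_LIMITS_CONF = """
# <domain> <type> <item> <value>
*        soft   nproc   4096
*        hard   nproc   unlimited
@devs    hard   nproc   8000
harsha   hard   nproc   5000
svc_bot  -      nproc   200
"""


def parse_limits_conf(text):
    """Return [(domain, type, item, value)] from limits.conf text,
    dropping comments and blank lines; rejects malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[1] not in ("soft", "hard", "-"):
            raise ValueError("malformed limits.conf line: %r" % raw)
        entries.append(tuple(fields))
    return entries


def _as_limit(value):
    return "unlimited" if value in ("unlimited", "infinity", "-1") else int(value)


def effective_limit(entries, user, groups, item="nproc"):
    """{'soft': x, 'hard': y} for user. None means no line matched that
    type; 'unlimited' means a matching line explicitly removed the cap."""
    chosen = {"soft": (None, RANK_NONE), "hard": (None, RANK_NONE)}
    for domain, ltype, itm, value in entries:
        if itm != item:
            continue
        if domain == user:
            rank = RANK_USER
        elif domain.startswith("@") and domain[1:] in groups:
            rank = RANK_GROUP
        elif domain == "*":
            rank = RANK_DEFAULT
        else:
            continue
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            if chosen[kind][1] >= rank:          # equal rank: later line wins
                chosen[kind] = (_as_limit(value), rank)
    return {kind: value for kind, (value, _rank) in chosen.items()}


def users_without_hard_nproc(entries, user_groups):
    """Names of users whose hard nproc limit is missing or unlimited,
    i.e. users who could still exhaust the process table."""
    return sorted(u for u, g in user_groups.items()
                  if effective_limit(entries, u, g)["hard"] in (None, "unlimited"))


def live_nproc_limit():
    """(soft, hard) nproc limit of the running process, the values
    'ulimit -u' and 'ulimit -Hu' report (Linux/BSD: RLIMIT_NPROC)."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    inf = resource.RLIM_INFINITY
    return ("unlimited" if soft == inf else soft,
            "unlimited" if hard == inf else hard)


if __name__ == "__main__":
    entries = parse_limits_conf(SAMPLE_LIMITS_CONF)
    print("harsha:", effective_limit(entries, "harsha", {"devs"}))
    print("no hard cap:", users_without_hard_nproc(
        entries, {"harsha": {"devs"}, "bob": set()}))
    print("this process:", live_nproc_limit())
```

With the constructed file above, harsha (a member of devs) resolves to a hard limit of 5000 because the per-user line outranks the @devs line, while a user matched only by the ‘*’ lines ends up with an unlimited hard nproc, which is exactly the gap users_without_hard_nproc is meant to surface. To check a real host, read /etc/security/limits.conf (and, on systems that use it, the files under /etc/security/limits.d/) into parse_limits_conf instead of the sample text.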

Note: Do not try this attack on Production Systems, or any other systems where other Users are working. Try this in a contained environment such as VM/Container.

Conclusion

In most Systems you will see that Limits are already set for many fields, but it is still very necessary for us to understand how these limits work, because a User with the necessary privileges can change their Limits and try launching these kinds of attacks.

It is really important to understand how these kinds of attacks work because of their nature: they are internal, the type that is least expected but very dangerous. This is just one example of why Internal Security is equally as important as external Security. There are many more attacks like this.

There is much more to ‘limits.conf’ file. Please go through this article to understand all other options in that file — https://medium.com/kernel-space/resource-limits-in-linux-limits-conf-83aa442913e9

Thank you for reading. You can connect with me on LinkedIn. Happy to answer your queries.
