Linux Fork Bomb Explained

One famous way to crash your Linux system is to run a “fork bomb” in the terminal. A variant of it looks like this:

WARNING: Malicious code. Don’t run it!

1	:(){:\|:&};:

This code looks strange, but it’s actually a conventional code in Bash. To make it a little more obvious, let’s replace the : (colon) with the word bomb. So, our code now looks like this:

1	bomb(){bomb\|bomb&}; bomb

Arranging the code a little more will leave us with this:

1
2
3
4

bomb() {
bomb|bomb &
};
bomb

Namely, the above code defines a bash function called bomb (colon in the original code), which calls itself recursively twice through a pipe, and sends the recursion call to the background. After the function is defined, all you need is to call it.
Now we just have a process which splits itself (a.k.a fork) forever, creating a huge number of processes which will utilize every single cycle of your CPU, causing the system to get stuck/reboot/crash.

Why to send the job to the background?

The answer is simple: If we run the recursive call in the foreground, the calling function will not complete until the call returns.
Since there is no stop condition for this recursion, the calling function would wait forever, which will allow killing it and all its children with [ctrl]+[C].
On the other hand, when running the recursive call in the background, the calling function will complete immediately, and it won’t be that easy to kill its child processes.
(It’s almost impossible to kill them even with the kill or killall commands, because the number of processes will grow exponentially and will utilize the whole CPU in a very short time, leaving you with the only option: To reboot).

Another question: Why calling twice?

In a “C-style” fork, after a process forks, it will continue to be alive, i.e., after a fork, we’ll have two processes: The parent, and the child.
But here in Bash, it’s not the same: Because we did the recursive call in the background, the calling process will “die” as soon as it makes the recursive call, so, if we call the function only once in the recursion, we’ll have always one process which will replace its parent, and this is not what we’re trying to achieve.

A C code with similar functionality to the above one is the following:

1
2
3
4
5
6
7
8

#include <unistd.h>
int
main()
{
while(1)
fork();
return 0;
}

One way to protect your system from such fork bombs, is to limit the number of user processes in the system. An explanation of how to do this along with an explanation about the above fork bomb can be found here.

Another explanation about fork bombs, with examples in different languages can be found here.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Infinite zip File

Tags: Bash, Linux, Security

Saturday, March 28th, 2009 Bash

1 Comment to Linux Fork Bomb Explained

H.Samir says:

July 13, 2010 at 2:33 pm

Does that mean the system will completely crashed ?? in another language does that mean that i will need to reinstall or restore from a previous backup ???

is there any logs produced from this process ???

RSS

RSS (comments)

Check my other blogs at:
http://www.off2pic.com
http://www.synsynackack.com

Hi,
My name is Amir Watad. I have a BSc. in biomedical engineering from The Biomedical Engineering school , Technion , Israel, and a BSc. in electrical engineering from The Electrical Engineering school , Technion , Israel.
I'm a Verification Engineer in Mellanox Technologies Ltd.
I love Linux, the Command Line and the OpenSource Community.
I used to write Poems (Arabic) when I was able to find time for this.

S	M	T	W	T	F	S
« Feb				May »
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

AmirWatad.com

Remember the name ;)

Linux Fork Bomb Explained

1 Comment to Linux Fork Bomb Explained

Leave a Reply

Meta

About Me

Categories

Popular Posts

Calendar

Archives