Jump to content

Fork bomb: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Removed redundant code (WXP and 98 version was the same...) and added forkbomb for windows with nicer code
→‎Example fork bombs: - Sorry for double-editting :'(
Line 49: Line 49:
fork();
fork();
}
}
</source>

And in PHP (probably only for POSIX compatible systems):
<source lang="php">
while(1)
pcntl_fork();
</source>
</source>


Revision as of 20:47, 15 January 2008

Concept behind the fork bomb, the processes are recursively forked until a denial of service or a crash

The fork bomb is a form of denial of service attack against a computer system that implements the fork operation, or equivalent functionality whereby a running process can create another running process. It is considered a wabbit as fork bomb programs typically do not spread as worms or viruses. It relies on the assumption that the number of programs and processes which may be simultaneously executed on a computer has a limit.

A fork bomb works by creating a large number of processes very quickly in order to saturate the available space in the list of processes kept by the computer's operating system. If the process table becomes saturated, no new programs may be started until another terminates. Even if that happens, it is not likely that a useful program may be started since the instances of the bomb program are each waiting to take that slot themselves.

Not only do fork bombs use space in the process table, they each use processor time and memory. As a result of this, the system and existing programs slow down and become much more difficult (slow to respond), or even impossible, to use.

As well as being specifically malicious, fork bombs can occur by accident in the normal development of software. The development of an application that listens on a network socket and acts as the server in a Client-server system, may well use an infinite loop and fork operation in a similar way as presented below. A trivial bug in the source of this kind of application could cause a fork bomb when tested.

Example fork bombs

The following is arguably one of the most elegant examples of a fork bomb. It was created by Jaromil in 2002, and released as an open source piece of art. The fork bomb is executed by pasting the following 13 characters into a UNIX shell such as bash or zsh.[1] 

 :(){ :|:& };:

Forkbombs using the Microsoft Windows (any version) batch language: 

 :s
 start 0%
 goto :s

And more elegant version found by Harvie: 

%0|%0

An inline shell example using the Perl interpreter: 

 perl -e "fork while fork" &

Using Python: 

 import os
 
 while(1):
      os.fork()

Or in C: 

 #include <unistd.h>
 
 int main()
 {
   while(1)
     fork();
 }

And in PHP (probably only for POSIX compatible systems): 

   while(1)
       pcntl_fork();

Variants

A common variant on the typical fork bomb is to allocate heap memory anonymously, causing a memory leak by design. This can quickly bring an operating system into swap making it harder for a user or sysadmin to prevent an attack, as the OS becomes less responsive due to the overheads of paging. This is most easily done using a language that does not have managed data types, such as C, in which system calls and libraries are easily accessible: 

 #include <stdlib.h>
#include <unistd.h>
int main()
{
    /* An infinite loop. */
    while(1)
    {
       /* Try to allocate 1MB of memory. */
       malloc(1048576);
       /* Fork the process so that we have exponential growth in memory. */
       fork();
    }
}

This version of Fork Bomb is ineffective, shown only as an example of the logic behind the scenes.[citation needed]

By allocating memory on the heap the fork bomb process has a much larger memory footprint than it would have otherwise had. It now takes fewer iterations of forking to consume physical system memory. On modern computer systems a simpler fork bomb might reach the operating systems process limit before using up system memory and going into swap.

Difficulty of cure

Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it. Trying to use a program to kill the rogue processes normally requires another process be created, which may not be possible if there are no empty slots in the process table, or space in memory structures.

However, in practice, some of these fork bombs can be cured relatively easily. Consider the shell fork bomb shown above: 

 :(){ :|:& };:

One important "feature" in this code is that a fork bomb process which can no longer fork, doesn't stick around but rather exits. If we try often enough, eventually we'll be able to run a new do-nothing process; Each new do-nothing process we run reduces the number of rampant "fork bomb" processes by one, until eventually we can eradicate all of them, when the do-nothing processes can exit. The following short Z Shell code will typically get rid of the above fork bomb in about a minute: 

 while (sleep 100 &!) do; done

Prevention

One way to prevent a fork bomb is to limit the number of processes that a single user may own. When a process tries to create another process and the owner of that process already owns more than the maximum, the creation fails. The maximum should be low enough that if all the users who might simultaneously bomb a system do, there are still enough resources left to avoid disaster. Note that an accidental fork bomb is highly unlikely to involve more than one user. There is a Linux kernel patch that enables logging of which user has started a fork bomb called grsecurity[2].

Unix-type systems typically have such a limit, controlled by a ulimit shell command[3]. With a Linux kernel, it is the RLIMIT_NPROC rlimit of a process. If a process tries to perform a fork and the user that owns that process already owns more than RLIMIT_NPROC processes, it fails. Additionally, on Linux or *BSD, you can edit the pam_limits config file: /etc/security/limits.conf[4] to the same effect. However, not all distributions of Linux have the pam_limits module installed by default.

Another solution involves the detection of fork bombs by the operating system, which is not widely practiced. However, it has been implemented in the form of a Linux kernel module called rexFBD[5].

Note that simply limiting the number of processes a process may create does not prevent a fork bomb, because each process that the fork bomb creates also creates processes. A distributive resource allocation system in which a process' resources are a share of its parents resources would work, but distributive resource systems are not in common use.

Further challenges

Even with the above precautions, fork bombs can still have disastrous effects on a system. For example, if a server has 24 CPUs and allows ordinary users to have up to 100 processes, a fork bomb can still saturate all 24 CPUs even after it can no longer multiply. This can make the system completely unresponsive, to the point where an administrator cannot log in to fix the problem.

Notes

  1. ^ digitalcraft.org article by Jaromil
  2. ^ Linux kernel module for fork bomb prevention.
  3. ^ grsecurity Linux kernel patch.
  4. ^ `man ulimit` online copy of the man page.
  5. ^ `man limits` online copy of the man page.

See also

Retrieved from "https://en.wikipedia.org/w/index.php?title=Fork_bomb&oldid=184560875"