Protection against fork bomb attack

A fork bomb is a type of denial-of-service attack: it starts a very large number of processes, which saturates the process table, the CPU and the memory.

This attack can slow the system down or make it completely unusable, requiring a reboot.
The name comes from the Linux system call fork, by which a process creates a child process.

Let’s analyze a simple fork bomb written in bash:

bomb() { bomb | bomb & }; bomb

I defined a new function called bomb, which calls itself and pipes its output into another copy of itself. Both copies run in the background, so that if the parent is killed, the children do not stop executing.

If we run this example on an unprotected server, it will most likely lock up. Starting a fork bomb does not require administrative rights: an ordinary user account that has not been properly limited is enough.
To check the limits of the current user, type the command:

ulimit -a

In our case we are interested in the field “Max User Processes”. If this field is unlimited, the system is vulnerable.
To protect the system against a fork bomb attack we can limit all users except the privileged one, root. We do this by editing “/etc/bash.bashrc” (administrative rights are required) and adding the following rules:

# Cap the number of processes for every user except root (uid 0)
if [ "$(/usr/bin/id -u)" -ne 0 ]; then
    ulimit -u 2000 &> /dev/null   # silence errors, e.g. if the hard limit is already lower
else
    ulimit -u unlimited
fi

Now the system is no longer vulnerable: once a user reaches the process limit (2000 in this case), no new processes can be created for that user.
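As an added example (not code from the original post), a small audit script that classifies the value reported by ulimit -u, encodes the root/non-root rule above, and reports both the soft and the hard limit of the current shell; the function names are my own.

```shell
#!/bin/bash
# Audit the per-user process limit that a fork bomb exhausts (RLIMIT_NPROC,
# shown by `ulimit -u`), and mirror the bash.bashrc rule from the article.

# Classify a limit value as printed by `ulimit -u`.
# Prints: vulnerable (unlimited), weak (above $2, default 4096), ok, or invalid.
# Exit status is 0 only for "ok", so the function can be used in conditions.
classify_nproc_limit() {
  local limit="$1" ceiling="${2:-4096}"
  case "$limit" in
    unlimited)    echo vulnerable; return 1 ;;
    ''|*[!0-9]*)  echo invalid;    return 2 ;;
  esac
  if [ "$limit" -gt "$ceiling" ]; then
    echo weak; return 1
  fi
  echo ok
}

# The article's policy: root keeps an unlimited process table, every other
# uid is capped at 2000. Takes a numeric uid, prints the value for `ulimit -u`.
recommended_nproc_limit() {
  if [ "$1" -eq 0 ]; then echo unlimited; else echo 2000; fi
}

# Report the soft and hard limits of the calling shell. The hard limit is the
# one that matters: `ulimit -u N` sets both, and an unprivileged user cannot
# raise the hard limit again, so the cap cannot simply be undone by the bomb.
audit_current_shell() {
  local soft hard
  soft=$(ulimit -Su)
  hard=$(ulimit -Hu)
  printf 'uid=%s soft=%s [%s] hard=%s [%s]\n' \
    "$(id -u)" \
    "$soft" "$(classify_nproc_limit "$soft")" \
    "$hard" "$(classify_nproc_limit "$hard")"
}

audit_current_shell
```

A limit set in bash.bashrc only applies to shells that source that file; to enforce it for every login, the same cap can be set through pam_limits in /etc/security/limits.conf.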
