Understanding Bash fork() Bomb ~ :(){ :|:& };:

November 26, 2007 · 31 comments · Last updated September 2, 2012

Can you explain the following bash code or bash fork() bomb?
:(){ :|:& };:

The fork bomb is a form of denial-of-service (DoS) attack against a Linux-based system. It makes use of the fork operation.

:(){ :|:& };: is nothing but a bash function that gets executed recursively. It is often used by sysadmins to test user process limits. Linux process limits can be configured via /etc/security/limits.conf and PAM.

Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting the system as the only solution to a fork bomb is to destroy all instances of it.

WARNING! These examples may crash your computer if executed.

Understanding :(){ :|:& };: fork() bomb code

:() - Defines a function called :. This function accepts no arguments. The syntax for a bash function is as follows:

foo(){
 arg1=$1
 arg2=$2
 echo 'Bar..'
 #do_something on $arg argument
}

The fork() bomb is defined as follows:

:(){
 :|:&
};:

:|: - Next, the function calls itself (recursion) and pipes the output to another call of the function ':'. The worst part is that the function gets called two times to bomb your system.

& - Puts the function call in the background, so the calling shell does not wait for it and the children keep running and eating system resources.

; - Terminates the function definition.

: - Call (run) the function aka set the fork() bomb.

Here is a more human-readable version:

bomb() {
 bomb | bomb &
}; bomb

A properly configured Linux / UNIX box should not go down when a fork() bomb is set off.
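
An added example (not part of the original article): a POSIX shell audit of limits.conf-style text that reports each user's effective hard nproc cap, the setting that decides whether a fork bomb is contained. The sample file, the user names and the function names are constructed for illustration, and only exact user names and the * wildcard are matched.

```shell
#!/bin/sh
# Added example: report the hard nproc cap a limits.conf-style file gives a user.
# Assumption/simplification: only exact user names and the "*" wildcard are
# matched; @group, %group and uid-range domains are ignored.

# Print the effective hard nproc value for user $2 in file $1, or "unset".
hard_nproc_for() {
    awk -v user="$2" '
        { sub(/#.*/, "") }                         # strip comments
        NF < 4 || $3 != "nproc" { next }           # only complete nproc rules
        $2 != "hard" && $2 != "-" { next }         # "-" sets both soft and hard
        $1 == user { exact = $4 }                  # a user entry beats the wildcard
        $1 == "*" && user != "root" { wild = $4 }  # wildcard is not applied to root
        END {
            if (exact != "") print exact
            else if (wild != "") print wild
            else print "unset"
        }' "$1"
}

# Succeed (0) only when the user has a finite hard cap.
is_capped() {
    case "$(hard_nproc_for "$1" "$2")" in
        unset|unlimited|infinity|-1) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample input, not taken from any real system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# <domain> <type> <item> <value>
*        soft   nproc  200
*        hard   nproc  300   # default for ordinary users
alice    -      nproc  50
deploy   hard   nproc  unlimited
EOF

for u in alice bob deploy root; do
    if is_capped "$sample" "$u"; then state="capped"; else state="NOT capped"; fi
    printf '%-7s hard nproc=%-10s %s\n' "$u" "$(hard_nproc_for "$sample" "$u")" "$state"
done
```

Point the functions at /etc/security/limits.conf (and any files under /etc/security/limits.d/) and compare the result with ulimit -u in a fresh login session, since PAM applies the file at login.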

Related: How to: Prevent a fork bomb by limiting user process under Linux.

Update: Check out comment # 5 for more fork bomb examples under Perl, Windows XP and C.

{ 31 comments… read them below or add one }

1 mastrboy November 26, 2007 at 9:53 am

I tested this on a fresh install of CentOS and it totally crashed :P

How about a nice “howto” for protecting against these attacks?

2 raj November 27, 2007 at 12:01 am

I second the vote for a nice howto.

Cheers

3 queue November 27, 2007 at 5:02 pm

Thirded!

How to prevent a “fork bomb”.

4 Bharat November 28, 2007 at 1:19 am

Yes How to must be started, for the benefits of the innocent users, as the viruses are spread by entities whose brains are configured differently.

5 l33t November 28, 2007 at 9:09 am

Perl example:

perl -e "fork while fork" &

Python example:

import os
while True:
    os.fork()

Windows XP / Vista bat file example:

:bomb
start %0
goto bomb

UNIX style for Windows:

%0|%0

C program example:

#include <unistd.h>
int main() {
    while (1)
        fork();
}

Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system.

6 Ofloo November 28, 2007 at 11:42 am

Another one is that when you have set a quota for your mailboxes and crontab is generating mail over and over eventually the quota will exceed, after a while the mailq will fill up with 1000’s of mail and the system will crash.

7 kunal November 28, 2007 at 11:52 am

Hi,

I ran it on my testing server and it started consuming my server's processes.
So one thing is clear from this fork bomb: it starts issuing new processes rather than threads.

How do we prevent our sites from such fork attacks?

Thanks in advance

8 Toni Kingo January 5, 2013 at 6:39 pm

Yes. And when I don’t tie my shoe laces, I can fall…

And, and, … And, … when I eat too much, I get stomach ache

9 nixCraft November 28, 2007 at 12:56 pm
10 Bash November 28, 2007 at 2:27 pm

I tried this on a virtual instance of SLAX, and it totally killed it.

11 bort December 5, 2007 at 4:21 pm

perl inline…

perl -e "fork while fork" &

12 ATOzTOA January 30, 2008 at 4:15 am

Sleek code :)

I tried on FC4. Took only 1 minute as root.

In WinXP, I waited till 7 minutes. Displayed some errors and all, but was responding. Tried MS Word, Task Manager, nothing could be executed. The machine was useless until reset.

13 bradley March 31, 2008 at 6:06 pm

This works very quickly on all windows:

:bomb
%0 | %0
goto bomb

14 Joe November 13, 2008 at 11:04 pm

This works faster on all windows:

:bomb
start %0
%0|%0
goto bomb

15 sharfah November 22, 2008 at 2:42 pm

A fork bomb process which can no longer fork exits. The following short Z Shell code will typically get rid of the above fork bomb in about a minute:

while (sleep 100 &!) do; done

It keeps trying and will eventually start a new do-nothing process; Each new do-nothing process reduces the number of rampant “fork bomb” processes by one, until eventually all of them are eradicated, at which point the do-nothing processes can exit.

16 stealth August 29, 2009 at 9:00 pm

Use ulimit -u 30 (where 30 is the max number of processes) to protect yourself from this attack (or configure your limits.conf).

17 Peter September 28, 2009 at 3:55 pm

That would make a VERY geeky tattoo.

:(){ :|:& };:

18 Edward October 17, 2009 at 1:20 pm

This did 100% of nothing on my AuroraUX^[1] machine.
Load went up for about min to min and a half, then the kernel killed the process for me.
Silly Linux..
[1] – http://www.auroraux.org/

19 PyrexKidd June 17, 2010 at 6:15 pm

On my Ubuntu 10.04 LTS the fork bomb launched about 2500 processes and then my kernel killed it. Total time ~< 5 min.

20 Marc November 20, 2009 at 6:33 pm

How would I send a forkbomb/ebomb to an IP without requiring passwords like the ones controlled by keys when you simultaneously press keys it opens up stuff on the target's IP.

21 Victor Chaves August 12, 2010 at 7:31 pm

Debian 5 is immune to this fork bomb.

22 newklear November 17, 2010 at 8:25 pm

PCLinuxOS is immune

23 Änönymöüs January 11, 2011 at 4:26 pm

WARNING! These examples may crash your computer if executed.

may?
They WILL crash your comp.
Win7 – batch WILL kill (also input lag)

24 Ellisgeek March 4, 2011 at 1:22 am

Try this on for (lack) of size:

#!/bin/bash
$0&
$0

Very tiny fork bomb :D

25 modchan October 7, 2011 at 10:47 am

Tried on Mac OS X 10.7.1 from root, bomb was killed in 0.003 s.

26 Tryme December 1, 2011 at 3:52 pm

:(){ : | : & }; :
  • :() is a function name with the open and close parenthesis representing no parameters. The body of this function is within the braces {}.
  • : | : is a recursive call since : is the name of the function. The function gets called twice and is piping input from one call to the other.
  • & backgrounds the previous function call so that it will not die.
  • ; finishes the function declaration.
  • : Calls the function just defined.

27 StarDust January 6, 2012 at 11:52 am

I did the %0|%0 command in Windows XP. Type into Notepad and saved as FORKBOMB.BAT then double-clicked. Fortunately, I already had task manager running, so I right-clicked explorer and hit “end process tree” which left me with a blank desktop. I then used Alt+Ctrl+Del to reopen Task Manager and from there, typed explorer.exe in the RUN dialog to get Windows back up without rebooting.

If you add an additional command, for example:

PING [insert url of hated website]

you can spam out DOS attacks as well while you watch your computer crash. Seriously people, don’t do that…

28 Stephen Wood July 24, 2012 at 11:15 pm

It’s almost a rite of passage to get tricked into running this command when you get your first system. Part of unwinding why your system just crashed actually teaches you quite a bit about unix pipes.

For that reason I’m partly sad that in at least Ubuntu 12.04, the default ulimit setting prevents the bomb from taking down the system.

29 mark February 25, 2014 at 10:36 pm

There is a minimal “cure” for this.

Classic REISUB Linux magic key combo always works for rebooting computer, however, using Alt+SysRq+K will stop all processes on current tty. In the case it doesn’t work, probably you’re on X server and need to use Alt+SysRq+RK.

30 sugatang itlog July 22, 2014 at 3:18 pm

Ahihi! CoreOS is immune. Though the system was unresponsive for 2 minutes.

31 sugatang itlog July 22, 2014 at 3:33 pm

Ooops! Totally crashed. fork: Cannot allocate memory. Then Call Trace. Then, not responding to anything, just call trace. Awesome! Is this second to vmsplice?

More power nixCraft!
