Q. Can you explain the following bash code or bash fork() bomb?
:(){ :|:& };:
A. This is a bash function that calls itself recursively. It is about the most horrible code you can run on any Unix / Linux box. Sysadmins often use it to test user process limits (Linux process limits can be configured via /etc/security/limits.conf and PAM).
Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it.
WARNING! These examples may crash your computer if executed.
Understanding :(){ :|:& };: fork() bomb code
:() - Defines a function named ':'. It accepts no arguments at all. Generally, a bash function is defined as follows:
foo(){
    arg1=$1
    echo ''
    # do_something on $arg1 argument
}
The fork() bomb is defined as follows:
:(){ :|:& };:
:|: - Next, the function calls itself (a programming technique called recursion) and pipes its output to another call of the function ':'. The worst part is that the function gets called twice each time to bomb your system.
& - Puts the function call in the background so the child cannot die at all and starts eating system resources.
; - Terminates the function definition.
: - Calls (runs) the function, i.e. sets off the fork() bomb.
Here is more human-readable code:
bomb() {
bomb | bomb &
}; bomb
A properly configured Linux / UNIX box should not go down when a fork() bomb is set off.
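To check what "properly configured" means on a given host, this added example (not from the original article) reads a limits.conf-style file and reports the hard nproc limit that applies to a user. The function names, sample users and sample policy are constructed for illustration.

```shell
# Added example (not from the original page): report the hard nproc limit that a
# limits.conf-style file gives a user. Handles user, @group and '*' domains only.
# Precedence per limits.conf(5): user entry > @group entry > '*' wildcard; group
# and wildcard entries are not applied to root. Assumption: among entries of
# equal precedence the later line wins.

# usage: nproc_hard_limit USER FILE [GROUP...] -> a number, "unlimited" or "none"
nproc_hard_limit() {
    _user=$1 _file=$2; shift 2
    awk -v user="$_user" -v grps=" $* " '
        NF < 4 || $1 ~ /^#/ { next }                      # blank, short or comment line
        $3 != "nproc" || ($2 != "hard" && $2 != "-") { next }   # "-" sets soft and hard
        {
            rank = 0
            if ($1 == user) rank = 3
            else if (user != "root" && $1 ~ /^@/ && index(grps, " " substr($1, 2) " ")) rank = 2
            else if (user != "root" && $1 == "*") rank = 1
            if (rank > 0 && rank >= best) { best = rank; value = $4 }
        }
        END {
            if (!best) print "none"
            else if (value == "unlimited" || value == "infinity" || value == "-1") print "unlimited"
            else print value
        }' "$_file"
}

# Exit status 0 only when a finite hard limit applies to the user.
nproc_is_bounded() {
    case $(nproc_hard_limit "$@") in
        none|unlimited) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample policy (not taken from any real host).
SAMPLE_LIMITS=$(mktemp)
trap 'rm -f "$SAMPLE_LIMITS"' EXIT
cat > "$SAMPLE_LIMITS" <<'EOF'
# <domain>  <type>  <item>  <value>
*           soft    nproc   200
*           hard    nproc   300
@students   hard    nproc   50
alice       -       nproc   unlimited
EOF

for u in bob alice root; do
    printf '%s: hard nproc = %s\n' "$u" "$(nproc_hard_limit "$u" "$SAMPLE_LIMITS")"
done
printf 'carol (students): hard nproc = %s\n' "$(nproc_hard_limit carol "$SAMPLE_LIMITS" students)"
```

On a live system, call it as `nproc_hard_limit "$USER" /etc/security/limits.conf $(id -Gn)`; a result of "none" or "unlimited" means this file places no cap on that account's process count.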
Related: How to: Prevent a fork bomb by limiting user process under Linux.
Update: Check out comment # 5 for more fork bomb examples under Perl, Windows XP and C.
- Last Updated: 02/4/08



I tested this on a fresh install of CentOS and it totally crashed :P
How about a nice “howto” for protecting against these attacks?
I second the vote for a nice howto.
Cheers
Thirded!
How to prevent a “fork bomb”.
Yes, a how-to must be started, for the benefit of innocent users, as the viruses are spread by entities whose brains are configured differently.
Perl example:
Python example:
import os
while(1):
    os.fork()
Windows XP / Vista bat file example:
UNIX style for Windows:
C program example:
#include <unistd.h>
int main() { while(1) fork(); }
Please note that the fork bomb is a form of denial of service, so don’t run it on a production or unauthorized system.
Another one is that when you have set a quota for your mailboxes and crontab is generating mail over and over, eventually the quota will be exceeded; after a while the mailq will fill up with 1000’s of mails and the system will crash.
Hi,
I ran it on my testing server and it started consuming my server's processes.
So one thing is clear from this fork bomb: it starts issuing new processes rather than threads.
How do we protect our sites from such fork attacks?
Thanks in advance
kunal,
Read http://www.cyberciti.biz/tips/linux-limiting-user-process.html
I tried this on a virtual instance of SLAX, and it totally killed it.
perl inline…
perl -e "fork while fork" &
Sleek code :)
I tried on FC4. Took only 1 minute as root.
In WinXP, I waited till 7 minutes. Displayed some errors and all, but was responding. Tried MS Word, Task Manager, nothing could be executed. The machine was useless until reset.
This works very quickly on all windows:
:bomb
%0 | %0
goto bomb
This works faster on all windows:
:bomb
start %0
%0|%0
goto bomb
A fork bomb process which can no longer fork exits. The following short Z Shell code will typically get rid of the above fork bomb in about a minute:
while (sleep 100 &!) do; done
It keeps trying and will eventually start a new do-nothing process; each new do-nothing process reduces the number of rampant “fork bomb” processes by one, until eventually all of them are eradicated, at which point the do-nothing processes can exit.
Use ulimit -u 30 (where 30 is the maximum number of processes) to protect yourself from this attack (or configure your limits.conf).
That would make a VERY geeky tattoo.
:(){ :|:& };:
This did 100% of nothing on my AuroraUX^[1] machine.
Load went up for about a minute to a minute and a half, then the kernel killed the process for me.
Silly Linux..
[1] – http://www.auroraux.org/
How would I send a forkbomb/ebomb to an IP without requiring passwords, like the ones controlled by keys, when you simultaneously press keys it opens up stuff on the target's IP?