--:-- * you opened a paste from novatechnocrat in #security
-!- posted 2025-03-12 · edited 2026-06-27 · #network-security

Fork bombs

Fork Bombs: Technical Writeup

Overview

A fork bomb is a denial-of-service (DoS) attack that exhausts system resources by recursively spawning processes until the system stops responding. It abuses the fork system call on Unix-like systems, or the equivalent process-creation mechanism elsewhere, so that the number of processes grows exponentially until CPU, memory, or the process table is exhausted[1][4]. Unlike network flooding attacks, a fork bomb needs no traffic at all: an attacker who can already run commands on the host consumes resources from the inside, often leaving the system unresponsive until it is rebooted[1][7].


How Fork Bombs Work

  • Unix/Linux Systems:
    Fork bombs use the fork() system call to duplicate the running process. Each copy immediately creates further copies, so the process count doubles (or worse) with every generation until the process table and CPU are saturated[4][7].
  • Windows Systems:
    Windows has no native fork() equivalent, so fork bombs are written as batch scripts that launch new instances of themselves, for example with %0|%0 or start %0, until no more processes can be created[2][3].

Examples

Linux Fork Bomb

The classic Bash fork bomb:

:(){ :|:& };:
  • Breakdown:
    • :() defines a function named : (a bare colon is a legal function name in Bash, which is what makes the one-liner so compact).
    • { :|:& } is the function body: it calls the function, pipes its output into a second call, and puts the whole pipeline in the background. Both sides of a pipe run as separate processes, so every invocation spawns two more; that is the exponential step.
    • }; closes the definition, and the final : invokes the function for the first time, triggering the chain reaction[2][7][10].
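The doubling described in the breakdown can be watched safely. The script below is an added example, not part of the original writeup: it keeps the exact shape of :(){ :|:& };: (two copies per call, one on each side of a pipe, run in the background) but stops at a fixed depth and logs every process it creates, so the measured count can be compared with the closed form 2^(d+1) - 1. All names in it are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): a *defused* fork bomb.
# It keeps the shape of  :(){ :|:& };:  (every call runs two copies of
# itself, one per side of the pipe) but stops at a fixed depth and
# records each process it creates, so the doubling can be observed
# without taking the machine down.

# One generation of the bomb. Appends this process's PID to the log,
# then, unless the depth cap is reached, launches two more copies in a
# background pipeline exactly as ":|:&" does. The trailing "wait" is the
# defusing part: it blocks this level until both children (and all of
# their descendants) have exited, so the caller gets a complete log.
defused_bomb() {
  local depth=$1 max=$2 log=$3
  echo "${BASHPID:-$$}" >> "$log"
  if [ "$depth" -lt "$max" ]; then
    defused_bomb $((depth + 1)) "$max" "$log" |
      defused_bomb $((depth + 1)) "$max" "$log" &
    wait
  fi
}

# Runs a bomb capped at depth $1 and prints how many processes it made.
count_defused_bomb() {
  local max=$1 log
  log=$(mktemp) || return 1
  defused_bomb 0 "$max" "$log"
  wc -l < "$log" | tr -d ' '
  rm -f "$log"
}

# Closed form for the same number: each generation doubles, so a bomb
# capped at depth d creates 1 + 2 + 4 + ... + 2^d = 2^(d+1) - 1 processes.
expected_count() {
  echo $(( (1 << ($1 + 1)) - 1 ))
}

# Stand-alone run: compare the measured count with the closed form.
# The real bomb has no cap, so this sequence simply never stops.
for d in 0 1 2 3 4 5; do
  printf 'depth %d: %s processes (expected %s)\n' \
    "$d" "$(count_defused_bomb "$d")" "$(expected_count "$d")"
done
```

Remove the depth check and the wait, and this is the real thing: nothing else in the one-liner is doing any work. The wait also explains why the original is so hard to stop: every generation returns immediately and orphans its children, so there is no parent left to signal.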

Windows Fork Bomb

A batch script example:

%0|%0
  • Breakdown:
    • %0 expands to the name of the script itself.
    • cmd.exe runs each side of a pipe (|) as a separate process, so every instance launches two further copies of the script, recursively, until resources are depleted[3][4].

Another Windows variant:

@echo off
:a
start %0
goto a

Each instance opens a new Command Prompt window running the same script in an endless loop, and every one of those windows does the same, overwhelming the system[2].


Mitigation Strategies

Linux/Unix

  1. Process Limits:
    • Edit /etc/security/limits.conf to cap the number of processes per user:
      * hard nproc 100
      Note that * and @group entries are not applied to root; a limit for root needs a line naming root explicitly. The value also has to leave room for legitimate work: a desktop session or a build job can easily exceed 100 processes.
    • Use ulimit -u 100 to cap processes for the current shell and its children; this protects only that session, not other logins[1][8][9].
    • On systemd hosts the cgroup pids controller gives a per-slice cap (pids.max, set with TasksMax= on a unit or slice, or DefaultTasksMax= in system.conf) that also covers processes started outside a PAM login session.
  2. Memory Restrictions:
    Limit per-process memory with ulimit -v (virtual address space) or with cgroups. ulimit -m (RLIMIT_RSS) is accepted by the shell but not enforced by the Linux kernel, so it is not a mitigation[1][8].
  3. Updates and Monitoring:
    Monitor per-user process counts (an IDS or host monitor should alert when one user's count doubles within seconds) and keep systems patched[1][9].
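The three Linux controls above can be audited from a shell. The script below is an added example, not part of the original writeup: it resolves the hard nproc that pam_limits would give a user from a limits.conf-format file (using pam_limits precedence: a named user beats an @group line, which beats the * default), reads a cgroup pids.max, and reports the current session's ulimit -Hu. The limits.conf content is constructed for the example, the function names are its own, and the last-line-wins tie rule within one precedence rank is an assumption of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): audit the Linux knobs
# that cap a fork bomb. Every check takes its input as an argument, so
# it runs on the constructed file below and, pointed at
# /etc/security/limits.conf or a cgroup directory, on a live host.

# Constructed limits.conf (sample data for this example, not a real
# host's file). The commented-out "*" line is the weak setting; the
# "* hard nproc 100" line beneath it is the corrected one.
write_sample_limits_conf() {
  cat > "$1" <<'EOF'
# constructed sample limits.conf
#*        hard nproc unlimited      (weak: no cap at all)
*         soft nproc 4096
*         hard nproc 100
@build    hard nproc 500
alice     hard nproc 2000
EOF
}

# Hard nproc that pam_limits would apply to user $2 from file $1.
# Precedence follows pam_limits: a line naming the user beats an
# "@group" line for one of the user's groups, which beats the "*"
# default. Group membership is passed as the optional $3 so the example
# stays offline. Within one rank the last matching line wins (a
# simplification assumed here). Remember that "*" and "@group" entries
# never apply to root; root needs a line naming it explicitly.
hard_nproc_for_user() {
  local file=$1 user=$2 group=${3:-}
  local domain type item value rank best=9 best_val=""
  while read -r domain type item value _ || [ -n "$domain" ]; do
    case "$domain" in ''|\#*) continue ;; esac
    [ "$item" = nproc ] || continue
    [ "$type" = hard ] || [ "$type" = - ] || continue   # "-" sets both
    if [ "$domain" = "$user" ]; then rank=0
    elif [ -n "$group" ] && [ "$domain" = "@$group" ]; then rank=1
    elif [ "$domain" = '*' ]; then rank=3
    else continue
    fi
    if [ "$rank" -le "$best" ]; then best=$rank; best_val=$value; fi
  done < "$file"
  echo "${best_val:-unlimited}"
}

# cgroup v2 pids controller: pids.max holds a number or the word "max",
# and "max" means the cgroup imposes no cap (systemd sets this file via
# TasksMax= on a unit or slice).
pids_cap() {
  local value
  value=$(cat "$1") || return 1
  [ "$value" = max ] && echo unlimited || echo "$value"
}

# pids.max file of the cgroup this shell runs in, if it can be found.
own_pids_max_file() {
  local rel
  rel=$(sed -n 's/^0:://p' /proc/self/cgroup 2>/dev/null) || return 1
  [ -n "$rel" ] && echo "/sys/fs/cgroup${rel%/}/pids.max"
}

# Verdict: only a numeric cap at or below the threshold stops a fork
# bomb; "unlimited" (or a cap larger than the process table) does not.
verdict() {
  local cap=$1 threshold=$2
  case "$cap" in
    ''|unlimited|*[!0-9]*) echo WEAK ;;
    *) [ "$cap" -le "$threshold" ] && echo OK || echo WEAK ;;
  esac
}

# Stand-alone report: the constructed file, then the live session.
show() { printf '%-40s %-10s %s\n' "$1" "$2" "$(verdict "$2" 1024)"; }
f=$(mktemp)
write_sample_limits_conf "$f"
show 'limits.conf hard nproc: bob (* default)'  "$(hard_nproc_for_user "$f" bob)"
show 'limits.conf hard nproc: carol (@build)'   "$(hard_nproc_for_user "$f" carol build)"
show 'limits.conf hard nproc: alice (named)'    "$(hard_nproc_for_user "$f" alice)"
rm -f "$f"
show 'this session: ulimit -Hu'                 "$(ulimit -Hu)"
p=$(own_pids_max_file)
if [ -n "$p" ] && [ -r "$p" ]; then
  show "own cgroup: $p" "$(pids_cap "$p")"
fi
```

The threshold of 1024 is arbitrary; what matters is that the verdict flags "unlimited" and caps that are larger than the host can survive, since a fork bomb under a 2000-process cap still pins the CPU even though the process table stays open. The limits.conf check only tells you what a PAM login would get; the ulimit and cgroup lines show what the current process actually has, which is the number that counts.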

Windows

  1. User Permissions:
    Restrict non-admin users from running batch files and other scripts[1].
  2. Task Manager:
    Terminate the offending processes promptly with taskkill (for example taskkill /F /IM cmd.exe, which stops every running instance of the interpreter) or from PowerShell[3].
  3. Group Policy:
    Use Group Policy (Software Restriction Policies or AppLocker) to block script execution for untrusted users[3].

Key Characteristics

  • Trigger: Immediate upon execution; no delay or external input is needed.
  • Impact: System freeze, crash, or forced reboot[1][4].
  • Propagation: Exponential replication of processes on a single host; a fork bomb does not spread to other machines the way self-propagating malware does[4][7].
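The characteristics above (instant onset, one user's process count exploding, every process the same command) are what a host monitor should key on, and the monitoring item under Mitigation Strategies needs the same logic. The script below is an added example, not part of the original writeup: it runs a detector over a ps-style snapshot and prints the containment sequence that works against a running bomb (freeze with SIGSTOP, then kill, because a plain kill sweep races against new forks). The snapshot is constructed for the example and the function names are its own.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): a snapshot detector
# for the fork-bomb pattern, one user's process count exploding with
# almost every process the same command, plus the containment sequence
# that actually works against it. Input is ps-style text
# "USER PID PPID COMM", so the functions run on the constructed sample
# here and on `ps -eo user,pid,ppid,comm` on a live host.

# Constructed snapshot (sample data for this example, not a real host):
# alice's login shell has forked into seven bash processes, bob is
# editing a file.
write_sample_snapshot() {
  cat > "$1" <<'EOF'
USER PID PPID COMM
root 1 0 systemd
root 812 1 sshd
alice 2010 812 bash
alice 2011 2010 bash
alice 2012 2010 bash
alice 2013 2011 bash
alice 2014 2011 bash
alice 2015 2012 bash
alice 2016 2012 bash
bob 3001 812 vim
EOF
}

# Prints "user total top_comm top_count" for each user whose process
# count reaches the threshold; the dominant command name is what
# distinguishes a bomb (one name, hundreds of copies) from a busy but
# legitimate user. Users below the threshold produce no output.
suspect_users() {
  local snapshot=$1 threshold=$2
  awk -v t="$threshold" '
    NR > 1 { total[$1]++; per_comm[$1, $4]++ }
    END {
      for (u in total) {
        if (total[u] < t) continue
        best = ""; best_n = 0
        for (k in per_comm) {
          split(k, p, SUBSEP)
          if (p[1] == u && per_comm[k] > best_n) { best_n = per_comm[k]; best = p[2] }
        }
        print u, total[u], best, best_n
      }
    }' "$snapshot"
}

# Containment for a flagged user. SIGSTOP first: a plain SIGKILL sweep
# races against the bomb, which keeps forking replacements while the
# sweep runs, whereas frozen processes cannot fork, so the following
# KILL lands on all of them. The commands are printed, not executed,
# so this example is safe to run; pipe the output into sh to arm it.
response_plan() {
  echo "pkill -STOP -u $1"
  echo "pkill -KILL -u $1"
}

# Stand-alone run over the constructed snapshot.
f=$(mktemp)
write_sample_snapshot "$f"
suspect_users "$f" 5 | while read -r user total comm n; do
  printf 'ALERT user=%s procs=%s dominant=%s x%s\n' "$user" "$total" "$comm" "$n"
  response_plan "$user"
done
rm -f "$f"
```

A real monitor polls this every second or two and compares consecutive snapshots: a bomb goes from one process to the nproc cap in well under a second, so the absolute threshold catches it on the first poll after it fires, and the doubling between polls is what separates it from a user who merely has many processes. The STOP-then-KILL order matters only when no process limit is in place; with a cap the bomb stalls on its own and a plain kill is enough.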

Historical Context

Fork bombs date to 1969 with the “RABBITS” attack on Burroughs systems. The term “wabbit” emerged in 1978 for similar attacks on IBM System/360[4]. Modern variants leverage scripting languages like Python or Java to replicate the effect[5].


Conclusion

Fork bombs remain a potent threat to system stability, particularly in Unix-like environments. Mitigation hinges on resource limits, user permissions, and proactive monitoring. While Windows is less vulnerable to traditional fork bombs, batch-based attacks necessitate strict script controls[1][3][9]. Hard reboots are often the only recovery option, underscoring the importance of preventive measures[1][7].

Citations:
[1] https://nordvpn.com/cybersecurity/glossary/fork-bomb/
[2] https://mostwanted002.gitlab.io/post/fork-bomb-windows/
[3] https://stackoverflow.com/questions/13436408/what-is-00-and-how-does-it-work
[4] https://en.wikipedia.org/wiki/Fork_bomb
[5] https://security.packt.com/a-helpful-guide-for-understanding-fork-bombs-rabbit-virus/
[6] https://www.youtube.com/watch?v=nB_s79lHSVs
[7] https://www.supportpro.com/blog/what-is-a-fork-bomb-and-how-can-it-be-prevented/
[8] https://resources.cs.rutgers.edu/docs/preventing-fork-bomb-on-linux/
[9] https://www.okta.com/identity-101/fork-bomb/
[10] https://www.wallarm.com/what/fork-bomb
