Protecting Linux from Fork Bombs

Written by Mark Sanborn: Apr 3, 2008

Fork bombs are basically a never ending loop. They open a processes that opens other processes that open even more processes exponentially. Causing any computer to lock up within a matter of seconds. Although they have to be ran from a logged in user they are still a threat. Users can unintentionally cause a complete lockup of a production server.

Here is an example of one of these fork bombs:

:(){ :|:& }; :

It looks harmless. But I have to warn you. It will lock up your system in a matter of seconds. If you want to try it out on your own desktop for fun go ahead. I think it will work on a Mac too. Mac has built in protection for this sort of attack.

How do we protect against it?

For Linux edit /etc/security/limits.conf and add these two lines.

@users soft nproc 100 @users hard nproc 150

These lines will prevent anyone in the ‘users’ group from running more than 150 processes. It will also warn the user after they reach 100 processes.

Note: This effects the group users. If your users are under a different group you will need to change this.

If you are not sure if your user in the ‘users’ group. You can issue the command:

$ group

If the user is not in the users group you will need to use the following command:

# usermod -a -G users mark

After adding the user to the group you may need to relogin to make sure you are now effected by groups.

Now when you issue the command it should die with:

-bash: fork: Resource temporarily unavailable

You are now successfully protected against fork bombs.

Need to print shipping labels on your site?

Checkout my product RocketShipIt for simple easy-to-use developer tools for UPS™ FedEx™ USPS™ and more.

Share: