1. Overview

In this tutorial, we’re going to understand how a Bash fork bomb works and how we prevent it.

2. How It Works

A Bash fork bomb is a sequence of Bash commands running a neverending recursive function, resulting in an out of control consumption of system resources eventually making the system become unresponsive or even crash.

The most common way to create a fork bomb is to define a function that creates a child process of the same function in the background:

# Warning: don't run this command on your computer unless you want it to crash.
$ :(){ :|: & };:

This is the definition of a function named “:” that will execute itself, returning the result with a pipe to another instance of itself executed in the background. The function is then called the first time with the :  at the end of the line.

We can also write this Bash fork bomb in a more human-readable way:

forkbomb() { 
    forkbomb | forkbomb & 

We can see that this function is calling itself twice every time and it has no way to terminate itself. This will eventually result in a system crash.

3. Mitigation Techniques

Fork bombs are not unique to Bash, many other languages can implement them.

There are mainly two reasons a fork bomb can happen:

  • A software bug which at some point creates too many processes, crashing the computer
  • A malicious hacker attack, where the hacker finds a way to run their code on the victim’s system and implements a fork bomb in order to perform a denial of service on that computer

We can prevent a Bash fork bomb from crashing our system by limiting how many processes our user can run.

We can achieve this by editing the /etc/security/limits.conf file with root permissions and set the maximum number of processes for the user:

user_name hard nproc number_of_processes

Now the question would be, what’s a good number of processes to set as a limit?

A simple way to know a good number is to open as many programs as we would normally use simultaneously and then count them in the terminal:

$ ps aux -L | cut --delimiter=" " --fields=1 | sort | uniq --count | sort --numeric-sort | tail --lines=1

We should then take that number and multiply by 2 to be conservative. We do that because if we set a number too low, we might run into some issues during our day to day use.

After that, we can finish editing the /etc/security/limits.conf file and finally reboot the system to apply the new configuration.

4. Helpful Use Cases

As it turns out, fork bombs actually have their uses outside of attackers.

For example, system administrators often use Bash fork bombs in order to test if they have configured a server correctly or to perform stress tests on their systems.

The Bash fork bomb can also be used to test if a watchdog will properly reboot a Linux Embedded Board when the system freezes.

5. Conclusion

In this article, we described what a Bash fork bomb is, its implications, and how to prevent it from crashing our systems. We also took a look at how to use the fork bomb for testing purposes.

Notify of
Inline Feedbacks
View all comments