Prevent fork bomb by limiting user process in linux

A Fork Bomb is a denial-of-service (DoS) attack against a Linux based system. It makes use of the fork operation to create infinite processes and is called as “Rabbit Virus or wabbit”. The system process continually replicates itself to deplete available system resources, causing resource starvation, slowing or crashing the system. This article gives insights on – how to prevent a fork bomb attack in Linux system.

Fork Bomb uses a bash code and gets executed repeatedly. Linux system admin often uses bash function to test the user process limitations and this specific process can be configured in /etc/security/limits.conf file. Once Fork Bomb is activated in Linux system, it may not possible to get back as a normal system un-till reboot the system.

Understanding Bash code

fork() can be defined in a Bash Code as follows-


:()– This is called as fork function and this function will not accept any arguments.

:|: – This is called as recursion and pipes. It is used to call itself and calls to another function too.

– This is used to call in the background.

;– To terminate the function definition.

: – This is used to call the AKA function to set the Fork Bomb.

Understanding Fork () Bomb

Human readable fork () bomb code should be like this-

bomb() {
   bomb | bomb &
}; bomb

Prevent a Fork Bomb by Limiting User Process

The limited user process is more important for running a stable system and the user process is composed in /etc/security/limits.conf file.

Understanding /etc/security/limits.conf file

The structure in limits.conf should be like this –

<domain><type> <item> <value>

The sample output should be like this –

#<domain>    <type>    <item>    <value>
#*          soft       core        0
#root       hard       core      100000
#*          hard       rss       10000
#@student   hard       nproc      20
#@faculty   soft       nproc      20
#@faculty   hard       nproc      50
#ftp        hard      nproc       0
#ftp        -         chroot     /ftp
#@student   -         maxlogins   4

Configuring limits.conf

To prevent a “fork bomb” attack, It requires some changes in limits.conf file. To open limits.conf file, use the following command –

$ vi /etc/security/limits.conf

Add the following lines to prevent a “fork bomb” attack –

tp hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 150

The above command describes that, tp user has only 300 processes, the student group has 50 processes, similarly the faculty group consists of 100 process and pusers group will have 150 processes. If the limit is overloaded, then Linux system automatically terminates the extra processes. Now save and exit from limits.conf file.

Use the following command to test a new system by dropping a fork bomb –

$ :(){ :|:& };:

Congratulations! Now, you know “How to Prevent a fork bomb by limiting user process in Linux”. We’ll learn more about these types of commands in our next Linux post. Keep reading!

Updated on: 21-Oct-2019


Kickstart Your Career

Get certified by completing the course

Get Started