A fork bomb attack is also known as a “rabbit virus attack.” It is a denial-of-service (DoS) attack that repeatedly issues the fork system call until the target system has spent all of its resources executing a single command. The device eventually becomes so overloaded that it can no longer respond to any input. But unlike other DoS attacks, the requests don’t come from outside the network. Instead, they originate on the target system itself, making the attack look self-inflicted.

A fork system call in Unix and Linux systems takes an existing process or a parent and replicates it, forming a new process or child. It lets both processes (parent and child) carry out unique tasks simultaneously.

[Figure: process tree of a fork bomb attack; the branching processes look a little like forks. Source: https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/fork-bomb-process.jpg]

How Does a Fork Bomb Attack Occur?

In a fork bomb attack, self-replicating child processes use up resources, blocking legitimate programs from running and preventing the creation of new processes. For example, a computer suffering from it ignores keyboard inputs and logout attempts, essentially locking it down.

Because a fork loop consumes so many system resources, the computer runs out of central processing unit (CPU) time and memory long before it reaches the maximum number of allowed processes. The result is a “kernel panic”: the core operating system (OS), or kernel, can’t cope and crashes.

What Are the Effects of a Fork Bomb Attack?

Most computers freeze until they are restarted, which often requires a hard reboot. While you can stop a fork bomb attack that way, you may suffer data loss. If the system is mission-critical, like a web server, a fork bomb attack that goes unnoticed can translate to lost business and even reputational damage.

What OSs Are Vulnerable to a Fork Bomb Attack?

All Unix, Linux, or Unix-like OSs can suffer from a fork bomb attack, including computers that run on Ubuntu, Debian, Red Hat, or AIX.

What Characters Do Hackers Use to Launch a Fork Bomb Attack?

Hackers can include the characters in the table below in a basic Linux shell script to launch a fork bomb attack.

Character   Function
:()         Defines a function in Linux named :
{}          Encloses the commands that a function will run
:|:         Runs a command repetitively, piping another version of it to run in a subshell
&           Runs the preceding command in the background
;           Separates the function-defining command from the next command
:           Runs the command or newly created function

If you see these characters in a Linux shell script, it was probably created to cause a fork bomb.

What Languages Can Be Used to Create a Fork Bomb Attack Script?

Hackers can use the following languages to create a malicious script for a fork bomb attack:

  • Python
  • Java
  • Ruby
  • C

How Can You Prevent a Fork Bomb Attack?

While more advanced hackers can take control of Unix, Linux, or Unix-like computers to launch a fork bomb attack, users can still improve their security by:

  • Using the Unix or Linux ulimit parameter to cap the number of processes a user can create. Setting the parameter to ulimit=30 prevents a system user from running more than 30 processes simultaneously. Note, though, that you need to set the command in each session, as the limit is reset when the session ends.
  • Setting process limits in the /etc/security/limits.conf file. This is better than the first option: it applies to all user profiles and doesn’t get reset after each session.
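The two mitigations above, as an added shell example that is not from the original page: session_capped reports whether the current shell's per-user process limit (ulimit -u, the flag that governs this limit) is finite, and effective_nproc resolves which nproc entry of a limits.conf fragment applies to a given user, with user entries taking precedence over @group entries and the * default. The limits.conf fragment, user names and group names are constructed sample data.

```shell
#!/bin/sh
# Added example: check the per-user process caps that mitigate a fork bomb.
# "ulimit -u" and the limits.conf item "nproc" are the real names of these
# limits; every user, group and value below is constructed sample data.

# session_capped: exit 0 when the current shell's soft limit on user
# processes is a finite number, non-zero when it is "unlimited".
session_capped() {
  lim=$(ulimit -S -u 2>/dev/null || ulimit -u)
  [ -n "$lim" ] && [ "$lim" != "unlimited" ]
}

# Constructed limits.conf fragment: columns are domain, type, item, value.
SAMPLE_LIMITS='# domain  type  item   value
*         soft  nproc  4096
*         hard  nproc  8192
alice     hard  nproc  30
@devs     soft  nproc  200'

# effective_nproc USER "GROUP LIST" TYPE CONF
# Prints the nproc value that applies to USER for TYPE (soft or hard):
# an exact user entry beats an @group entry, which beats the * default.
# Prints "unlimited" when no entry matches.
effective_nproc() {
  printf '%s\n' "$4" | awk -v u="$1" -v g="$2" -v t="$3" '
    /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and blank lines
    $3 != "nproc"              { next }   # only process-count entries
    $2 != t && $2 != "-"       { next }   # "-" covers both soft and hard
    $1 == u                    { best = $4; rank = 3 }
    substr($1, 1, 1) == "@" && rank < 2 && index(" " g " ", " " substr($1, 2) " ") { best = $4; rank = 2 }
    $1 == "*" && rank < 1      { best = $4; rank = 1 }
    END { print (rank ? best : "unlimited") }'
}

# Stand-alone run: report the session state and a few constructed lookups.
if session_capped; then echo "session: user process limit is capped"; else echo "session: unlimited"; fi
for who in alice bob; do
  echo "$who hard: $(effective_nproc "$who" devs hard "$SAMPLE_LIMITS")"
  echo "$who soft: $(effective_nproc "$who" devs soft "$SAMPLE_LIMITS")"
done
```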

When Was the First Fork Bomb Attack Seen?

The first fork bomb attack was reported in 1978. It involved a short program nicknamed “wabbit,” hence the alternate name “rabbit virus attack,” which made copies of itself ad infinitum. Any malware like it could lie in wait in a victim’s computer disguised as an innocent-looking file sent via email. When opened, the fork bomb can get unleashed.

A fork bomb attack can affect any Unix, Linux, or Unix-based computer and is hard to detect. Mitigation, by limiting the number of processes any user can run simultaneously, is therefore critical.