Bash Fork Bomb And The Cure

Note: This post is over two years old and so the information contained here might be out of date. If you do spot something please leave a comment and we will endeavour to correct.

24th June 2008 - 4 minutes read time

A fork bomb is a simple bit of shell code that, once run, will soon fill all available memory and fork space with itself. Here is the code, and remember, don't try this at home!

$ :(){ :|:& };:

To explain what is going on we need to cut this code into sections. The first thing we do is refine a function called ":", which accepts no parameters.

$ :(){};

We then get this function to run itself recursively and also to run another version of itself in the background, this creates another fork of the program.

$ :|:&

Finally we start it all off with the first function call.

$ :

Once a fork bomb has been started on a system it will usually only be stopped by rebooting. The only way to cure the bomb is to destroy all instances of it in the system. This is quite difficult as it requires running another program, which can't run due to the filled memory space.

There is a cure with this particular fork bomb on Linux systems. If you try often enough you can get a do nothing process to run which reduces the number of forks in the fork bomb by one. Keep on running these processes and you will eventually eradicate the bomb, at which point the do nothing processes will exit.

If a fork bomb has been started on your system then you can have a go at running this Z shell command, which typically causes the fork bomb to exit after about a minute.

while (sleep 100 &!) do; done

To prevent a fork bomb you can set a limit to the number of forks that a user can run. This can be done in /etc/security/limits.conf and PAM, although these are not found on all systems by default. Once the fork bomb reaches the limit of forking it simply exists. However, if the bomb is run as the root user then it will proliferate until all of the system resources are filled.

linux