Fork Bomb

In this essay, we explore a simple yet effective DoS attack called Fork Bomb, also called Rabbit Virus. This attack forks out processes infinitely, starving them for any resources.

Online Coding Platforms and Code Evaluators are susceptible to this attack as they accept raw code from the user and execute it. So, if you are building one, do ensure you are protected against it and infinite loops. We will also discuss how to prevent and defend against Fork Bomb in the final section of this essay.

How do they work?

Fork bombs can be summarized in just three words: Fork until possible. When executed, fork bombs continuously fork out non-terminating processes, demanding machine resources like CPU (mostly) and memory.

Fork Bomb

With so many processes competing for the CPU and other resources (if provisioned), the scheduler and CPU are put under tremendous load. After a specific limit, the entire system stalls.

Implementing Fork Bombs

Before we take a look at how to prevent or stop a Fork Bomb, let's look at something more interesting - how to implement a Fork Bomb?

A quick detour, let's see what fork does: Upon every invocation, the forked child process is an exact duplicate of the parent process except for a few details, but nonetheless what matters to us is that it runs the exact same code as the parent.

C implementation

A simple C implementation of a Fork Bomb could be, to fork child processes within an infinite for loop, resulting in exponential forking of child processes.

#include <unistd.h>
int main(void) {
    for (;;) {

With the fork being invoked inside the infinite for loop, every single child process and the parent process will continue to remain stuck in the infinite loop while continuously forking out more and more child processes that execute the same code and stuck in the same loop; and thus resulting in exponential child forks.

These child processes start consuming the resources and blocking the legitimate programs. This prevents the creation of any new processes. This also freezes the process that responds to Keystrokes, putting the entire system to a standstill.

Bash implementation

There is a very famous Fork Bomb implementation in Bash, and the code that does this has no alphabets or numbers in it, just pure symbols.

:(){ :|:& };:

Although the shell statement looks gibberish, it is effortless to understand. In the statement above, we are defining a function named : having body :|:& and at the end invoking it using the name :, just like any usual shell function.

As part of the function body, we are again invoking the same function : and piping its output to the input of a background process executing another instance of :. This way, we are recursively invoking the same function (command) and stalling it by creating a pipe between the two.

A cleaner way to redefine this very implementation of Fork Bomb would be

bomb() { 
    bomb| bomb& 

How to prevent them?

To protect our system against Fork Bombs, we can cap the processes owned by a certain user, thus blocking process creation at that cap.

Using the *nix utility called ulimit, we can set the maximum number of processes that a user can execute in the system, using the flag -u. By setting this value to an appropriate (lower) value, we can cap the process creation for a user, ensuring we can never be fork bombed by that user.


Arpit Bhayani

Arpit's Newsletter

CS newsletter for the curious engineers

❤️ by 30000+ readers

If you like what you read subscribe you can always subscribe to my newsletter and get the post delivered straight to your inbox. I write essays on various engineering topics and share it through my weekly newsletter.

Other essays that you might like

Powering Inheritance in C using Structure Composition

3850 reads 2020-06-07

C language does not support inheritance however it does support Structure Compositions which can be tweaked to serve use...

Better Ranking using Bayesian Average

526 reads 2020-04-12

Ranking a list of movies, products, books or even restaurants is tricky and in this article, we find what works for such...

Super Long Integers in Python

3584 reads 2020-01-10

Python must be doing something beautiful internally to support super long integers and today we find out what's under th...

Why MongoDB's cursor.skip() is Slow?

2088 reads 2017-06-04

MongoDB's cursor.skip() is very inefficient, why is that? Even though it is slow and inefficient, team MongoDB wants to...

Be a better engineer

A set of courses designed to make you a better engineer and excel at your career; no-fluff, pure engineering.

Paid Courses

System Design Masterclass

A masterclass that helps you become great at designing scalable, fault-tolerant, and highly available systems.

1000+ learners

Details →

Redis Internals

Learn internals of Redis by re-implementing some of the core features in Golang.

46+ learners

Details →

Free Courses

Designing Microservices

A free playlist to help you understand Microservices and their high-level patterns in depth.

106+ learners

Details →

GitHub Outage Dissections

A free playlist to help you learn core engineering from outages that happened at GitHub.

251+ learners

Details →

Hash Table Internals

A free playlist to help you understand the internal workings and construction of Hash Tables.

427+ learners

Details →

BitTorrent Internals

A free playlist to help you understand the algorithms and strategies that power P2P networks and BitTorrent.

192+ learners

Details →

Topics I talk about

Being a passionate engineer, I love to talk about a wide range of topics, but these are my personal favourites.