What Is a Fork Bomb? Definition, Code, Prevention & Removal
A fork bomb is a denial-of-service attack. A tiny piece of code causes a process to replicate, and each time, the new instance of the program further depletes available system resources. When the attack pushes a server to the limit, it crashes.
Fork bombs aren't new. One of the very first instances of these attacks happened back in 1969. But sometimes, old threats work just as well as new ones in taking systems offline.
How does a fork bomb work?
Imagine opening hundreds or even thousands of instances of a process on your computer. The fan would whir, performance would lag, and eventually, your device would crash. A fork bomb works in much the same way.
Fork-bomb code creates a copy of a program. Once the new instance is running, the fork happens again. This process can happen indefinitely or until it exhausts all available memory. A denial-of-service attack like this can be devastating.
Implementing fork bombs is relatively easy for an experienced hacker. We won’t go into detail here (since we don’t want to give anyone the wrong idea), but often, just a tiny bit of code is required.
Can You Prevent a Fork Bomb?
You can't sit over the shoulder of every developer and keep them from including code that could harm you. But you can do two important things to ensure that a fork bomb is less likely to take your system down.
Start by limiting the maximum number of processes a single user can own. This is a remarkably easy task in Linux. If you keep your users from owning more than a handful of processes, they can't get an attack like this off the ground.
You can also limit memory use per process. If a process needs more than the limit you've set, you're likely dealing with a duplication, and you can deny execution right away. This simple step can also keep a fork bomb from depleting server capacity.
If an attacker hits you with a fork bomb, you will need to reset your server. And unfortunately, you'll need to remove every instance of the code to make the attack stop.