Re: forkbombing Linux distributions

From: Hikaru1
Date: Tue Mar 22 2005 - 06:38:23 EST


Alright, I noticed this article scared a few of my friends, so I decided to
figure out on my own a way to prevent fork bombing from completely disabling
my machine.

This is only one way to do this, and it's not particularly elegant, but it
gets the job done. If you want something more elegant, try using ulimit or
/etc/limits instead. Me? This is good enough.

Create, or edit the file /etc/sysctl.conf

In the file, find a line or otherwise create one labelled:
kernel.threads-max = 250

Now make sure at startup something runs

sysctl -p

- on my slackware 10.1 system I had to edit /etc/rc.d/rc.local and add a
line specifically to do this.

Mind that this isn't the best solution. This limits all users, everything to
250 procs, you cannot run more. If your running system or server uses more,
adjust the number accordingly.

An example of an attack this stops in its tracks:
:(){ :|:&};:

(as a command to bash)

Attacks this *limits* and enables the user to do something about:
Create a file, and put in it:

#!/bin/bash
$0 & $0 &

chmod +x it, then run it.

This will prevent it from exceeding the procs limits, but it will *not*
completely stop it. The only way to kill it off successfully is to killall
-9 the script name repeatedly. Note that you'll occasionally be unable to
run killall since the forkbomb will be hitting the limit very often.

Like I said, this is not an elegant solution, however it does increase the
ability of the person owning the machine to do something about it.

Of course, you should always use a bat on the user if nothing else works. ;)

Hikaru
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/