Introduction

A fork bomb is a denial-of-service attack that rapidly creates child processes until the system runs out of process table entries, memory, and swap space. The classic bash fork bomb :(){ :|:& };: recursively spawns copies of itself. Once triggered, the system becomes completely unresponsive as every CPU core is consumed by process creation and the kernel exhausts both RAM and swap trying to allocate memory for each new process.

Symptoms

  • System completely unresponsive - SSH, console, all I/O fails
  • Process table full: fork: Cannot allocate memory or fork: retry: Resource temporarily unavailable
  • ps aux | wc -l shows thousands of processes from a single user
  • Swap space 100% utilized alongside high RAM usage
  • Load average in the hundreds or thousands
  • dmesg shows cgroup: fork rejected by pids controller

Common Causes

  • User accidentally runs a fork bomb command in a shell
  • Malicious script or compromised account intentionally launches a fork bomb
  • Buggy script with uncontrolled recursion spawning subshells
  • No nproc ulimit configured for users
  • No cgroup pids.max limit on user sessions

Step-by-Step Fix

  1. 1.Attempt to kill the fork bomb from an existing shell session:
  2. 2.If you still have a shell open (e.g., in tmux or a root session that started before the bomb):
  3. 3.```bash
  4. 4.# Kill all processes owned by the user who launched the bomb
  5. 5.killall -u username
  6. 6.# If that fails due to resource exhaustion:
  7. 7.kill -9 -1 # Kill all processes you have permission to kill
  8. 8.`
  9. 9.If no shell is responsive, use the SysRq key sequence:
  10. 10.```bash
  11. 11.# Via /proc (if still responsive):
  12. 12.echo f | sudo tee /proc/sysrq-trigger # Trigger OOM killer
  13. 13.# Or via serial console / keyboard:
  14. 14.# Alt + SysRq + F
  15. 15.`
  16. 16.After recovering access, identify and clean up remaining processes:
  17. 17.```bash
  18. 18.ps -eo user,pid,ppid,comm --sort=-pid | head -30
  19. 19.# Kill remaining bomb processes
  20. 20.pkill -9 -u username
  21. 21.`
  22. 22.Set per-user process limits in /etc/security/limits.conf:
  23. 23.```bash
  24. 24.sudo nano /etc/security/limits.conf
  25. 25.`
  26. 26.Add:
  27. 27.`
  28. 28.* soft nproc 1024
  29. 29.* hard nproc 2048
  30. 30.root soft nproc unlimited
  31. 31.`
  32. 32.Configure cgroup pids controller for login sessions:
  33. 33.```bash
  34. 34.# For systemd, set per-user limits
  35. 35.sudo nano /etc/systemd/system.conf
  36. 36.# Add:
  37. 37.DefaultTasksMax=4096
  38. 38.sudo systemctl daemon-reload
  39. 39.`
  40. 40.Verify limits are enforced:
  41. 41.```bash
  42. 42.ulimit -u
  43. 43.# Should show 1024 (soft) or 2048 (hard)
  44. 44.# Test fork bomb protection
  45. 45.cat /sys/fs/cgroup/pids/user.slice/user-$(id -u).slice/pids.max
  46. 46.`

Prevention

  • Set nproc limits in /etc/security/limits.conf for all non-root users
  • Configure DefaultTasksMax=4096 in systemd to limit total tasks per user slice
  • Use cgroup pids controller: pids.max for containers and service units
  • Monitor process count per user with automated alerts when count exceeds normal baseline
  • Educate users about fork bomb commands and implement shell command filtering if needed