Forkbomb?

cactus · 2005-03-18 18:56:20

http://www.securityfocus.com/columnists … f=rssdebia

thegnu · 2005-03-18 20:01:35

Has anyone tried this? As soon as I get home, I'm gonna screw around with this a bit, see if I can crash my computer . Do the nitro or mm kernels take care of this at all?

smith · 2005-03-18 20:15:23

You can help prevent fork bombs by limiting the number of processes per user using ulimit. Also, someone would have to hack into an account to be able to use this attack on your box.

A slashdotter posted that typing

:(){ :|:& };:

on the bash prompt will test if you are vulnerable. Can't vouch for it, as I don't have access to my linux box right now.

cactus · 2005-03-18 20:19:22

smith wrote:

Also, someone would have to hack into an account to be able to use this attack on your box.

Not everyone has just single user boxen.

cactus · 2005-03-18 20:31:07

http://en.wikipedia.org/wiki/Fork_bomb

phrakture · 2005-03-18 20:46:27

cactus wrote:

http://en.wikipedia.org/wiki/Fork_bomb

formats:
bash:

$ :(){ :|:& };:

perl:

$ perl -e "fork while fork"

c:

#include <unistd.h>
void main() { while(1) fork(); }

i3839 · 2005-03-18 22:12:54

I added the following to my /etc/security/limits.conf:

*    soft        nproc        50
*    hard        nproc        100
*    soft        rss        100000
*    hard        rss        150000

With the default limits X froze to death. Alt+SysRq+i/e/k (think I tried them all, so not sure which one did the actual trick) did work to get rid of it though. But because I also did Alt+SysRq+u to remount readonly, I needed to reboot (alt+sysrq+b) anyway, as I couldn't log in anymore.

I think sane limits should be the default in Arch.

thegnu · 2005-03-18 23:20:47

phrakture wrote:

$ perl -e "fork while fork"

Sounds like a punk song to me!

DUH-DAH DUH-DAH DUH-DAH... FORK WHILE FORK! :twisted:

iphitus · 2005-03-18 23:21:12

heh, yeah it works, but maybe i shouldnt have run it as root.

phrakture · 2005-03-18 23:30:33

yeah the big deal is that it works as a non-root user... I'm trying it when I get home

cactus · 2005-03-19 00:12:43

i3839 wrote:

I added the following to my /etc/security/limits.conf:

*    soft        nproc        50
*    hard        nproc        100
*    soft        rss        100000
*    hard        rss        150000

Looks good i3839..what is rss though.. max resident set size (KB)...
what is a set size for?

I think sane limits should be the default in Arch.

I agree.

iphitus · 2005-03-19 00:27:42

phrakture wrote:

yeah the big deal is that it works as a non-root user... I'm trying it when I get home

Yeah, I just went to my screen session, which happened to have a root terminal in it.

aCoder · 2005-03-19 00:34:50

Tried as a non-root user, and it brought things to a stop fast. Setting some reasonable limits took care of things.

phrakture · 2005-03-19 00:39:16

i use 75/150 for my limits.... maybe we should figure out some good default settings... anyone willing to spend some time and figure out at what number it starts failing?

Snowman · 2005-03-19 04:29:18

The max number of process should be greater than 100. One hundred processes is not enough especially if you compile because make uses a lot of processes. I have 78 process currently running and I am just using a few konsole in KDE. However I don't know what that number should be.

i3839 · 2005-03-19 14:40:39

RSS is the closest to the real ram usage of a program. It still includes shared things like libc and other libraries, but that's one Mb, or with bloated apps less than 10, and fixed size from the start. So all in all that's the variable to limit real ram usage of an app (alternative would be to limit virtual memory, but asking for a lot of virtual memory doesn't hurt, actualy using it all does).

What the proper limits are depends on your hardware, faster comps can have higher limits.

Compiling doesn't take that much processes, most are very short lived, and more than 4 parallel compiles isn't very useful. But if running big monsters like KDE or Gnome then the total ammount of user processes goes up of course, so 100 is a bit low.

I'll try different setting on my pc and see what works. If it's ok for my 600 Mhz box then it's probably ok for most Archers. I'll see how high I can go.

i3839 · 2005-03-19 15:35:32

For my pc (600 Mhz, 256 Mb ram) 2048 processes is the limit before it becomes unmanageable. In console it's easier to recover than in X, there I needed to switch to console with Ctrl+Alt+F2 and then kill the forkbomb from there.

As the limit is per user and not global, 1024 should be plenty for almost everyone. People who need more like big servers probably need to also change other limits anyway.

Figuring out the max memory per process is much harder, as that depends on the ammount of ram, what programs are going to run, and what the user wants. Safest would be of course to use totalmem/(maxprocess*maxusers) as limit, but then you can hardly run anything... So I think it's best to set no default rss limit.

So all in all I recommend the following limits:

*       soft    nproc   1024
*       hard    nproc   2048

phrakture · 2005-03-19 19:27:42

I'll try those limits and forkbomb my system and see where it gets...

Snowman · 2005-03-19 21:04:02

Currently my proc limit is 2046 and I haven't changed any setting.

mico · 2005-03-19 21:32:55

What exactly is the difference between soft and hard limits?

i3839 · 2005-03-19 22:46:35

The soft limit is the real limit. The user may always change the limit downwards, but only up to the hard limit.

InfernalH · 2005-03-21 15:05:18

with default limits in limits.conf my system survived, but when I updated like i3839 suggested, I've got my box crashed...

mico · 2005-03-21 15:15:33

1024 processes is a bit high. Even if I run KDE with openoffice, mozilla, gimp, eclipse and some other applications, number of my processes does not exceed 55. So I think the limit of 100 or maybe 200 processes shoud be enough.

i3839 · 2005-03-21 15:31:36

InfernalH wrote:

with default limits in limits.conf my system survived, but when I updated like i3839 suggested, I've got my box crashed...

What were your default limits? I had none, so perhaps you edited it in the past? (running pam-0.78-4 here) By default Arch had no limit at all in /etc/secerity/limits.conf, and the system wide default of 4096 was used, at least on my pc.

Also what hardware do you have? Mainly cpu and ram.

Of course 1024 is high, but point is to avoid a forkbomb to do any damage, not to limit the users' max number of processes, and after testing 2048 seemed to limit on my system, so taking the half of that seemed reasonable to me. Desktop systems won't have more than a couple of hundred processes, but a busy server can.

mico · 2005-03-21 16:00:42

i3839 wrote:

Desktop systems won't have more than a couple of hundred processes, but a busy server can.

Those processes are distributed among various users. Many daemons run as a special user (postgresql processes are owned by the user postgres, mysql by user mysql, apache by user nobody, or whichever user you configure them). Even if you suspect a single owner (user) of those services will require so many processes, I still think normal (real) users should be fine with 100 or at most a few hundred processes. Something like:

@users      soft  nproc    100
@users      hard  nproc    200
*           soft  nproc    1024
*           hard  nproc    1500

Does anybody know what are default/sugested/common limits on *BSD systems? They would probably be a good reference.

Arch Linux

#1 2005-03-18 18:56:20

Forkbomb?

#2 2005-03-18 20:01:35

Re: Forkbomb?

#3 2005-03-18 20:15:23

Re: Forkbomb?

#4 2005-03-18 20:19:22

Re: Forkbomb?

#5 2005-03-18 20:31:07

Re: Forkbomb?

#6 2005-03-18 20:46:27

Re: Forkbomb?

#7 2005-03-18 22:12:54

Re: Forkbomb?

#8 2005-03-18 23:20:47

Re: Forkbomb?

#9 2005-03-18 23:21:12

Re: Forkbomb?

#10 2005-03-18 23:30:33

Re: Forkbomb?

#11 2005-03-19 00:12:43

Re: Forkbomb?

#12 2005-03-19 00:27:42

Re: Forkbomb?

#13 2005-03-19 00:34:50

Re: Forkbomb?

#14 2005-03-19 00:39:16

Re: Forkbomb?

#15 2005-03-19 04:29:18

Re: Forkbomb?

#16 2005-03-19 14:40:39

Re: Forkbomb?

#17 2005-03-19 15:35:32

Re: Forkbomb?

#18 2005-03-19 19:27:42

Re: Forkbomb?

#19 2005-03-19 21:04:02

Re: Forkbomb?

#20 2005-03-19 21:32:55

Re: Forkbomb?

#21 2005-03-19 22:46:35

Re: Forkbomb?

#22 2005-03-21 15:05:18

Re: Forkbomb?

#23 2005-03-21 15:15:33

Re: Forkbomb?

#24 2005-03-21 15:31:36

Re: Forkbomb?

#25 2005-03-21 16:00:42

Re: Forkbomb?

Board footer