Fork bomb

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

The Fork Bomb (also called rabbit virus or wabbit) is a memory exhausting Denial of Service (DoS) Attack. It depletes the memory of a machine by replicating itself exponentially until all memory is used up.


The fork bomb utilizes the fork system call which is implemented in every programming language. The Fork command calls a child process of that executes the next line of code with it simultaneously. The mother node patiently awaits the completion of its child processes, but the child processes will never exceed their completion because they also waiting for their child processes.

1| fork()                  L1
                          /  \
2| fork()               L2    L2
                       / \    / \
3| fork ()            L3  L3 L3  L3

As the code shows the processes double every line so the number of running processes increase relative to .

The following section shows some fork bomb example written in different languages.


#include <unistd.h> 
int main(void) 
  return 0; 


import os
while True:  

Command line variant:

python -c 'while 1: __import__("os").fork()'

Unix Bash

:(){ :|:& };:

This command line command can be deciphered like this

:()       # Defines the following function ":" 
   :       # Loads a copy of the function ":"
   |       # Redirects the Output that it is not seen in the shell
   :       # Loads a copy of the function ":"
   &       # Runs the programs as a background process
:         # Runs the beforehand defined function ":"

This command is dangerous because the user issuing it does need any grants.

Forkbomb used by USB Rubber Ducky

Rezky Aulia Efendy et. al. in [4] used a USB Rubber Ducky to perform the fork bomb on a windows 8 personal computer. The USB Rubber Ducky is a self-typing Keyboard disguised as an USB flash drive. Their implementation opened multiple instances of Microsoft Paint to perform the memory depletion attack.

This attack can also be Performed on Unix based Operating systems by using the :(){ :|:& };: command The Rubber ducky script would look like as follows:

STRING  :(){ :|:& };:

Fork bomb prevention

To prevent the fork bomb form spreading on your device you can limit the the maximum of allowed precesses per user. On Linux Distribution this can be achieved by using the ulimit command. For example ulimit -u 30 would limit the user to a maximum of 30 Processes.


[1] (german version for source code)



[4] IEEE: Exploring the Possibility of USB based Fork Bomb Attack on Windows Environment