What Is a Linux Fork Bomb and How to Stop It
This article explains what a Linux fork bomb is, shows the classic one‑liner shell code that creates it, breaks down each component of the command, and provides practical steps such as limiting user processes via ulimit and editing limits.conf to prevent system crashes.
What Is a Fork Bomb in Linux?
A Linux fork bomb is a denial‑of‑service attack that exploits the fork() system call to rapidly create a massive number of child processes, exhausting CPU and memory resources until the system becomes unusable.
The classic fork bomb is the following one‑liner:
:(){ :|:& };:
This command defines a function named ':' that calls itself recursively, piping its output to another instance of the same function. The pipe (|) connects the output of one process to the input of another, while '&' runs each instance in the background, allowing the cascade to grow exponentially.
How the Fork Bomb Works
:() defines a function named ':' with no parameters.
{ } marks the start and end of the function body, containing the commands that will eventually crash the machine.
:|: initiates the recursive call, loading the ':' function into memory and piping its output to another loaded instance.
& runs the entire function in the background so that no child process is killed.
; separates each child function in the execution chain.
: finally executes the most recently created function, triggering the chain reaction.
Prevention Measures
Limit the maximum number of processes a logged‑in user can run.
Check the current limit for the user:
ulimit -u
Edit /etc/security/limits.conf to set a hard limit on processes, for example:
vim /etc/security/limits.conf
@wheel hard nproc 5000
rumenz hard nproc 5000
This configuration caps the number of processes for the specified users to 5000, helping to mitigate the impact of a fork bomb.
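As an added example (not part of the original article), the shell functions below audit limits.conf‑style input for hard nproc entries and flag any whose value is unlimited, infinity or -1, which would leave that domain without a process cap. The sample file content (including the backup and deploy entries) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit hard nproc caps in limits.conf-style input.
# Each entry has four fields: <domain> <type> <item> <value>

# Constructed sample input: the article's two entries plus extra test cases.
sample_limits() {
cat <<'EOF'
# /etc/security/limits.conf (constructed sample)
@wheel   hard  nproc  5000
rumenz   hard  nproc  5000
*        soft  nproc  4096
backup   hard  nproc  unlimited
deploy   -     nproc  2000
EOF
}

# Read limits.conf text on stdin and print "domain value status" for every
# entry that sets a hard nproc limit (type "hard", or "-" which sets both
# soft and hard). A numeric value is CAPPED; unlimited, infinity and -1
# mean no limit and are reported as UNCAPPED.
audit_nproc() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $3 == "nproc" && ($2 == "hard" || $2 == "-") {
            status = ($4 ~ /^[0-9]+$/) ? "CAPPED" : "UNCAPPED"
            print $1, $4, status
        }
    '
}

# Print the hard nproc value written for one exact domain name.
# This is a literal match only: it does not resolve group membership or
# wildcard entries. Prints nothing if the domain has no hard nproc entry.
hard_nproc_for() {
    audit_nproc | awk -v d="$1" '$1 == d { v = $2 } END { if (v != "") print v }'
}

# Run the audit over the constructed sample.
sample_limits | audit_nproc
```

To audit a real system, feed the live file instead: audit_nproc < /etc/security/limits.conf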
Liangxu Linux
