The triumphant return of: main(){while(1)fork();}

[www.securityfocus.com]

“forkbomb it”

I’ll admit that I thought his statement was pretty funny. How did this guy expect to bring down a Linux machine by fork bombing it as a non-root user? Not being as intimately familiar with the various Linux distributions as I am with the three BSDs, I figured that I’d have a quick peek into his claim and see what happens.

I wrote up a very simple bourne shell script on my work machine, which runs Mandrake Linux, and executed it under my non-privileged account. Within seconds, the machine was brought to its knees — totally crippled and unusable. I stared at my screen in disbelief for a few moments, totally stunned with what had just happened.

After the deer-in-headlights look had left my face, I gave my head a shake and started to question my belief that none of the BSD machines that I administer were susceptible to this truly ancient attack. I’ll admit that I held my breath for a few seconds as I keyed the script into my NetBSD laptop, and then ran it. I was pleasantly surprised when the attack had no effect, confirming that I wasn’t losing my mind after all — limits had been put in place to prevent a normal user from crippling the entire system. Exactly as one would expect.

I then proceeded to fork bomb every Unix machine I could get my hands on […continues]

The subsequent discussion is quite amusing: anonymous Linux weenies argue that, well, of course you should have gone in and set sensible resource limit defaults, it's a user problem, not a Linux or distro problem, in the face of the implicit critique that the *BSD operating systems ship with better, nicer defaults.
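As an added illustration (not code from the article or from the commenters), this is what the limit that saved the NetBSD laptop looks like at the system-call level: a deliberately bounded, self-reaping fork loop run under a lowered RLIMIT_NPROC, the same knob that `ulimit -u` and a pam_limits `nproc` line in /etc/security/limits.conf set. The function name, the limit value and the child count are assumptions chosen for the demonstration.

```c
/* Added example: show why a per-user process limit (RLIMIT_NPROC) stops a
 * runaway fork loop. The loop is bounded and every child is reaped, so this
 * is a measurement of the limit, not a fork bomb. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork up to max_children children that park on a pipe until released.
 * Returns how many forks succeeded before fork() failed (fork_errno gets
 * the errno, normally EAGAIN), or max_children if the limit never bit,
 * e.g. when running as root, whom RLIMIT_NPROC does not constrain. */
int forks_before_limit(rlim_t soft_nproc, int max_children, int *fork_errno) {
    struct rlimit old, lim;
    int fds[2], n;
    char byte;

    *fork_errno = 0;
    if (getrlimit(RLIMIT_NPROC, &old) != 0 || pipe(fds) != 0)
        return -1;

    /* Lower only the soft limit: an unprivileged user may always do this. */
    lim.rlim_cur = soft_nproc < old.rlim_max ? soft_nproc : old.rlim_max;
    lim.rlim_max = old.rlim_max;
    if (setrlimit(RLIMIT_NPROC, &lim) != 0)
        return -1;

    for (n = 0; n < max_children; n++) {
        pid_t pid = fork();
        if (pid < 0) {               /* EAGAIN here is the limit doing its job */
            *fork_errno = errno;
            break;
        }
        if (pid == 0) {              /* child: wait for EOF, then leave quietly */
            close(fds[1]);
            (void)read(fds[0], &byte, 1);
            _exit(0);
        }
    }
    /* Closing the write end releases every child; reap them all, then
     * restore the caller's original limit. */
    close(fds[1]);
    close(fds[0]);
    while (wait(NULL) > 0)
        ;
    setrlimit(RLIMIT_NPROC, &old);
    return n;
}

int main(void) {
    int err = 0;
    int n = forks_before_limit(24, 64, &err);   /* assumed soft limit of 24 */
    printf("forks before limit: %d (errno %d)\n", n, err);
    return n < 0;
}
```

Run it as an ordinary user to see fork() start failing once the user's process count reaches the soft limit; the Mandrake box in the article simply had that limit set to unlimited.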

Comments

2 responses to “The triumphant return of: main(){while(1)fork();}”

  1. Chris Samuel
    Distro problem

    I agree with the author completely: the distros shouldn't ship with that sort of lax defaults, and I'm really happy to see that Debian gets it right (and I'm very curious to know if that's the same with Debian-derived distros like Knoppix and Ubuntu).

    I've been bitten on this ancient Mandrake 9.0 machine by a KDE bug where occasionally konqueror goes bananas and tries to malloc() everything in sight, and that causes the kernel to lock up (the old OOM killer problem). Again, sensible ulimits would have stopped that bug from taking out my system, and now that I've put them in place it should not have the same catastrophic effect.

    I could fix some of these problems if I had the time; upgrading to a much newer kernel would fix the OOM killer (I'd actually just disable it and let the kernel kill processes that try to malloc() when OOM), but I'd still leave the ulimits in place; it's just part of the defence in depth approach.

    In the same way, on webservers I'm involved with I try (wherever possible) to use iptables to prevent outbound connection attempts by the user running the webserver. Why? Because if they do manage to get in some way, then the first thing they'll try to do is download exploits from the net to try and elevate their privileges. If iptables blocks them doing that, then they'll have to type it in by hand. It won't stop a determined attacker, but it may stymie a script-kiddie.

    Anyway, enough for now!

    Chris

  2. 192.18.128.13
    re: The triumphant return of: main(){while(1)fork();}

    Rrrargh, he said ‘peeked my interest’.
