Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
06-29-2005, 09:49 PM
|
#1
|
|
Member
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Slackware, Suse, Ubuntu, Gentoo
Posts: 545
|
How can I prevent forkbombs?
I've recently been getting into Linux security and found out that my Slackware 10(.1) boxes are vulnerable to the ancient forkbomb attack. (Tested using a script found on the 'net as a non-privileged user.) How can I guard against it? What commands and utilities can I use?
Thanks.
--Dane
|
|
|
|
06-30-2005, 01:25 AM
|
#2
|
|
Moderator
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
|
There are a number of different ways to handle fork bomb resource starvation. You can use ulimit (see its manpage), you can use PAM (set the max process option in /etc/security/limits.conf), and I think the grsecurity patch also has a feature that prevents this as well.
For what it's worth, this isn't really a 'vulnerability' per se. As far as I know, the limits are intentionally left off as fork bombs are really only a problem for those with untrusted users. For those trying to get maximum performance (like parallel processing applications or webserver under significant load) having a limit less than the machine performance max could be a bad thing.
Hope that helps.
|
|
|
|
06-30-2005, 01:34 AM
|
#3
|
|
Member
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 45
|
I think I got that attack as well on one of my RH9 boxes. What does it do? Forks sessions and the server overloads?
If that's it, I just created a group 'users' and set a hard limit of 50 nproc and a soft limit of 20 nproc, and it works great.
By the way, if you can, I would be glad to get some info on the script: how it is used and so on.
|
|
|
|
06-30-2005, 01:59 AM
|
#4
|
|
Moderator
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
|
This isn't too hard to code. Just take your favorite language and write an infinite loop that calls fork() repeatedly. It works by consuming resources (RAM, file descriptors, etc.) by continuously forking processes until the system runs out of resources and crashes or becomes unusable. So basically you can file this under "stupid user tricks" as it's slightly more elegant than clicking the Mozilla icon 12,000 times....
//Moderator note: I'd rather no one post code for this, even as lame as it is...
Last edited by Capt_Caveman; 06-30-2005 at 02:00 AM..
|
|
|
|
06-30-2005, 04:21 AM
|
#5
|
|
Member
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Slackware, Suse, Ubuntu, Gentoo
Posts: 545
|
Thanks for your replies!
The reason I'm looking into this is so that when I set up a real multi-user system (via ssh, for example), I won't have some joker crash it by using a simple script. I looked into your suggestions and found the following man page for ulimit (PAM apparently isn't part of Slackware 10.x):
Quote:
NAME
ulimit - get and set user limits
SYNOPSIS
#include <ulimit.h>
long ulimit(int cmd, long newlimit);
DESCRIPTION
Warning: This routine is obsolete. The include file is no longer provided by
glibc. Use getrlimit(2), setrlimit(2) and sysconf(3) instead. For the
shell command ulimit, see bash(1).
The ulimit call will get or set some limit for the current process. The cmd
argument can have one of the following values.
UL_GETFSIZE
Return the limit on the size of a file, in units of 512 bytes.
UL_SETFSIZE
Set the limit on the size of a file.
3 (Not implemented for Linux.) Return the maximum possible address of
the data segment.
4 (Implemented but no symbolic constant provided.) Return the maximum
number of files that the calling process can open.
|
Unfortunately, that doesn't help me much, as all I get when typing "ulimit" is "unlimited". I don't have a /etc/security directory; if I made one, how would the system read it? What would I put in it?
Will one of you please post an example ulimit command? Thanks!
--Dane
|
|
|
|
06-30-2005, 04:58 AM
|
#6
|
|
Senior Member
Registered: Oct 2004
Location: Athens, Greece
Distribution: Slackware 12.1
Posts: 1,768
|
|
|
|
|
06-30-2005, 03:08 PM
|
#7
|
|
Member
Registered: Jun 2005
Posts: 541
|
Quote:
Originally posted by DaneM
Thanks for your replies!
The reason I'm looking into this is so that when I set up a real multi-user system (via ssh, for example), I won't have some joker crash it by using a simple script. I looked into your suggestions and found the following man page for ulimit (PAM apparently isn't part of Slackware 10.x):
Unfortunately, that doesn't help me much, as all I get when typing "ulimit" is "unlimited". I don't have a /etc/security directory; if I made one, how would the system read it? What would I put in it?
Will one of you please post an example ulimit command? Thanks!
--Dane
|
Process limits are inherited. The ulimit command is a shell builtin because of this: the limits you're applying with this command affect the current process and any child process it creates. To obtain help about ulimit, type "help ulimit" at the command prompt.
There are "soft" limits and "hard" limits.
To quote Richard Stevens:
"1- A soft limit can be changed by any process to a value less than or equal to its hard limit.
2- Any process can lower its hard limit to a value greater than or equal to its soft limit. This lowering of the hard limit is irreversible for normal users.
3- Only a superuser process can raise a hard limit."
When you change limits with the ulimit command, specify -H to view and set up hard limits. By default, the command prints and sets up soft limits. Try to find some limits that work (on a user account) and make the soft limit equal to the hard limit.
Remember that they are inherited. You could set up limits based on UID and even for groups of users, in a script (e.g. /etc/profile).
|
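One way to apply the inherited soft and hard limits described in the post above from /etc/profile, keyed on UID and group. This is an added example, not code from any poster; it assumes bash, the names MIN_UID, GROUP_NAME, DEFAULT_NPROC, nproc_policy and apply_nproc_limits are hypothetical, and the 20/50 figures are the ones given in post #3.

```shell
# Added example, not from the thread. Meant to be sourced from /etc/profile
# under bash (ulimit -u is bash's "max user processes" option).
MIN_UID=1000        # assumption: accounts below this are system accounts
GROUP_NAME=users    # group named in post #3
GROUP_SOFT=20       # soft nproc figure from post #3
GROUP_HARD=50       # hard nproc figure from post #3
DEFAULT_NPROC=100   # assumption: soft = hard for everyone else, as post #7 suggests

# nproc_policy UID "GROUP LIST"
# Prints "SOFT HARD", or "none" for accounts that are left unlimited.
nproc_policy() {
    if [ "$1" -lt "$MIN_UID" ]; then
        echo none
        return 0
    fi
    # Pad with spaces so "users" does not match inside "superusers".
    case " $2 " in
        *" $GROUP_NAME "*) echo "$GROUP_SOFT $GROUP_HARD" ;;
        *)                 echo "$DEFAULT_NPROC $DEFAULT_NPROC" ;;
    esac
}

# apply_nproc_limits UID "GROUP LIST"
# Sets the limits in the current shell, so every process started from
# this login inherits them.
apply_nproc_limits() {
    # Reuse the function's positional parameters instead of variables that
    # would leak into the login shell: $1 = soft (or "none"), $2 = hard.
    set -- $(nproc_policy "$1" "$2")
    if [ "$1" = none ]; then
        return 0
    fi
    # Soft first: the kernel rejects a hard limit below the current soft limit.
    # Lowering the hard limit is irreversible for a non-root user.
    ulimit -S -u "$1" && ulimit -H -u "$2"
}

# In /etc/profile, finish with:
#   apply_nproc_limits "$(id -u)" "$(id -Gn)"
```

Limits set from /etc/profile only cover sessions that read that file; a non-login shell such as `ssh host command` does not, which is where the PAM limits.conf route mentioned in post #2 is more robust.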
|
|
|
06-30-2005, 10:48 PM
|
#8
|
|
Member
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Slackware, Suse, Ubuntu, Gentoo
Posts: 545
|
Great stuff! That link was especially helpful. Now I can make all my servers less vulnerable to attack.
Thanks!
--Dane
|
|
|
|
All times are GMT -5. The time now is 10:49 AM.