/image%2F8357444%2F20250531%2Fob_e5372f_safitexpers.jpeg)
/image%2F7127247%2F20260329%2Fob_1ae8c6_fork-bomb.jpeg)
~/toc $
Fork Bomb Linux: Security & Hardening Guide 2026
📌 At a Glance
fork() → 2ⁿ processes in a few milliseconds.TasksMax (cgroups) + limits.conf (PAM).> 1. Introduction: The "Bomb" That Exploits fork()
In our restaurant, the head chef (CPU/process) executes a recipe (program) in the kitchen (RAM). The fork bomb exploits the fork() system call to saturate the reservation book of the maître d' (kernel), rendering the system unusable. Understanding this attack means grasping an essential link in availability policies (NIST SP 800-34).
🍳 2. Pedagogy: The "Head Chef" Analogy
The Diabolical Recipe
The culinary chaos: The chef spawns two chefs. Each spawns two more. The progression is exponential (2ⁿ). The kitchen is quickly overwhelmed. The maître d' (kernel) is completely overloaded.
⚡ 3. Low-Level View (System Calls, COW, and Emergency Recovery)
Each chef clones itself via fork() into two new chefs. The number of chefs follows 2ⁿ, saturating the process table.
2ⁿ
fork(), the kernel allocates a full virtual address space for each child process: heap, stack, code and data segments. This space is significant.kernel.pid_max), long before physical RAM reaches its limit. This is what renders the system unusable.- Pre-existing root consoles:
exec()(unlikefork()) does not create a new process —/sbin/logincan still launch a shell if a session is already open. - Magic SysRq: see the Appendix for detailed key combinations.
→ A cold reboot is not always necessary: if the system still responds to SysRq, a clean shutdown (REISUB) avoids unflushed journals, forced fsck checks, and data corruption risks.
📖 Key Definitions
🔐 4. Mitigations and Hardening
Two complementary approaches cover distinct scopes and must be combined for complete protection.
⚠️ Distinct scopes — why combine both: pam_limits.so only applies to interactive sessions (SSH, TTY login, su). systemd services (nginx, sshd via socket, timers, scripts…) are not subject to limits.conf. This is precisely why TasksMax (cgroups) is essential as a complement: it covers what PAM cannot see.
4.1. ulimit Configuration (PAM)
/etc/security/limits.conf: house rules for each user in an interactive session.
| Parameter | Role |
|---|---|
nproc | Maximum number of processes per user |
⚠️ Prerequisite: The pam_limits.so module must be loaded in PAM (/etc/pam.d/login, sshd, etc.). Without it, limits.conf is silently ignored.
ℹ️ Root: root soft nproc unlimited is intentional (root must be able to intervene during an attack), but it leaves root vulnerable if a bomb is launched with its privileges.
4.2. cgroups / systemd Procedure (observe → analyze → modify → test → monitor)
TasksMax operates via the pids controller of cgroups v2. It counts processes + threads, covers systemd services, and persists after daemon-reload without a reboot.
ℹ️ System-wide scope: To change the default value applied to all slices, edit DefaultTasksMax= in /etc/systemd/system.conf. Requires a full reboot (unlike slice overrides which take effect after daemon-reload).
🔍 Step 1: Observe
Typical value: 4915 (15% of 32768, the default value of kernel.pid_max).
📊 Step 2: Analyze
Counts threads as well (consistent with what TasksMax measures).
⚙️ Step 3: Modify
Three levels of granularity available.
🌍 Global slice (all users)
👤 Specific user (UID 1000)
⚙️ Individual service (example: nginx)
🧪 Step 4: Test
ℹ️ Command distinction: The sleep loop creates 250 suspended processes — this is what actually triggers the TasksMax limit. The stress commands test CPU/memory load: useful for monitoring, they do not necessarily trigger the task limit if it is set high.
📈 Step 5: Monitor
🚨 Appendix: Last Resort (Magic SysRq)
Activation: sysctl kernel.sysrq=1 (or echo 1 > /proc/sys/kernel/sysrq). To persist across reboots: add kernel.sysrq = 1 to /etc/sysctl.d/99-sysrq.conf.
Useful keys:
- F: OOM Killer — forces the kernel to kill a process to free memory
- K: SAK (Secure Attention Key) — kills all programs on the current console
- REISUB: sequenced clean reboot — R (raw mode), E (SIGTERM), I (SIGKILL), S (sync disks), U (remount read-only), B (reboot)
→ Always prefer REISUB over a cold reboot: disks are synchronized, reducing the risk of journal corruption or a forced fsck on next boot.
Protection Summary
| Method | Scope | Limit | Persistence | Level |
|---|---|---|---|---|
| ulimit (PAM) | Interactive sessions only | nproc (processes) | Session (requires pam_limits.so active) | ⭐⭐ |
| TasksMax (cgroups) | cgroups v2 — slices and services | tasks (processes + threads) | Permanent after daemon-reload | ⭐⭐⭐ |
| Magic SysRq | Kernel (last resort) | Emergency — not preventive | Temporary (unless /etc/sysctl.d) | ⭐ (last resort) |
🌐 5. Attack Portability
The fork bomb is often presented as a Linux-specific attack. This is inaccurate: the underlying vulnerability is inherent to any OS that exposes process creation without default limits. Windows and macOS are both affected, with different mechanisms and levels of protection.
5.1 Windows
Windows does not implement fork(), but CreateProcess() and CreateThread() produce the same saturation effect when called in a recursive loop.
TasksMax.⚠️ Do not execute on a system without configured process limits. Windows default values are generous and no TasksMax-equivalent mechanism is active by default.
5.2 macOS
macOS is built on XNU (a Mach/BSD hybrid kernel) and natively exposes fork(). The Bash bomb :(){ :|:& };: works identically to Linux without modification.
fork() call via the XNU kernel. On Apple Silicon, the kernel enforcer is more aggressive on memory management — it may slow the explosion, but cannot prevent it.HardResourceLimits in service plists. SIP (System Integrity Protection) protects system processes but does not limit user processes against this type of attack.Comparative Table
| OS | Attack Mechanism | Main Protection | Active by Default | Granularity |
|---|---|---|---|---|
| Linux | fork() | cgroups v2 / TasksMax | Partial (15% pid_max) | ⭐⭐⭐ |
| Windows | CreateProcess() / CreateThread() | Job Objects | No | ⭐⭐ |
| macOS | fork() | launchd HardResourceLimits | No | ⭐⭐ |
Linux is the only one of the three systems to offer active default protection (TasksMax at 15% of kernel.pid_max) and per-service granularity. The vulnerability is universal — the maturity of mitigation tools is not.
✔ 6. Conclusion
fork(), CreateProcess(), or CreateThread() — is potentially vulnerable. The difference lies in the maturity of default protections, not the attack mechanism.limits.conf for interactive sessions, TasksMax per service for daemons, journald or Prometheus alerts to detect anomalies before they become a crisis. Magic SysRq as a last resort. The most granular protection of the three systems.TasksMax is applied natively. On a Windows production environment, limits must be explicitly configured per application or container.fork() works identically to Linux via XNU — the Bash bomb runs without modification. SIP protects system processes but not user processes. Limiting via HardResourceLimits in launchd plists is not configured by default.📚 Verified Sources
The technical claims in this article are based on the following primary references.
pids controller, task counting (processes + threads), and cgroups v2 hierarchies. Primary source for the real behavior of TasksMax.TasksMax= directive, its interaction with the cgroups v2 pids controller, and levels of granularity (slice, service, scope). Reference for DefaultTasksMax and default values.sysctl kernel.sysrq, and the REISUB sequence. Primary source for the emergency recovery section.pam_limits module and /etc/security/limits.conf: nproc parameters, soft/hard distinction, and scope to interactive sessions only.🔗 SafeITExperts Recommended Reading
To go deeper into the topics covered in this article.
/image%2F7127247%2F20260403%2Fob_13d381_securite-os.png)
/image%2F7127247%2F20260403%2Fob_99c0db_securite-os.png)
/image%2F7127247%2F20260329%2Fob_dc84c9_fork-bomb.jpeg)
/image%2F7127247%2F20260216%2Fob_1bcfbb_breakinews1.png)
/image%2F7127247%2F20260413%2Fob_68be55_image-7127247-20260309-ob-d3a73d-kerne.png)
/image%2F7127247%2F20260412%2Fob_b9f899_9f17b9a2-4f24-4470-ad66-7d7c6be51c09.png)
/image%2F7127247%2F20260412%2Fob_76dc2e_9f17b9a2-4f24-4470-ad66-7d7c6be51c09.png)
/image%2F7127247%2F20260412%2Fob_b1b994_3adbf5c5-b5c0-4fe5-9662-f97b031a64c1.png)