Journeys' End
20050510
  Defusing a bash forkbomb in netbsd
What happened...
Someone posted on atomicmpc about a forkbomb. This led to me googling forkbombs and arriving at an article that looked at how forkbombs affected modern Linux distributions and *BSD. I quote:
I'll admit that I held my breath for a few seconds as I keyed the script into my NetBSD laptop, and then ran it. I was pleasantly surprised when the attack had no effect, confirming that I wasn't losing my mind after all -- limits had been put in place to prevent a normal user from crippling the entire system. Exactly as one would expect.
Naturally I wanted to test this. I have a netbsd box running on an old ibook with the following uname -a:
NetBSD eva00 1.6.2 NetBSD 1.6.2 (GENERIC) #0: Tue Feb 10 23:52:52 UTC 2004 autobuild@tgm.netbsd.org:/autobuild/netbsd-1-6-PATCH 002/macppc/OBJ/autobuild/ netbsd-1-6-PATCH002/src/sys/arch/macppc/compile/ GENERIC macppc
Quickly I typed up a cheap bash forkbomb that's not even as cool as
:(){ :|:&};: -
#!/bin/sh $0 & exec $0
Merrily I executed the script in my normal account over SSH... and watched as things slowed down to a crawl. SSH timed out, and local login from the keyboard generated a delay of about 60 seconds from keystroke to echo. Normally one would reboot and install quotas, but this box had good uptime! I wanted to keep it, so I set myself the slightly harder task of defusing the fork bomb.
How it was done
I knew I had to somehow stop the processes, not kill them, because killing them will simply free up resources which would immediately be taken over. ni suggested using SIGSTOP. To my knowledge POSIX defines a set of signals which can be sent to processes. One of these is SIGSTOP, which cannot be caught or ignored. It causes the process in question to stop. Yes it surprised me too.
So now we know how to halt it and Bob's our uncle, right? Not yet. The problem was there were over 400 bash processes happily consuming what little resources there were, and given the 60 second delay it's silly to try and manually halt every one of them. In the absence of killall I devised the following:
ps ax | grep bash | grep -v grep | awk '{print $1}' | xargs kill -STOP
Which worked! After I spent about an hour typing it in. Then the -STOP was replaced with -9 and the command was run again to kill the processes and reclaim my resources. A problem with the above is that it had large collateral damage. A better script would have been:
ps axu user | grep bash | grep -v grep | awk '{print $2}' | xargs kill -STOP
So next time...
Implement user process quotas!
Cheers,
Steve
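
The freeze-then-kill sequence described above, as an added example that is not part of the original post: it repeats the SIGSTOP pass until a pass freezes nothing new, then sends SIGKILL to everything it froze. It assumes pgrep is available; the function names list_pids and defuse are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Freeze every matching process
# before killing any, so nothing is left running to refill the process table.

# list_pids USER NAME: print PIDs owned by USER whose command name is NAME.
# Assumes pgrep is installed; swap in a ps/awk pipeline where it is not.
list_pids() {
    pgrep -U "$1" -x "$2"
}

# defuse USER NAME: print how many processes were frozen and then killed.
defuse() {
    user=$1
    name=$2
    frozen=""
    while :; do
        progress=0
        for pid in $(list_pids "$user" "$name"); do
            # Never signal the invoking shell, and skip PIDs already frozen.
            [ "$pid" = "$$" ] && continue
            case " $frozen " in *" $pid "*) continue ;; esac
            # SIGSTOP cannot be caught or ignored. Failure means the PID
            # exited (or is not ours) between the listing and the signal.
            if kill -STOP "$pid" 2>/dev/null; then
                frozen="$frozen $pid"
                progress=1
            fi
        done
        # A pass that froze nothing new means the family has stopped growing.
        [ "$progress" -eq 0 ] && break
    done
    count=0
    for pid in $frozen; do
        # Frozen processes cannot fork, so freed slots are not reclaimed.
        if kill -KILL "$pid" 2>/dev/null; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Usage (as root, or as the affected user): defuse steve bash
```

Run it from a shell whose own name does not match NAME, or as root against the affected user, so the cleanup does not freeze the session doing the work.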
 
Comments:
ever used pgrep?

pgrep bash | xargs kill -STOP

or, if you only want to kill a user's bash:

pgrep -U 1234 bash | xargs kill -STOP

voila
 
Aww, cool. Thanks, never knew that.
 