Understanding Bash fork() Bomb :(){ :|:& };: code

Can you explain the following bash code or bash fork() bomb code?
:(){ :|:& };:

The fork bomb is a form of denial-of-service (DoS) attack against a Linux or Unix-based system. It makes use of the fork operation. The :(){ :|:& };: is nothing but a bash function that gets executed recursively. Sysadmins often use it to test user process limits on a server. Linux process limits can be configured via /etc/security/limits.conf and PAM to defend against a bash fork() bomb. Once a fork bomb has been activated on a system, it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it.

WARNING! These examples may crash your computer if executed.

Understanding :(){ :|:& };: fork() bomb code

:() – Defines a function called :. This function accepts no arguments. The syntax for a bash function is as follows:

foo(){
 arg1=$1
 arg2=$2
 echo 'Bar..'
 #do_something on $arg argument
}

fork() bomb is defined as follows:

:(){
 :|:&
};:

:|: – Next, the function calls itself using the programming technique called recursion and pipes the output to another call of the function ':'. The worst part is that the function gets called two times to bomb your system.

& – Puts the function call in the background so the child cannot die at all and starts eating system resources.

; – Terminates the function definition.

: – Calls (runs) the function, aka sets off the fork() bomb.

Here is more human-readable code:

bomb() { 
 bomb | bomb &
}; bomb

A properly configured Linux / UNIX box should not go down when a fork() bomb is set off. See comment #5 below for more fork bomb examples created in Perl, Windows XP (batch) and C.


Preventing fork bomb on Linux

Type the following ulimit command to find out the current maximum processes you can run on Linux:
ulimit -u
OR
ulimit -a

The number 128038 indicates that you can run 128038 processes. To protect your Linux system from a fork bomb, you need to lower that number. To limit your session to 5000 processes, use the following command:
ulimit -S -u 5000

WARNING! Please don’t set ulimit numbers too low. This will prevent you from working on your system.

Now run fork bomb again:
:(){ :|:& };:
And you will see messages as follows:

bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable

You just avoided a fork bomb on Linux. Run the following pgrep command to count the threads currently running under your user and compare that number with the limit:
pgrep -wcu $USER
Sample outputs:

5002
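
An added example (not part of the original article): a small script that works out which nproc value rules in the /etc/security/limits.conf format give a user, then compares the session's soft limit with the pgrep task count used above. The sample rules, the users alice and bob, the group devs and the function names are constructed for illustration; ranking the wildcard lowest and letting the last rule win on a tie are assumptions.

```bash
#!/usr/bin/env bash
# Added example: resolve the nproc limit for a user and check session headroom.

# effective_nproc USER TYPE [GROUP...]  (rules on stdin) -> value or "unset".
# User-over-group priority is from limits.conf(5); ranking "*" lowest and
# "last rule wins on a tie" are assumptions of this sketch.
effective_nproc() {
  en_user=$1 en_type=$2; shift 2
  awk -v user="$en_user" -v type="$en_type" -v groups=" $* " '
    /^[ \t]*(#|$)/ { next }                                # comments, blanks
    $3 != "nproc" || ($2 != type && $2 != "-") { next }    # "-" sets both types
    {
      d = $1; rank = 0
      if (d == user) rank = 3
      else if (user == "root") next      # group/wildcard rules skip root
      else if (substr(d, 1, 1) == "@" && index(groups, " " substr(d, 2) " ")) rank = 2
      else if (d == "*") rank = 1
      if (rank && rank >= best) { best = rank; value = $4 }
    }
    END { print (best ? value : "unset") }'
}

# nproc_verdict SOFT_LIMIT TASK_COUNT -> one-line assessment.
nproc_verdict() {
  case "$1" in
    unlimited)   echo "WEAK: no cap on processes"; return ;;
    ''|*[!0-9]*) echo "UNKNOWN: could not read limit"; return ;;
  esac
  case "$2" in ''|*[!0-9]*) echo "UNKNOWN: could not read task count"; return ;; esac
  if [ "$2" -ge "$1" ]; then echo "AT-LIMIT: fork will fail with EAGAIN"
  else echo "OK: $(( $1 - $2 )) tasks of headroom"; fi
}

# Constructed sample in /etc/security/limits.conf format (not from a real host).
SAMPLE_LIMITS='# <domain> <type> <item> <value>
*       soft  nproc  5000
*       hard  nproc  10000
@devs   -     nproc  2000
alice   soft  nproc  unlimited
'
for u in alice bob; do   # both are hypothetical members of group "devs"
  printf '%s soft nproc: %s\n' "$u" \
    "$(printf '%s' "$SAMPLE_LIMITS" | effective_nproc "$u" soft devs)"
done

# Live session: soft limit from ulimit, task count from the article's pgrep call.
soft=$(ulimit -S -u 2>/dev/null) || soft=
tasks=$(pgrep -wcu "$(id -un)" 2>/dev/null) || tasks=
echo "this session: $(nproc_verdict "$soft" "$tasks")"
```

In the sample, the per-user line for alice overrides the 2000 cap her group would otherwise impose, which is the kind of exception worth looking for when reviewing a real limits.conf.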

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.