Fork Bunny

By Susam Pal on 11 Jun 2006

Have a close look at this line of shell command that can be executed on Bash, Zsh, and most POSIX or POSIX-like shells:

: () { : | : & } ; :

Beware! Don't execute it on your system without understanding the consequences completely. If the command above looks puzzling, that is because it is deliberately obfuscated. Let us simplify it.

The : is a function name. It could very well have been f. Let us replace : with f and see what the code now looks like.

f () { f | f & } ; f

Now it looks familiar. We have two commands separated by a semicolon. Written in a more legible manner, the code would look like this:

f()
{
    f | f &
}

f

It creates a function f and then executes it. This function calls itself twice recursively. The control operator & executes the recursive calls to f asynchronously, i.e., in the background. The number of instances of the function executing keeps growing exponentially thereby depleting CPU cycles and memory. The system is rendered unusable soon.

This type of denial-of-service attack by self-replication is also known as a fork bunny which is a specific type of wabbit. See the following entry in the Jargon File for more information on this: wabbit.

Comments