17 Mar 2016

Fork Bomb Detector

A fork bomb is a denial-of-service attack on the operating system in which a process continually replicates itself until the process table or memory is exhausted, starving other processes and slowing down or crashing the system. Linux mitigates this with hard limits rather than detection: the kernel caps the number of process ids (the kernel.pid_max sysctl), and the number of processes per user can be restricted with RLIMIT_NPROC, typically configured in /etc/security/limits.conf. Once such a limit is reached, fork() fails with EAGAIN for every process of that user, legitimate ones included, while a bomb that is still running keeps refilling the freed slots. This kernel functionality goes a step further and identifies the fork bomb itself, by measuring the time between two fork calls and enforcing a threshold on it.

Solution

The solution is a loadable kernel module (LKM) that hooks the fork system call and examines each call to decide whether it comes from a fork bomb. A call is treated as suspicious if the calling process has a process id above a predefined system threshold, or if the interval between its fork calls is shorter than a predetermined period. If the caller looks like a fork bomb, it is not allowed to complete the fork system call, and the user is notified of the event.

Once loaded, the module intercepts every fork call and checks whether a fork bomb is spawning processes. If it detects unusual forking by a process, that process is not allowed to complete the fork call, and the action taken is logged to syslog.
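The two checks described above, written out as an added example in plain user-space C so the logic can be exercised without loading a kernel module. This is not the project's own code: the thresholds, the per-parent table and the helper names are assumptions, and the fprintf() calls stand in for the printk() a module would use. It also goes one step beyond the page with a system-wide fork-rate window, because the classic shell bomb spreads its forks over many short-lived children and each parent forks only twice.

```c
/* Added example of fork-bomb detection heuristics; not the project's module. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed thresholds; a real module would expose these as module parameters. */
#define PID_THRESHOLD     30000         /* deny forks from pids above this */
#define MIN_FORK_GAP_NS   1000000ULL    /* deny a second fork from one parent within 1 ms */
#define GLOBAL_WINDOW_NS  100000000ULL  /* 100 ms window for the system-wide rate */
#define GLOBAL_MAX_FORKS  50            /* more forks than this per window is a bomb */
#define MAX_TRACKED       256

enum verdict { FORK_ALLOW = 0, FORK_DENY_PID, FORK_DENY_RATE, FORK_DENY_GLOBAL };

struct fork_state { int pid; uint64_t last_fork_ns; };

struct detector {
    struct fork_state table[MAX_TRACKED];  /* per-parent time of last fork */
    size_t n;
    uint64_t window_start_ns;              /* system-wide window (added heuristic) */
    unsigned window_forks;
};

/* Find or create the per-parent record; NULL when the table is full. */
static struct fork_state *state_for(struct detector *d, int pid)
{
    for (size_t i = 0; i < d->n; i++)
        if (d->table[i].pid == pid)
            return &d->table[i];
    if (d->n == MAX_TRACKED)
        return NULL;
    d->table[d->n].pid = pid;
    d->table[d->n].last_fork_ns = 0;
    return &d->table[d->n++];
}

/* Decide whether the fork issued by `pid` at monotonic time `now_ns` may proceed. */
enum verdict fork_check(struct detector *d, int pid, uint64_t now_ns)
{
    /* Check 1 (from the page): a pid above the threshold means the pid space is nearly used up. */
    if (pid > PID_THRESHOLD) {
        fprintf(stderr, "forkbomb: pid %d above threshold %d, fork denied\n", pid, PID_THRESHOLD);
        return FORK_DENY_PID;
    }
    /* Check 2 (from the page): the same parent forking again sooner than the allowed gap. */
    struct fork_state *s = state_for(d, pid);
    if (s && s->last_fork_ns != 0 && now_ns - s->last_fork_ns < MIN_FORK_GAP_NS) {
        fprintf(stderr, "forkbomb: pid %d forked again after %llu ns, fork denied\n",
                pid, (unsigned long long)(now_ns - s->last_fork_ns));
        return FORK_DENY_RATE;
    }
    /* Check 3 (added here): system-wide forks per window, to catch a bomb whose
       every parent forks only twice and therefore never trips check 2. */
    if (now_ns - d->window_start_ns >= GLOBAL_WINDOW_NS) {
        d->window_start_ns = now_ns;
        d->window_forks = 0;
    }
    if (++d->window_forks > GLOBAL_MAX_FORKS) {
        fprintf(stderr, "forkbomb: %u forks within %llu ns system-wide, fork denied\n",
                d->window_forks, (unsigned long long)GLOBAL_WINDOW_NS);
        return FORK_DENY_GLOBAL;
    }
    if (s)
        s->last_fork_ns = now_ns;
    return FORK_ALLOW;
}

/* Feed a constructed sequence of (pid, time) forks to a fresh detector; return the last verdict. */
enum verdict last_verdict(const int *pids, const uint64_t *times_ns, size_t n)
{
    struct detector d;
    memset(&d, 0, sizeof d);
    enum verdict v = FORK_ALLOW;
    for (size_t i = 0; i < n; i++)
        v = fork_check(&d, pids[i], times_ns[i]);
    return v;
}

/* Constructed trace: a shell forking ten times 10 ms apart, then a bomb using
   200 fresh pids that fork 250 us apart. Returns the number of denied forks. */
int replay_constructed_trace(void)
{
    struct detector d;
    memset(&d, 0, sizeof d);
    int denied = 0;
    uint64_t t = 1000000000ULL;                      /* start at t = 1 s */
    for (int i = 0; i < 10; i++, t += 10000000ULL)   /* well-behaved parent */
        if (fork_check(&d, 1234, t) != FORK_ALLOW) denied++;
    for (int i = 0; i < 200; i++, t += 250000ULL)    /* bomb: a new pid each time */
        if (fork_check(&d, 2000 + i, t) != FORK_ALLOW) denied++;
    return denied;
}
```

In the replayed trace the well-behaved parent is never denied, while the bomb passes the per-parent check on every call (each pid forks only once) and is stopped only by the system-wide window: 50 forks are allowed and the remaining 150 are denied. The pid threshold check is a last resort that fires only once the pid space is nearly exhausted, so the time-based checks are what matter in practice.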

The project is hosted on GitHub.
