Coder
04-22-2002, 09:26 AM
Both Splashhost and Voxtreme have been hit recently with Fork Bombs.
What is a fork bomb ?
And is there a way to trace it back to the attacker ?
Who would gain from fork bombing splash and vox ?
A fork bomb is an attack engineered/intended to consume the resources of a target host. Typically fork bombs make a given process respawn XXX times and therein crash a server. Essentially a local DoS (Denial of Service) attack. But there are many types of fork bombs that are capable of targeting different resources (e.g. memory, disk I/O, CPU etc...).
As for tracing a user who performs fork bomb attacks, it can be a bit tricky to isolate. If you don't have proper logging features set up you'll probably get nothing but kernel errors reporting "max file handlers exceeded" and the system will be spitting "fork() failed" errors. You may also start to see paging errors in your kernel logs - it can get really messy. Another problem is so many hosts have a large volume of users per server, so it adds to an already daunting task.
If you have such things as PAM resource limiting set up, or kernel-level patches to protect from userspace resource abuse - then all that need be done is check the logs and you'll see what UIDs are abusing resources. Thereafter it's just a matter of checking logs for the IP info of the given user (are they using a proxy? probably). And of course having the thrill of rm -rf /home/lameuser :mad:
As for gain, often the attacker's only goal is to see a given host go down - that in itself can be gain enough. In other cases it may be a competitor or someone trying to ruin your company's image who launches fork bomb attacks (yes, I have seen competitors launch attacks on other hosting companies).
Basically it all comes down to you being prepared for such an incident. The following links are some features I use to protect my servers/users from resource attacks:
grsecurity kernel patches (provides a full suite of kernel-level security features, from fork() limiting to noexec stack and socket restrictions... to name a few):
http://www.grsecurity.net
PAM Resource Limiting:
http://www.webhostingtalk.com/showthread.php?threadid=45887
Kernel.org (I like always having a stable & current release, or one compatible with grsecurity - usually the current one):
http://www.kernel.org
Snort IDS - it can be configured to detect specific types of code (e.g. fork() calls) being run over a TCP session (e.g. telnet, IRC etc.).
http://www.snort.org
PureSecure (I use it to allow me to monitor all my servers in a central location - load, logs, Snort alerts etc.)
http://www.demarc.com
P.S: excuse my spelling - I've gone and pulled another all-nighter :cartman:
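The "check what UIDs are abusing resources" step above is the part that is hard to do by eye on a busy shared host. The script below is an added example, not code from the thread or from any of the linked projects: it reads a snapshot in the format of `ps -eo uid,pid,ppid,comm`, counts processes per UID, and for any UID over a threshold reports the dominant command name and how deep its self-replicating parent chain goes (a process whose parent is the same command under the same UID, repeated generation after generation, is the signature of a script that "repeats itself"). The snapshot, the command name `repeat.cgi`, the UIDs and the threshold of 5 are all constructed for the demonstration; a real limits.conf value would be far higher.

```python
"""Spot a fork-bomb style process storm from a ps snapshot.

Input is the text of `ps -eo uid,pid,ppid,comm`.  Processes are grouped
by UID; any UID over the threshold is reported together with its most
common command name and the longest parent chain of that same command.
Everything below is constructed sample data, not a real capture.
"""
from collections import Counter, defaultdict

# Constructed snapshot: UID 1007 is running a self-replicating CGI
# (repeat.cgi), everything else is normal background load.
SAMPLE_PS = """\
  UID   PID  PPID COMMAND
    0     1     0 init
    0   412     1 sshd
   33   900     1 httpd
   33   901   900 httpd
   33   902   900 httpd
 1001   950   412 bash
 1001   951   950 vim
 1007  1200   901 repeat.cgi
 1007  1201  1200 repeat.cgi
 1007  1202  1200 repeat.cgi
 1007  1203  1201 repeat.cgi
 1007  1204  1201 repeat.cgi
 1007  1205  1203 repeat.cgi
 1007  1206  1203 repeat.cgi
 1007  1207  1205 repeat.cgi
"""


def parse_ps(text):
    """Turn `ps -eo uid,pid,ppid,comm` output into a list of dicts, header skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        uid, pid, ppid, comm = line.split(None, 3)
        procs.append({"uid": int(uid), "pid": int(pid),
                      "ppid": int(ppid), "comm": comm.strip()})
    return procs


def per_uid_counts(procs):
    """Number of processes owned by each UID."""
    return Counter(p["uid"] for p in procs)


def chain_depth(proc, by_pid):
    """Length of the chain of ancestors that share this process's UID and command.

    A depth of 1 means the parent is something else (e.g. httpd); larger
    values mean the command keeps spawning copies of itself.
    """
    depth = 1
    parent = by_pid.get(proc["ppid"])
    while parent and parent["uid"] == proc["uid"] and parent["comm"] == proc["comm"]:
        depth += 1
        parent = by_pid.get(parent["ppid"])
    return depth


def find_fork_storms(procs, max_procs=5):
    """Return {uid: {count, command, chain_depth}} for UIDs over the threshold.

    max_procs=5 is deliberately tiny so the constructed sample trips it;
    on a real host use the same number you enforce via PAM limits.
    """
    by_pid = {p["pid"]: p for p in procs}
    by_uid = defaultdict(list)
    for p in procs:
        by_uid[p["uid"]].append(p)

    storms = {}
    for uid, plist in by_uid.items():
        if len(plist) <= max_procs:
            continue
        command = Counter(p["comm"] for p in plist).most_common(1)[0][0]
        deepest = max(chain_depth(p, by_pid) for p in plist if p["comm"] == command)
        storms[uid] = {"count": len(plist), "command": command, "chain_depth": deepest}
    return storms


if __name__ == "__main__":
    report = find_fork_storms(parse_ps(SAMPLE_PS))
    for uid, info in report.items():
        print(f"UID {uid}: {info['count']} processes, mostly {info['command']!r}, "
              f"self-spawning {info['chain_depth']} generations deep")
```

With live data you would feed it `subprocess.check_output(["ps", "-eo", "uid,pid,ppid,comm"], text=True)` instead of the constructed string; the UID it names is the one to look up in your login, FTP and Apache logs for the source IP.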
Coder
04-22-2002, 10:51 AM
Thanks for the excellent info :D
No prob. Now all I need is some sleep :eek:
Anyone else got nifty ideas on fork bomb protection - or a 'different' approach to protection?
mdrussell
04-23-2002, 11:42 AM
I don't know who benefits from bombing us and Splash - maybe someone gets kicks out of it.
Some pretty good descriptions of fork bombs so far. The ones we have come across tend to be simple CGI scripts with a few lines of code - the original script repeats itself, and each new instance repeats itself, clogging up the server and eventually bringing it to its knees.
We are now using some kernel patches and apache directives to try and prevent the fork bombs.
Regards
Matt
I'm wondering, what type of patches are you using?
miami_g
04-24-2002, 07:35 AM
:angry:
We have been getting fork bombed from Brazil for the last two weeks; we finally traced the IP.
The attacks have been anonymous FTP based.
I wonder if denial of the IP class at the router level would stop this trash.
Since we have no customers in South America, excluding the class would not bother us a bit.
Any ideas or success we have, we will share.
g
priyadi
04-24-2002, 10:35 AM
How can one fork bomb your server by using anonymous FTP? :confused:
Coder
04-24-2002, 10:39 AM
I assume they upload the fork bomb script using anonymous FTP.
:confused: ftp != forkbomb?
I guess he just worded it wrong; yeah, he probably means they uploaded their script and ran it via Apache, possibly?