WEBVTT

0
00:01.380 --> 00:08.400
Hello, guys, in this video, I'll show you a very interesting attack of type denial of service called

1
00:08.400 --> 00:15.810
fork bomb or rabbit virus, pay special attention to it because it can be executed by a non-privileged

2
00:15.810 --> 00:20.980
user and can bring down and make unusable the entire Linux system.

3
00:21.960 --> 00:29.460
I can honestly say that it was a very unpleasant surprise for me to test it on the many Linux distributions

4
00:29.610 --> 00:32.250
and see that it works on all of them.

5
00:33.780 --> 00:39.880
In a matter of seconds and with only one line of code, a normal user will hack the system.

6
00:40.350 --> 00:47.760
Let's get started and see the attack live, but please don't test it on a production system because

7
00:47.760 --> 00:52.890
it will make it unusable; only in a VM or on a test system

8
00:53.040 --> 00:54.770
to which you have physical access.

9
00:55.080 --> 01:03.690
Be prepared for a crash and a forced reboot of your system. On the latest version of Ubuntu, as a non-privileged

10
01:03.720 --> 01:04.230
user.

11
01:04.350 --> 01:05.900
And this is the key here.

12
01:06.360 --> 01:08.400
I'm creating a new Bash script.

13
01:11.470 --> 01:20.740
And inside the script, I'm adding a single line of code: $0  && $0 &

14
01:20.740 --> 01:23.310
And that's all.

15
01:24.040 --> 01:27.700
Don't worry, I'll explain it to you in detail later.

16
01:28.360 --> 01:36.640
Now I'm saving the file, setting the execution permission and running the script as usual.

17
01:41.140 --> 01:48.490
In a few seconds, the system will become unusable, I cannot even move the mouse anymore and there

18
01:48.490 --> 01:50.020
is no chance to stop it.

19
01:50.890 --> 01:54.000
I try to run the ls command, but it doesn't work.

20
01:55.630 --> 02:03.940
The system has crashed; the script has caused resource starvation, crashing the system. The only

21
02:03.940 --> 02:10.440
way to get out of this is to force reboot the system using the power off or reboot button.

22
02:12.880 --> 02:18.010
I'm stopping the VM and then starting it again so I can regain access.

23
02:26.500 --> 02:30.520
I'm pausing the recording until it starts so I can log in.

24
02:37.620 --> 02:39.120
The system has restarted.

25
02:41.060 --> 02:44.720
Let's take a deeper look at the script and what has happened.

26
02:46.790 --> 02:47.780
This is the script.

27
02:49.030 --> 02:55.870
It performs a denial of service attack that makes use of the fork system call to create an infinite

28
02:55.870 --> 02:57.040
number of processes.

29
02:58.300 --> 03:06.670
$0 is a special variable that represents the script itself, so the script is running itself recursively

30
03:06.670 --> 03:10.860
two times, and then it is going in the background for another recursive call.

31
03:11.470 --> 03:13.660
It does this indefinitely.

32
03:14.080 --> 03:22.120
The ampersand at the end puts the process in the background so the new child processes cannot die at all and

33
03:22.120 --> 03:24.280
start eating the system resources.

34
03:25.110 --> 03:27.930
Let's see how to prevent such a fork bomb.

35
03:29.200 --> 03:35.520
If you run ulimit -u, you will see the number of available processes for the current user.

36
03:35.770 --> 03:37.510
This value is very large.

37
03:38.170 --> 03:45.670
You can also run ulimit -a to see a lot of limits available to the shell and the processes it creates.

38
03:45.790 --> 03:47.920
To prevent the fork

39
03:47.920 --> 03:52.150
bomb, we'll lower the number of processes the user can start.

40
03:52.990 --> 04:00.850
So the processes cannot continuously replicate themselves. As root, I'm opening the following file:

41
04:01.210 --> 04:04.660
/etc/security/limits.conf

42
04:07.200 --> 04:18.390
And at the end, I'm adding the following line, the name of the user, student, hard, nproc and

43
04:18.390 --> 04:24.570
the value, for example, two thousand, this will limit the user processes to two thousand.

44
04:24.960 --> 04:28.260
Please don't set the ulimit numbers too low.

45
04:28.440 --> 04:32.160
By doing so, you will prevent the user from working on the system.

46
04:32.700 --> 04:41.190
And you can also add such a limit for a group as follows: @ the name of the group, for example, admins

47
04:42.630 --> 04:50.400
hard, nproc and the value, for example, four thousand. I'm saving the file; the new limits will

48
04:50.400 --> 04:55.530
be available for new sessions, so I'm logging out and then logging in again.

49
05:05.760 --> 05:08.670
I'm opening a shell and running the script again.

50
05:13.310 --> 05:20.900
We see that the system is not becoming unavailable and we can work on it. See this message, which

51
05:20.900 --> 05:25.340
practically means that the shell is not allowed to create the new processes.

52
05:30.800 --> 05:33.060
But the system is not unusable.

53
05:34.220 --> 05:35.220
I can work on it.

54
05:36.020 --> 05:43.200
Congratulations, you've just mitigated the fork bomb attack on Linux and made your system more secure.