CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5417 vulnerabilities reference this CWE, most recent first.
GHSA-RCG3-496J-9XC6
Vulnerability from github – Published: 2022-09-03 00:00 – Updated: 2022-09-09 00:00Denial of service in multimedia due to uncontrolled resource consumption while parsing an incoming HAB message in Snapdragon Auto
{
"affected": [],
"aliases": [
"CVE-2022-22101"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-02T12:15:00Z",
"severity": "MODERATE"
},
"details": "Denial of service in multimedia due to uncontrolled resource consumption while parsing an incoming HAB message in Snapdragon Auto",
"id": "GHSA-rcg3-496j-9xc6",
"modified": "2022-09-09T00:00:49Z",
"published": "2022-09-03T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22101"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/july-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCHP-G55P-PR44
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44SoftCo with software V200R003C20,eSpace U1910 with software V200R003C00, V200R003C20 and V200R003C30,eSpace U1911 with software V200R003C20, V200R003C30,eSpace U1930 with software V200R003C20 and V200R003C30,eSpace U1960 with software V200R003C20, V200R003C30,eSpace U1980 with software V200R003C20, V200R003C30,eSpace U1981 with software V200R003C20 and V200R003C30 have an denial of service (DoS) vulnerability, which allow an attacker with specific permission to craft a file containing malicious data and upload it to the device to exhaust memory, causing a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2017-2690"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-22T19:29:00Z",
"severity": "MODERATE"
},
"details": "SoftCo with software V200R003C20,eSpace U1910 with software V200R003C00, V200R003C20 and V200R003C30,eSpace U1911 with software V200R003C20, V200R003C30,eSpace U1930 with software V200R003C20 and V200R003C30,eSpace U1960 with software V200R003C20, V200R003C30,eSpace U1980 with software V200R003C20, V200R003C30,eSpace U1981 with software V200R003C20 and V200R003C30 have an denial of service (DoS) vulnerability, which allow an attacker with specific permission to craft a file containing malicious data and upload it to the device to exhaust memory, causing a DoS condition.",
"id": "GHSA-rchp-g55p-pr44",
"modified": "2022-05-13T01:44:54Z",
"published": "2022-05-13T01:44:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2690"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170111-01-parser-en"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95382"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCJH-H6HV-XWCC
Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2022-09-21 00:00Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.
{
"affected": [],
"aliases": [
"CVE-2020-9060"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T14:10:00Z",
"severity": "MODERATE"
},
"details": "Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.",
"id": "GHSA-rcjh-h6hv-xwcc",
"modified": "2022-09-21T00:00:40Z",
"published": "2022-01-11T00:01:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9060"
},
{
"type": "WEB",
"url": "https://doi.org/10.1109/ACCESS.2021.3138768"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/VFuzz-public"
},
{
"type": "WEB",
"url": "https://ieeexplore.ieee.org/document/9663293"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/142629"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/142629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCR6-5574-8Q33
Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-08-22 18:31Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream pushes.
{
"affected": [],
"aliases": [
"CVE-2025-55634"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-22T17:15:35Z",
"severity": "HIGH"
},
"details": "Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream pushes.",
"id": "GHSA-rcr6-5574-8q33",
"modified": "2025-08-22T18:31:24Z",
"published": "2025-08-22T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55634"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/306.html"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"type": "WEB",
"url": "https://relieved-knuckle-264.notion.site/RTMP-Injection-DoS-through-Unauthenticated-Stream-Publish-23c437003642800297c8c128b6117885?pvs=74"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCXV-VMJ3-3MJ9
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.
This vulnerability is due to an error in the JSTokenizer normalization logic when the HTTP inspection normalizes JavaScript. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection that is parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine restarts unexpectedly. JSTokenizer is not enabled by default.
{
"affected": [],
"aliases": [
"CVE-2026-20066"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T18:16:21Z",
"severity": "MODERATE"
},
"details": "Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.\n\nThis vulnerability is due to an error in the JSTokenizer normalization logic when the HTTP inspection normalizes JavaScript. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection that is parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine restarts unexpectedly. JSTokenizer is not enabled by default.",
"id": "GHSA-rcxv-vmj3-3mj9",
"modified": "2026-03-04T18:31:55Z",
"published": "2026-03-04T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20066"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-multi-dos-XFWkWSwz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RF6C-M595-CVC8
Vulnerability from github – Published: 2025-02-10 21:31 – Updated: 2025-02-11 15:32The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, Safari 17.4, tvOS 17.4, watchOS 10.4, visionOS 1.1, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2024-54658"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-10T19:15:39Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, Safari 17.4, tvOS 17.4, watchOS 10.4, visionOS 1.1, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service.",
"id": "GHSA-rf6c-m595-cvc8",
"modified": "2025-02-11T15:32:22Z",
"published": "2025-02-10T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54658"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120881"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120882"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120883"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120893"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120894"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120895"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RF6Q-VX79-MJXR
Vulnerability from github – Published: 2022-05-25 00:00 – Updated: 2025-06-12 16:03A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.39.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.40.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.10.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.2.11.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3629"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T22:41:25Z",
"nvd_published_at": "2022-05-24T19:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.",
"id": "GHSA-rf6q-vx79-mjxr",
"modified": "2025-06-12T16:03:19Z",
"published": "2022-05-25T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3629"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
},
{
"type": "PACKAGE",
"url": "https://github.com/undertow-io/undertow"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220729-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undertow Uncontrolled Resource Consumption"
}
GHSA-RFG2-PJW2-56X2
Vulnerability from github – Published: 2026-05-29 20:18 – Updated: 2026-05-29 20:18Impact
DNSCache._async_add inserted every response record into cache, _expirations, _expire_heap, and service_cache with no cap on entry count. The only pre-existing protection was a PTR TTL floor (_DNS_PTR_MIN_TTL = 1125 s, RFC 6762 §10), which actually prolonged attacker-injected records, and a periodic async_expire on _CACHE_CLEANUP_INTERVAL = 10 s that could not keep up with a flood.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can multicast valid mDNS responses with unique names (RFC 6762 §11 allows up to 253 bytes each) and watch them accumulate. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, every cache lookup and every periodic expiry pass grows linearly slower, starving asyncio and breaking unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks). A second variant — re-multicasting cached records with shifting TTLs — grows _expire_heap unbounded between cleanup runs without touching cache or _total_records.
Patches
Fixed in zeroconf 0.149.6 (PR #1718). Upgrade to >= 0.149.6.
Workarounds
There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.
Resources
- PR #1718, fix
- Issue #1715, public tracking issue
- RFC 6762 §10, RFC 6762 §11, CWE-400
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zeroconf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.149.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47184"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T20:18:53Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`DNSCache._async_add` inserted every response record into `cache`, `_expirations`, `_expire_heap`, and `service_cache` with no cap on entry count. The only pre-existing protection was a PTR TTL floor (`_DNS_PTR_MIN_TTL = 1125` s, RFC 6762 \u00a710), which actually *prolonged* attacker-injected records, and a periodic `async_expire` on `_CACHE_CLEANUP_INTERVAL = 10` s that could not keep up with a flood.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can multicast valid mDNS responses with unique names (RFC 6762 \u00a711 allows up to 253 bytes each) and watch them accumulate. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, every cache lookup and every periodic expiry pass grows linearly slower, starving asyncio and breaking unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks). A second variant \u2014 re-multicasting cached records with shifting TTLs \u2014 grows `_expire_heap` unbounded between cleanup runs without touching `cache` or `_total_records`.\n\n### Patches\n\nFixed in `zeroconf` 0.149.6 ([PR #1718](https://github.com/python-zeroconf/python-zeroconf/pull/1718)). Upgrade to `\u003e= 0.149.6`.\n\n### Workarounds\n\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n\n- [PR #1718](https://github.com/python-zeroconf/python-zeroconf/pull/1718), fix\n- [Issue #1715](https://github.com/python-zeroconf/python-zeroconf/issues/1715), public tracking issue\n- [RFC 6762 \u00a710](https://www.rfc-editor.org/rfc/rfc6762#section-10), [RFC 6762 \u00a711](https://www.rfc-editor.org/rfc/rfc6762#section-11), [CWE-400](https://cwe.mitre.org/data/definitions/400.html)",
"id": "GHSA-rfg2-pjw2-56x2",
"modified": "2026-05-29T20:18:53Z",
"published": "2026-05-29T20:18:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-rfg2-pjw2-56x2"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/issues/1715"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/pull/1718"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-zeroconf/python-zeroconf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood"
}
GHSA-RFH2-62GC-X7HW
Vulnerability from github – Published: 2023-04-03 21:32 – Updated: 2023-04-11 18:30The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.
{
"affected": [],
"aliases": [
"CVE-2023-29218"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-03T21:15:00Z",
"severity": "HIGH"
},
"details": "The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.",
"id": "GHSA-rfh2-62gc-x7hw",
"modified": "2023-04-11T18:30:28Z",
"published": "2023-04-03T21:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29218"
},
{
"type": "WEB",
"url": "https://github.com/twitter/the-algorithm/issues/1386"
},
{
"type": "WEB",
"url": "https://github.com/twitter/the-algorithm/tree/ec83d01dcaebf369444d75ed04b3625a0a645eb9"
},
{
"type": "WEB",
"url": "https://steventey.com/blog/twitter-algorithm"
},
{
"type": "WEB",
"url": "https://twitter.com/Kaptain_Kobold/status/1642379706925477888"
},
{
"type": "WEB",
"url": "https://twitter.com/aakashg0/status/1641976913165180929"
},
{
"type": "WEB",
"url": "https://twitter.com/elonmusk/status/1642324821324230657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFJG-2MJ6-JHMM
Vulnerability from github – Published: 2023-09-15 18:30 – Updated: 2024-04-04 07:42Control de Ciber, in its 1.650 version, is affected by a Denial of Service condition through the version function. Sending a malicious request could cause the server to check if an unrecognized component is up to date, causing a memory failure error that shuts down the process.
{
"affected": [],
"aliases": [
"CVE-2022-48474"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T08:15:13Z",
"severity": "HIGH"
},
"details": "Control de Ciber, in its 1.650 version, is affected by a Denial of Service condition through the version function. Sending a malicious request could cause the server to check if an unrecognized component is up to date, causing a memory failure error that shuts down the process.",
"id": "GHSA-rfjg-2mj6-jhmm",
"modified": "2024-04-04T07:42:26Z",
"published": "2023-09-15T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48474"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-control-de-ciber"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.