Read Time:1 Minute, 11 Second
Description
The software’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
Frequently the consequence is a “flood” of connection or sessions.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-664
CWE-400
Consequences
Availability, Integrity, Other: DoS: Crash, Exit, or Restart, Other
Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.
Potential Mitigations
Phase: Architecture and Design
Description:
Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
Phase: Architecture and Design
Description:
Consider implementing a velocity check mechanism which would detect abusive behavior.
Phase: Operation
Description:
Consider load balancing as an option to handle heavy loads.
Phase: Implementation
Description:
Make sure that resource handles are properly closed when no longer needed.
Phase: Architecture and Design
Description:
Identify the system’s resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).
CVE References
- CVE-1999-1363
- Large number of locks on file exhausts the pool and causes crash.
- CVE-2001-1340
- Product supports only one connection and does not disconnect a user who does not provide credentials.
- CVE-2002-0406
- Large number of connections without providing credentials allows connection exhaustion.
