Resource Depletion
Category ID: 119Status: Draft
+ Description

Summary

An attacker depletes a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful resource depletion attack is usually the degrading or denial of one or more services offered by the target. Resources required will depend on the nature of the resource to be depleted, the amount of the resource the target has access to, and other mitigating circumstances such as the target's ability to shift load, detect and mitigate resource depletion attacks, or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal.
+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
404Improper Resource Shutdown or ReleaseTargeted
770Allocation of Resources Without Limits or ThrottlingTargeted
+ Attack Prerequisites

The target must rely on a vulnerable resource for its operations and be unable to replace it in a reasonable amount of time if it is unavailable.

The attacker must have the ability to consume, destroy, or disrupt a resource required for normal operation of the target.

+ Resources Required

In order to deplete the target's resources the attacker must interact with the target in a programmatic way. Depending on the nature of the resource the attacker may need a client or script capable of making repeated requests over a network, or the ability to craft specific requests, such as an HTTP request containing thousands of slashes. If the attacker has some privileges on the system the required resource will likely be the ability to run a binary or upload a compiled exploit, or write and execute a script or program that consumes resources. Depending on the defenses of the targeted system, the attacker may need access to extensive computational and network resources in order to overwhelm the target.

+ Relationships
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory343WASC Threat Classification 2.0 - WASC-10 - Denial of Service 
WASC Threat Classification 2.0333
ParentOfAttack PatternAttack Pattern82Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern125Resource Depletion through Flooding 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern130Resource Depletion through Allocation 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern131Resource Depletion through Leak 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern227Denial of Service through Resource Depletion 
Mechanism of Attack (primary)1000
MemberOfViewView1000Mechanism of Attack 
Mechanism of Attack1000