Resource Depletion through Allocation
Attack Pattern ID: 130 (Standard Attack Pattern)
Completeness: Stub
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for legitimate services and degrading or denying service. Usually this attack focuses on memory allocation, but any finite resource on the target could be attacked, including bandwidth, processing cycles, file descriptors, or other resources. This attack does not attempt to force the allocation through a large number of requests (that would be Resource Depletion through Flooding); instead it uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service them. Often the attack takes advantage of a bug in the target that makes it allocate vastly more than a normal request would need. For example, using an Integer Attack, the attacker could cause a variable that controls allocation for a request (such as a length or count field read from the request itself) to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even crash the target.

+ Attack Prerequisites

The target must accept service requests from the attacker, and the attacker must be able to make the resource allocation associated with such a request exceed the normal allocation. The latter is usually accomplished through a bug on the target that lets the attacker manipulate the variables used to size the allocation.
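The mechanism described in the summary and the prerequisite above (an allocation sized from a value the attacker controls, triggered by a single small request), as an added example in C that is not part of the CAPEC entry. The 4-byte length-prefixed wire format, the MAX_PAYLOAD policy limit and the sample packets are all constructed for illustration; the vulnerable sizing routine is shown beside a hardened one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire format for this example (constructed, not from CAPEC):
 * a 4-byte big-endian payload length followed by the payload bytes. */

/* Policy limit on a single payload. The value is an assumption; a real
 * service would size it from its own workload. */
#define MAX_PAYLOAD 65536u

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable sizing: the buffer size comes straight from the attacker's
 * length field. Returns the byte count the server would pass to malloc(),
 * or 0 if the message cannot even hold a header. With declared =
 * 0xFFFFFFFF this is 4 GiB on a 64-bit size_t; on a 32-bit size_t the +1
 * wraps to 0, the "Integer Attack" variant the description mentions. */
size_t vulnerable_alloc_size(const uint8_t *msg, size_t msglen)
{
    if (msglen < 4)
        return 0;
    uint32_t declared = read_be32(msg);
    return (size_t)declared + 1;           /* +1 for a NUL terminator */
}

/* Hardened sizing: the declared length must be within policy (CWE-770
 * mitigation) and must not exceed the bytes actually received. Returns the
 * byte count to allocate, or 0 when the message is rejected. */
size_t hardened_alloc_size(const uint8_t *msg, size_t msglen)
{
    if (msglen < 4)
        return 0;
    uint32_t declared = read_be32(msg);
    if (declared > MAX_PAYLOAD)
        return 0;                          /* one request cannot claim more than the cap */
    if ((size_t)declared > msglen - 4)
        return 0;                          /* claims more payload than was sent */
    return (size_t)declared + 1;           /* cannot overflow: declared <= MAX_PAYLOAD */
}

/* Hardened read: allocates only after the checks pass, then copies the
 * payload into a NUL-terminated buffer. Returns NULL on rejection. */
char *read_payload_hardened(const uint8_t *msg, size_t msglen)
{
    size_t n = hardened_alloc_size(msg, msglen);
    if (n == 0)
        return NULL;
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 4, n - 1);
    buf[n - 1] = '\0';
    return buf;
}

/* Helper: parse with the hardened path and compare against an expected
 * payload. Returns 1 on match, 0 on rejection or mismatch. */
int payload_equals(const uint8_t *msg, size_t msglen, const char *expected)
{
    char *p = read_payload_hardened(msg, msglen);
    if (p == NULL)
        return 0;
    int same = strcmp(p, expected) == 0;
    free(p);
    return same;
}

/* Constructed sample traffic. */
const uint8_t good_msg[]  = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* One tiny packet that claims a 4 GiB payload. */
const uint8_t evil_msg[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};
/* Within the cap, but claims 256 bytes while sending one. */
const uint8_t short_msg[] = {0x00, 0x00, 0x01, 0x00, 'a'};

int main(void)
{
    printf("vulnerable sizing of evil_msg: %zu bytes\n",
           vulnerable_alloc_size(evil_msg, sizeof evil_msg));
    printf("hardened sizing of evil_msg:   %zu bytes (0 = rejected)\n",
           hardened_alloc_size(evil_msg, sizeof evil_msg));
    printf("hardened sizing of good_msg:   %zu bytes\n",
           hardened_alloc_size(good_msg, sizeof good_msg));
    return 0;
}
```

The vulnerable path sizes its buffer from the declared length alone, so a single 5-byte packet drives a multi-gigabyte malloc. The hardened path bounds the request against a policy cap and against the bytes actually received before allocating anything; the second check matters because a length that is under the cap but larger than the data on the wire is still a request the attacker gets for free.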

+ Resources Required

No special resources are required for this attack beyond the ability of the attacker to have the target service requests.

+ Related Weaknesses
CWE-ID    Weakness Name                                          Weakness Relationship Type
CWE-770   Allocation of Resources Without Limits or Throttling   Targeted
CWE-404   Improper Resource Shutdown or Release                  Targeted
+ Related Attack Patterns
Nature     Type             ID    Name                                                         View(s) this relationship pertains to
ChildOf    Category         119   Resource Depletion                                           Mechanism of Attack (primary) (1000)
ParentOf   Attack Pattern   228   Resource Depletion through DTD Injection in a SOAP Message   Mechanism of Attack (primary) (1000)