Asymmetric Resource Consumption (Amplification)| ID: 405 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Class |
Description
Software that does not appropriately monitor or control
resource consumption can lead to adverse system
performance.
Extended DescriptionThis situation is amplified if the software allows malicious users or
attackers to consume more resources than their access level permits.
Exploiting such a weakness can lead to asymmetric resource consumption,
aiding in amplification attacks against the system or the network.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Operation
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Availability | DoS: amplificationDoS: resource consumption
(other) | Sometimes this is a factor in "flood" attacks, but other types of
amplification exist. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | An application must make resources available to a client commensurate
with the client's access level. | | |
| Architecture and Design | | An application must, at all times, keep track of allocated resources
and meter their usage appropriately. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-405 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Asymmetric resource consumption
(amplification) | |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE_More_Specific |
| WASC | 41 | XML Attribute Blowup | |
| CERT Java Secure Coding | TPS00-J | Use thread pools to enable graceful degradation of service
during traffic bursts | |
| CERT Java Secure Coding | FIO04-J | Release resources when they are no longer
needed | |
References:None
