CAPEC-130 Excessive Allocation

CAPEC ID: 130

CAPEC-130 Metadata

Likelihood of Attack

Medium

Typical Severity

Medium

Overview

Summary

An adversary causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for legitimate services and degrading or denying service. Usually this attack focuses on memory allocation, but any finite resource on the target can be attacked, including bandwidth, processing cycles, or other resources. This pattern does not force the allocation through a large number of requests (that would be Resource Depletion through Flooding); instead it uses one or a small number of requests that are carefully formatted so that the target allocates far more than it needs to service them. Often the attack takes advantage of a bug in the target, such as trusting a size or count value supplied in the request, to make the target allocate resources vastly beyond what a normal request would require.

Prerequisites

The target must accept service requests from the attacker, and the adversary must be able to drive the resource allocation tied to such a request well beyond its normal size. The latter is usually accomplished through a bug on the target that lets the adversary manipulate the variables (for example, a length or count field read from the request) that control the allocation.

Potential Solutions / Mitigations

Limit the amount of resources that are accessible to unprivileged users. Assume all input is malicious. Consider all potentially relevant properties when validating input, not only its format but also any size or count values it carries that feed an allocation. Consider uniformly throttling all requests so that resources cannot be consumed faster than they can be freed. Use resource-limiting settings (for example, per-process memory limits) where available.
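To make the pattern in the Summary and the input-validation advice above concrete, the following added example (written for this page; it is not CAPEC's code nor taken from any real product) contrasts a length-prefixed message parser that hands an attacker-supplied length field straight to malloc() with a hardened version that checks the claimed length against a policy limit and against the bytes actually received. The wire format, the MAX_PAYLOAD limit, and the two sample messages are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy limit for this example: no single request may ask
 * the server to buffer more than 64 KiB of payload. */
#define MAX_PAYLOAD (64u * 1024u)

/* Wire format assumed for the example: 4-byte big-endian length, then
 * that many payload bytes. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE: the size that would be handed to malloc() is the attacker's
 * own length field. A 5-byte request can make the server reserve ~4 GiB
 * (CWE-770). Returns the byte count it would allocate; 0 if the header
 * is missing. */
size_t vulnerable_alloc_size(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4)
        return 0;
    return (size_t)read_be32(msg);   /* unchecked, attacker-controlled */
}

/* HARDENED: validates the relevant properties of the input before any
 * allocation. Returns the accepted payload length, or -1 to reject. */
int64_t hardened_alloc_size(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4)
        return -1;                           /* truncated header */
    uint32_t len = read_be32(msg);
    if (len > MAX_PAYLOAD)
        return -1;                           /* exceeds policy limit */
    if ((size_t)len > msg_len - 4)
        return -1;                           /* claims bytes that were never sent */
    return (int64_t)len;
}

/* Hardened copy of the payload: allocates only after the checks pass.
 * Returns NULL (and sets *out_len = 0) when the request is rejected. */
uint8_t *hardened_parse(const uint8_t *msg, size_t msg_len, size_t *out_len) {
    *out_len = 0;
    int64_t len = hardened_alloc_size(msg, msg_len);
    if (len < 0)
        return NULL;
    uint8_t *buf = malloc(len > 0 ? (size_t)len : 1); /* avoid malloc(0) ambiguity */
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 4, (size_t)len);
    *out_len = (size_t)len;
    return buf;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD_MSG[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t EVIL_MSG[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x'}; /* claims 4 GiB, sends 1 byte */

int main(void) {
    printf("vulnerable would malloc: good=%zu evil=%zu bytes\n",
           vulnerable_alloc_size(GOOD_MSG, sizeof GOOD_MSG),
           vulnerable_alloc_size(EVIL_MSG, sizeof EVIL_MSG));
    printf("hardened decision:       good=%lld evil=%lld\n",
           (long long)hardened_alloc_size(GOOD_MSG, sizeof GOOD_MSG),
           (long long)hardened_alloc_size(EVIL_MSG, sizeof EVIL_MSG));
    size_t n;
    uint8_t *p = hardened_parse(GOOD_MSG, sizeof GOOD_MSG, &n);
    if (p != NULL) {
        printf("hardened parsed %zu bytes: %.*s\n", n, (int)n, (const char *)p);
        free(p);
    }
    return 0;
}
```

The second check in hardened_alloc_size() is the one most often forgotten: even with a generous MAX_PAYLOAD, a length that exceeds the data actually received is proof the field is lying, and rejecting it early costs nothing. Request throttling and OS-level limits (such as a per-process address-space cap) belong on top of this check, not instead of it, since they bound the damage rather than prevent it.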

Related Weaknesses (CWE)

CWE ID Description
CWE-404 Improper Resource Shutdown or Release
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-1325 Improperly Controlled Sequential Memory Allocation

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1499.003 Endpoint Denial of Service: Application Exhaustion Flood

Taxonomy: WASC

Entry ID Entry Name
10 Denial of Service
