An attacker depletes a resource to the point that the target's
functionality is affected. Virtually any resource necessary for the target's
operation can be targeted in this attack. The result of a successful resource
depletion attack is usually the degrading or denial of one or more services
offered by the target. Resources required will depend on the nature of the
resource to be depleted, the amount of the resource the target has access to,
and other mitigating circumstances such as the target's ability to shift load,
detect and mitigate resource depletion attacks, or acquire additional resources
to deal with the depletion. The more protected the resource and the greater the
quantity of it that must be consumed, the more resources the attacker will need
to have at their disposal.

The target must rely on a vulnerable resource for its operations and be
unable to replace it in a reasonable amount of time if it is
unavailable.

The attacker must have the ability to consume, destroy, or disrupt a
resource required for normal operation of the target.

Resources Required
To deplete the target's resources, the attacker must interact with the
target in a programmatic way. Depending on the nature of the resource, the
attacker may need a client or script capable of making repeated requests over a
network, or the ability to craft specific requests, such as an HTTP request
containing thousands of slashes. If the attacker has some privileges on the
system, the required resource will likely be the ability to run a binary or
upload a compiled exploit, or to write and execute a script or program that
consumes resources. Depending on the defenses of the targeted system, the
attacker may need access to extensive computational and network resources in
order to overwhelm the target.
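
A defensive counterpart to the two network inputs named above (repeated requests and a request path containing thousands of slashes), as an added example that is not part of the CAPEC entry: a pre-check that bounds the work done per request and per client before any expensive processing starts. The class name, limits, and reason strings are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Assumed limits for illustration; tune them per service.
MAX_PATH_LEN = 2048   # bytes of request path accepted
MAX_SLASHES = 32      # upper bound on "/" characters in a path
RATE = 5.0            # tokens refilled per second, per client
BURST = 10.0          # token bucket capacity, per client


class RequestGuard:
    """Cheap admission checks run before parsing or normalizing a request."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # client id -> (tokens remaining, time of last refill).
        # A production table must itself be bounded (for example with LRU
        # eviction), or it becomes another depletable resource.
        self._buckets = defaultdict(lambda: (BURST, self._clock()))

    def _take_token(self, client):
        tokens, last = self._buckets[client]
        now = self._clock()
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(BURST, tokens + (now - last) * RATE)
        allowed = tokens >= 1.0
        self._buckets[client] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def check(self, client, path):
        """Return (allowed, reason); cost is at most O(len(path))."""
        # Every request spends a token, including ones rejected below,
        # so malformed requests cannot be sent for free.
        if not self._take_token(client):
            return False, "rate-limited"
        if len(path) > MAX_PATH_LEN:
            return False, "path-too-long"
        # Count separators on the raw path, without splitting or
        # normalizing it, so rejection stays cheap.
        if path.count("/") > MAX_SLASHES:
            return False, "too-many-slashes"
        return True, "ok"
```

Rejections are worth logging with the client identifier and reason, since a rising rate of `rate-limited` or `too-many-slashes` results is an early signal of a depletion attempt.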
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.