An attacker depletes a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful resource depletion attack is usually the degrading or denial of one or more services offered by the target. Resources required will depend on the nature of the resource to be depleted, the amount of the resource the target has access to, and other mitigating circumstances such as the target's ability to shift load, detect and mitigate resource depletion attacks, or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal.
Allocation of Resources Without Limits or Throttling
The target must rely on a vulnerable resource for its operations and be unable to replace it in a reasonable amount of time if it is unavailable.
The attacker must have the ability to consume, destroy, or disrupt a resource required for normal operation of the target.
In order to deplete the target's resources the attacker must interact with the target in a programmatic way. Depending on the nature of the resource the attacker may need a client or script capable of making repeated requests over a network, or the ability to craft specific requests, such as an HTTP request containing thousands of slashes. If the attacker has some privileges on the system the required resource will likely be the ability to run a binary or upload a compiled exploit, or write and execute a script or program that consumes resources. Depending on the defenses of the targeted system, the attacker may need access to extensive computational and network resources in order to overwhelm the target.