An attacker causes the target to allocate excessive resources to servicing
the attacker's request, thereby reducing the resources available for
legitimate services and degrading or denying services. Usually, this attack
focuses on memory allocation, but any finite resource on the target could be
attacked, including bandwidth, processing cycles, or other resources.
This attack does not attempt to force this allocation through a large number
of requests (that would be Resource Depletion through Flooding) but instead
uses one or a small number of requests that are carefully formatted to force
the target to allocate excessive resources to service them. Often
this attack takes advantage of a bug in the target to cause the target to
allocate resources vastly beyond what would be needed for a normal request.
For example, using an Integer Attack, the attacker could cause a variable
that controls allocation for a request to hold an excessively large value.
Excessive allocation of resources can render a service degraded or
unavailable to legitimate users and can even lead to crashing of the
target.
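As an added illustration (example code, not part of the CAPEC entry), the handler below parses a constructed length-prefixed request format: a naive implementation sizes its buffer from the client-supplied record count alone, so one request claiming 0xFFFFFFFF records asks for hundreds of gigabytes, while the hardened handler rejects the request before allocating. The record format, the 1024-record ceiling and the sample requests are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request format (an assumption for this example):
 *   bytes 0..3  record_count, big-endian u32, chosen by the client
 *   bytes 4..   record_count records of RECORD_SIZE bytes each */
#define RECORD_SIZE 64u
#define MAX_RECORDS 1024u   /* per-request ceiling chosen by the defender */
#define HDR_LEN     4u

static uint32_t read_u32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive handler's sizing decision: the buffer is sized from the header alone,
 * with no relation to the bytes actually received. Returns the byte count it
 * would pass to malloc for this request. */
uint64_t naive_allocation_bytes(const uint8_t *req, size_t len) {
    if (len < HDR_LEN) return 0;
    return (uint64_t)read_u32be(req) * RECORD_SIZE;
}

/* Hardened handler: allocation is bounded by a fixed ceiling and by the bytes
 * the client actually sent. Returns 0 on success (caller owns *out), -1 if the
 * declared count exceeds the ceiling, -2 if the payload is shorter than claimed,
 * -3 if malloc fails. */
int handle_request_checked(const uint8_t *req, size_t len,
                           uint8_t **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (len < HDR_LEN) return -2;
    uint32_t count = read_u32be(req);
    if (count > MAX_RECORDS) return -1;          /* reject before allocating */
    size_t need = (size_t)count * RECORD_SIZE;   /* no overflow: count <= 1024 */
    if (len - HDR_LEN < need) return -2;         /* header promises more than sent */
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf) return -3;
    memcpy(buf, req + HDR_LEN, need);
    *out = buf; *out_len = need;
    return 0;
}

/* Convenience wrapper returning only the status and releasing the buffer. */
int checked_status(const uint8_t *req, size_t len) {
    uint8_t *out; size_t n;
    int rc = handle_request_checked(req, len, &out, &n);
    free(out);
    return rc;
}

/* Constructed hostile request: header claims 0xFFFFFFFF records, sends 2 bytes. */
const uint8_t hostile_req[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
/* Constructed benign request: header claims 2 records and supplies all 128 bytes. */
uint8_t benign_req[HDR_LEN + 2 * RECORD_SIZE] = {0x00, 0x00, 0x00, 0x02};
```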
Attack Prerequisites
The target must accept service requests from the attacker and the attacker
must be able to control the resource allocation associated with this request
to be in excess of the normal allocation. The latter is usually accomplished
through the presence of a bug on the target that allows the attacker to
manipulate variables used in the allocation.
Resources Required
No special resources are required for this attack beyond the ability of the
attacker to have the target service requests.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.