CAPEC-130
Excessive Allocation
Moyen
Moyen
Stable
2014-06-23
00h00 +00:00
00h00 +00:00
2020-12-17
00h00 +00:00
00h00 +00:00
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Descriptions du CAPEC
An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.
Informations du CAPEC
Conditions préalables
The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation.Ressources nécessaires
None: No specialized resources are required to execute this type of attack.Atténuations
Limit the amount of resources that are accessible to unprivileged users.Assume all input is malicious. Consider all potentially relevant properties when validating input.
Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Use resource-limiting settings, if possible.
Faiblesses connexes
| Nom de la faiblesse | |
|---|---|
CWE-404 |
Improper Resource Shutdown or Release The product does not release or incorrectly releases a resource before it is made available for re-use. |
CWE-770 |
Allocation of Resources Without Limits or Throttling The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. |
CWE-1325 |
Improperly Controlled Sequential Memory Allocation The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |
Soumission
| Nom | Organisation | Date | Date de publication |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit | |
| CAPEC Content Team | The MITRE Corporation | Updated Resources_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses, Taxonomy_Mappings |
