CWE•Class•Incomplete•1 recent CVE
CWE-410Insufficient Resource Pool
Description
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
Frequently the consequence is a "flood" of connection or sessions.
Common consequences
- Availability,Integrity,Other→DoS: Crash, Exit, or Restart,OtherFloods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.
Potential mitigations
- Architecture and DesignDo not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
- Architecture and DesignConsider implementing a velocity check mechanism which would detect abusive behavior.
- OperationConsider load balancing as an option to handle heavy loads.
- ImplementationMake sure that resource handles are properly closed when no longer needed.
- Architecture and DesignIdentify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).