CAPEC-130: Excessive Allocation
An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.
Last updated
Overview
CAPEC-130 (Excessive Allocation) is a meta-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation.
Resources required
- None: No specialized resources are required to execute this type of attack.
Consequences
What a successful CAPEC-130 attack can achieve.
Resource Consumption
Affects: Availability
A successful excessive allocation attack forces the target system to exhaust its resources, thereby compromising the availability of its service.
How to mitigate it
Defenses that reduce the risk of CAPEC-130.
- Limit the amount of resources that are accessible to unprivileged users.
- Assume all input is malicious. Consider all potentially relevant properties when validating input.
- Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
- Use resource-limiting settings, if possible.
Examples
In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target.
Terminology & mappings
Mapped taxonomies
- ATTACK: Endpoint Denial of Service:Application Exhaustion Flood (1499.003)
- WASC: Denial of Service (10)
Frequently asked questions
Common questions about CAPEC-130.
- What is CAPEC-130?
- An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.
- How do you prevent CAPEC-130?
- Limit the amount of resources that are accessible to unprivileged users.
- What weaknesses does CAPEC-130 target?
- CAPEC-130 exploits 3 CWE weaknesses, including CWE-404 (Improper Resource Shutdown or Release), CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-1325 (Improperly Controlled Sequential Memory Allocation).
- How severe is CAPEC-130?
- MITRE rates CAPEC-130 as Medium severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-130
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.