An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

How do you prevent CAPEC-227?

Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.

What weaknesses does CAPEC-227 target?

CAPEC-227 exploits 1 CWE weakness, including CWE-400 (Uncontrolled Resource Consumption).

CAPEC-227: Sustained Client Engagement

The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. The key factor in a sustainment attack are the repeated requests that take longer to process than usual.

CAPEC-227: Sustained Client Engagement

Overview

What the attacker needs

Prerequisites

Resources required

How to mitigate it

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-227?

How do you prevent CAPEC-227?

What weaknesses does CAPEC-227 target?

References

Defend against CAPEC-227

Overview

What the attacker needs

Prerequisites

Resources required

How to mitigate it

Related weaknesses

Related attack patterns

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-227?

How do you prevent CAPEC-227?

What weaknesses does CAPEC-227 target?

References

Defend against CAPEC-227