
CWE-405 (Asymmetric Resource Consumption (Amplification)) — Vulnerability Class 33

33 vulnerabilities classified as CWE-405 (Asymmetric Resource Consumption (Amplification)). AI-generated analysis (originally in Chinese) included.

CWE-405 is an asymmetric resource consumption weakness: an attacker causes the system to spend far more resources (CPU, memory, bandwidth, storage) than the attacker spends to trigger it. It is typically exploited through amplification, for example reflection attacks in which a small request with a spoofed source address makes the server send a much larger response to a victim, or protocol messages that are cheap to send but expensive to process. Because the cost grows non-linearly with the attacker's effort, the result is usually denial of service: degraded performance for legitimate users or an outright crash. To mitigate this, developers should rate-limit per client, enforce request quotas, and bound the complexity and size of inputs before doing any expensive work on them. Resource caps, timeouts, and algorithms whose cost does not explode on adversarial input further ensure that an external input cannot consume resources out of proportion to the sender's access level, which preserves availability and removes the asymmetry the attacker depends on.

MITRE CWE Description
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Common Consequences (1)
Availability: DoS: Amplification; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
Mitigations (3)
Architecture and Design: An application must make resources available to a client commensurate with the client's access level.
Architecture and Design: An application must, at all times, keep track of allocated resources and meter their usage appropriately.
System Configuration: Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange. (Effectiveness: High)
Examples (2)
This code listens on a port for DNS requests and sends the result to the requesting address. UDP has no handshake, so the source address in a request is trivially spoofed: an attacker can make this server send its (much larger) responses to a third party, and nothing here limits how many responses one source may trigger.

```python
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))   # UDP_IP / UDP_PORT are defined elsewhere in the example
while True:
    data = sock.recvfrom(1024)   # (payload, sender address) tuple
    if not data:
        break
    # Destination and name come straight from the packet. The source address is
    # whatever the sender claimed, and no per-source limit or authorization is applied.
    # parseUDPpacket, resolveName and sendResponse are helpers not shown in the example.
    (requestIP, nameToResolve) = parseUDPpacket(data)
    record = resolveName(nameToResolve)
    sendResponse(requestIP, record)   # the response, often far larger than the request, goes to requestIP
```

Bad · Python
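The asymmetry in the example above, and the per-source metering that both the analysis and the MITRE mitigations call for, can be made concrete. The following is an added example, not MITRE's code and not the page's: an in-memory stand-in for the UDP responder with a constructed zone table and a constructed `<source_ip> <name>` query format (the source field is taken from the packet, so it is spoofable exactly like a UDP source address). It computes the amplification factor a large record gives an attacker and wraps the responder in a per-source token bucket; over-quota sources receive a two-byte truncated reply, modelled on the DNS Response Rate Limiting approach of answering with a small TC response so that a genuine client retries over TCP while a spoofed flood gains nothing. `ZONE`, `SourceRateLimiter`, `handle`, `simulate_flood`, the record names and the addresses are all hypothetical.

```python
"""Added example (not MITRE's or the page's code): a UDP-style responder that
measures its amplification factor and meters responses per source address.
All data is constructed and in memory; there is no network I/O."""
import time
from collections import defaultdict

# Constructed zone: one small record and one deliberately large one, the kind an
# amplifier abuses (ANY / large TXT answers).
ZONE = {
    b"example.test": b"A 192.0.2.10",
    b"big.example.test": b"TXT " + b"x" * 3000,   # ~3 KiB answer
}
TRUNCATED = b"TC"   # minimal reply: "retry over TCP"; never larger than a query


class SourceRateLimiter:
    """Token bucket per claimed source address (hypothetical helper)."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock
        self.buckets = defaultdict(lambda: [float(burst), clock()])

    def allow(self, source_ip):
        now = self.clock()
        tokens, last = self.buckets[source_ip]
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[source_ip] = [tokens, now]
        return allowed


def parse_query(datagram):
    """Constructed wire format b"<source_ip> <name>". Like a UDP source address,
    the source field is whatever the sender wrote, so it may be spoofed."""
    src, name = datagram.split(b" ", 1)
    return src.decode(), name


def resolve(name):
    return ZONE.get(name, b"NXDOMAIN")


def handle(datagram, limiter):
    """Return (destination, reply). Over-quota sources get TRUNCATED, so a
    spoofed source cannot be used to aim large replies at a victim."""
    src, name = parse_query(datagram)
    if not limiter.allow(src):
        return src, TRUNCATED
    return src, resolve(name)


def amplification(query, reply):
    """Bytes the server sends per byte it receives: the attacker's leverage."""
    return len(reply) / len(query)


def simulate_flood(n_packets, victim="203.0.113.5", rate=5.0, burst=5):
    """n_packets queries for the big record, all spoofed as coming from victim and
    arriving in one instant (frozen clock, so the bucket never refills).
    Returns (bytes the victim would receive unmetered, bytes with metering)."""
    query = victim.encode() + b" big.example.test"
    limiter = SourceRateLimiter(rate, burst, clock=lambda: 0.0)
    unmetered = metered = 0
    for _ in range(n_packets):
        unmetered += len(resolve(b"big.example.test"))
        _, reply = handle(query, limiter)
        metered += len(reply)
    return unmetered, metered


if __name__ == "__main__":
    q = b"203.0.113.5 big.example.test"
    print("amplification factor: %.1fx" % amplification(q, resolve(b"big.example.test")))
    print("victim bytes for 100 spoofed queries (unmetered, metered):", simulate_flood(100))
```

The limiter keys on the claimed source rather than on the query, which is the point: the victim of a reflection attack is the address being spoofed, so that is the address whose response volume has to be bounded. A real deployment would also cap the size of UDP answers and refuse the record types that produce the largest ones, as the System Configuration mitigation above suggests.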
This function prints the contents of a specified file requested by a user. The file is read in full before the ownership check, so any caller, authorized or not, can make the server load an arbitrarily large file at almost no cost to themselves.

```php
function printFile($username, $filename) {
    // read file into string: the whole file is loaded before any authorization check
    $file = file_get_contents($filename);
    if ($file && isOwnerOf($username, $filename)) {
        echo $file;
        return true;
    } else {
        echo 'You are not authorized to view this file';
    }
    return false;
}
```

Bad · PHP
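The fix for this ordering problem, as an added example in Python rather than the page's PHP, with an explicit measure of how much work an unauthorized request can force. It goes one step beyond the page's case by also applying a size cap before reading, since an authorized user can be an amplifier too. `FILES`, `OWNERS`, `MAX_BYTES` and the user names are constructed stand-ins for the filesystem and user database; `is_owner_of` plays the role of the page's `isOwnerOf`.

```python
"""Added example (not the page's PHP code): the print-file routine in its original
ordering and a corrected one, with bytes read standing in for the work done on
behalf of a caller who may not be authorized. FILES and OWNERS are constructed
in-memory stand-ins for the filesystem and for isOwnerOf()."""

MAX_BYTES = 64 * 1024   # per-request cap on what may be read, even when authorized

# Constructed data: a tiny file and a 10 MiB file owned by another user.
FILES = {
    "notes.txt": b"hello\n",
    "dump.bin": b"\x00" * (10 * 1024 * 1024),
}
OWNERS = {"notes.txt": "alice", "dump.bin": "bob"}


def is_owner_of(username, filename):
    return OWNERS.get(filename) == username


def file_size(filename):
    """stat()-like: its cost does not depend on the file's size."""
    return len(FILES[filename])


def read_file(filename):
    """file_get_contents()-like: loads the whole file; cost grows with its size.
    Returns (content, bytes read)."""
    data = FILES[filename]
    return data, len(data)


def print_file_bad(username, filename):
    """The page's ordering: load first, authorize second.
    Returns (content or None, bytes read on the caller's behalf)."""
    data, work = read_file(filename)
    if data and is_owner_of(username, filename):
        return data, work
    return None, work          # the unauthorized caller still forced a full read


def print_file_good(username, filename):
    """Authorize, then check size, then read. Unauthorized and oversized requests
    cost two dictionary lookups and read nothing."""
    if not is_owner_of(username, filename):
        return None, 0
    if file_size(filename) > MAX_BYTES:
        return None, 0
    return read_file(filename)


if __name__ == "__main__":
    for fn in (print_file_bad, print_file_good):
        _, work = fn("mallory", "dump.bin")
        print("%s: unauthorized request for dump.bin cost %d bytes read" % (fn.__name__, work))
```

The measure to watch is the second tuple element for a caller who is not the owner: in the original ordering it equals the file size, so the attacker's cost is one request and the server's is the whole file; in the corrected ordering it is zero regardless of the file.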
| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2023-2992 | Lenovo ThinkSystem security vulnerability — System Management Module (SMM) | 7.5 | High | 2023-06-26 |
| CVE-2021-38447 | OCI OpenDDS Secure Amplification — OpenDDS | 8.6 | High | 2022-05-05 |
| CVE-2019-11479 | Linux kernel resource management error vulnerability — Linux kernel | 7.5 | - | 2019-06-18 |

Vulnerabilities classified as CWE-405 (Asymmetric Resource Consumption (Amplification)) represent 33 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.