Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-406 (对网络消息容量的控制不充分(网络放大攻击)) — Vulnerability Class 11

11 vulnerabilities classified as CWE-406 (对网络消息容量的控制不充分(网络放大攻击)). AI Chinese analysis included.

CWE-406 represents a critical architectural weakness where software fails to adequately monitor or restrict the volume of network traffic it transmits. This flaw typically enables attackers to exploit the system as an amplifier in distributed denial-of-service (DDoS) campaigns. By sending small, legitimate-looking requests, adversaries trick the vulnerable application into generating disproportionately large responses to third-party targets, thereby exhausting network bandwidth and resources. Developers mitigate this risk by implementing strict rate-limiting policies and asymmetric resource controls that distinguish between normal user activity and potential amplification attacks. Enforcing quotas on outbound traffic per user or session ensures that no single actor can trigger excessive data transmission. Additionally, integrating robust monitoring systems allows for real-time detection of anomalous traffic patterns, enabling immediate throttling or blocking before the infrastructure suffers significant degradation or outage.

MITRE CWE Description
The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor. In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended to serve as an amplifying attack on target systems. Systems can often be configured to restrict the amount of traffic sent out on behalf of a client, based on the client's origin or access level. This is usually defined in a resource allocation policy. In the absence of a mechanism to keep track of transmissions, the system or application can be easily abused to transmit asymmetrically greater traffic than the request or client should be permitted to.
Common Consequences (1)
AvailabilityDoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
System resources can be quickly consumed leading to poor application performance or system crash. This may affect network performance and could be used to attack other systems and applications relying on network performance.
Mitigations (3)
Architecture and DesignAn application must make network resources available to a client commensurate with the client's access level.
PolicyDefine a clear policy for network resource allocation and consumption.
ImplementationAn application must, at all times, keep track of network resources and meter their usage appropriately.
Examples (1)
This code listens on a port for DNS requests and sends the result to the requesting address.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind( (UDP_IP,UDP_PORT) ) while true: data = sock.recvfrom(1024) if not data: break (requestIP, nameToResolve) = parseUDPpacket(data) record = resolveName(nameToResolve) sendResponse(requestIP,record)
Bad · Python
CVE IDTitleCVSSSeverityPublished
CVE-2025-58066 DoS Vulnerability in ntpd-rs — ntpd-rs 5.3 Medium2025-08-29
CVE-2024-25015 IBM MQ denial of service — MQ 7.5 High2024-05-01
CVE-2014-125036 drybjed ansible-ntp main.yml amplification — ansible-ntp 2.6 Low2023-01-02
CVE-2022-0028 PAN-OS: Reflected Amplification Denial-of-Service (DoS) Vulnerability in URL Filtering — Cloud NGFW 8.6 High2022-08-10
CVE-2021-4234 OpenVPN 安全漏洞 — OpenVPN Access Server 7.5 -2022-07-06
CVE-2021-38429 OCI OpenDDS Secure Network Amplification — OpenDDS 6.6 Medium2022-05-05
CVE-2021-38425 eProsima Fast DDS Network Amplification — Fast DDS 7.5 High2022-05-05
CVE-2021-43547 TwinOaks Computing CoreDX DDS Secure Network Amplification — CoreDX DDS 7.5 High2022-05-05
CVE-2021-38487 Potential Network Amplification and Information Exposure in RTI Connext Professional and Connext Micro — Connext Professional 8.2 High2022-05-05
CVE-2019-14850 Libguestfs Nbdkit 安全漏洞 — nbdkit 7.5 -2021-03-18
CVE-2020-10772 Unbound 资源管理错误漏洞 — unbound 7.5 -2020-11-27

Vulnerabilities classified as CWE-406 (对网络消息容量的控制不充分(网络放大攻击)) represent 11 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.