CWE-405: Asymmetric Resource Consumption (Amplification)
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Extended Description
This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Common Consequences
Scope: Availability
Technical Impact: DoS: Amplification; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
Note: Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
Potential Mitigations
Phase: Architecture and Design
Description: An application must make resources available to a client commensurate with the client's access level.
Phase: Architecture and Design
Description: An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Phase: System Configuration
Description: Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
Effectiveness: High
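The two Architecture and Design mitigations above (resources commensurate with access level; allocated resources tracked and metered) can be combined into a single admission check that runs before any expensive work begins. The following is an added illustration, not code from the CWE entry or from any project it cites: a cost meter that charges each request an estimated number of "work units" against a per-window budget tied to the caller's access tier, and that separately refuses any single request whose estimated response/request byte ratio exceeds the tier's allowed amplification. The tier names, budgets, ratios, window length and the injectable clock are all constructed assumptions for this example.

```python
import time
from dataclasses import dataclass

# Constructed access tiers (assumptions for this example): a per-window budget
# in abstract "work units" and the largest response/request byte ratio a single
# request may cause. Lower tiers get less, so a caller's influence on server
# resources stays proportional to the authorization it has proven.
TIERS = {
    "anonymous": {"budget": 100, "max_amplification": 4.0},
    "user": {"budget": 1_000, "max_amplification": 32.0},
    "admin": {"budget": 10_000, "max_amplification": 1_000.0},
}
WINDOW_SECONDS = 60.0  # fixed accounting window (assumption)


@dataclass
class ClientAccount:
    """Work units already charged to one client inside the current window."""
    tier: str
    used: int = 0
    window_start: float = 0.0


class CostMeter:
    """Charge each request for the work it will force the server to do, before
    doing it, and refuse requests whose cost or amplification exceeds what the
    caller's access level permits."""

    def __init__(self, now=time.monotonic):
        self._now = now          # injectable clock so the meter is testable
        self._clients = {}       # client_id -> ClientAccount

    def _account(self, client_id, tier):
        """Fetch the client's account, rolling the window over when expired.
        A tier change (e.g. anonymous -> user after login) starts a fresh account."""
        now = self._now()
        acct = self._clients.get(client_id)
        if acct is None or acct.tier != tier:
            acct = ClientAccount(tier=tier, window_start=now)
            self._clients[client_id] = acct
        elif now - acct.window_start >= WINDOW_SECONDS:
            acct.used = 0
            acct.window_start = now
        return acct

    def authorize(self, client_id, tier, request_bytes,
                  estimated_cost_units, estimated_response_bytes):
        """Return (allowed, reason). The cost estimate must come from the
        server's own view of the request (records asked for, bytes to decode),
        never from a client-supplied hint."""
        if tier not in TIERS:
            raise ValueError(f"unknown access tier: {tier!r}")
        limits = TIERS[tier]
        acct = self._account(client_id, tier)

        # 1. Amplification check: bytes the server would emit per byte received.
        #    This catches the asymmetric case even when the budget is not yet spent.
        amplification = estimated_response_bytes / max(request_bytes, 1)
        if amplification > limits["max_amplification"]:
            return False, "amplification"

        # 2. Budget check: charge pessimistically *before* the work happens, so
        #    a burst of concurrent requests cannot all slip under the limit.
        if acct.used + estimated_cost_units > limits["budget"]:
            return False, "budget"
        acct.used += estimated_cost_units
        return True, "ok"

    def remaining(self, client_id, tier):
        """Work units the client may still consume in the current window."""
        acct = self._account(client_id, tier)
        return TIERS[tier]["budget"] - acct.used


if __name__ == "__main__":
    meter = CostMeter()
    # A modest anonymous request is fine; a tiny request that would trigger a
    # large response is refused on amplification alone.
    print(meter.authorize("anon-1", "anonymous", 100, 10, 300))
    print(meter.authorize("anon-1", "anonymous", 10, 1, 1000))
    print("remaining:", meter.remaining("anon-1", "anonymous"))
```

The meter deliberately refuses before doing work and charges on the estimate rather than the measured cost: metering after the fact still lets an attacker extract the amplified work once per request, which is exactly the asymmetry this weakness describes. Denials with reason `amplification` are also worth logging on their own, since a client repeatedly hitting that limit is a useful detection signal even while it stays within budget.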
Observed Examples
Reference: CVE-1999-0513
Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
Reference: CVE-2003-1564
Parsing library allows XML bomb.
Reference: CVE-2004-2458
Tool creates directories before authenticating user.
Reference: CVE-2020-10735
Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases.
Reference: CVE-2020-5243
Server allows ReDoS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
Reference: CVE-2013-5211
Composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
Reference: CVE-2002-20001
Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
Reference: CVE-2022-40735
The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
| Operation | - |
Applicable Platforms
Languages
Operating Systems
Technologies
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Fit |
|---|---|---|---|
| PLOVER | - | Asymmetric resource consumption (amplification) | - |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE More Specific |
| WASC | 41 | XML Attribute Blowup | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | TPS00-J | Use thread pools to enable graceful degradation of service during traffic bursts | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | FIO04-J | Release resources when they are no longer needed | - |