Asymmetric resource consumption (amplification)

Description
Asymmetric resource consumption consists of an attacker forcing a web application to consume excessive resources when the application fails to release, or incorrectly releases, a system resource.

Risk Factors
TBD

Example 1
The following method never closes the file handle it opens. The Finalize method for StreamReader eventually calls Close, but there is no guarantee how long it is going to take before the Finalize method is invoked. In fact, there is no guarantee that Finalize will ever be invoked. In a busy environment, this can result in using up all available file handles.

    using System.IO;

    // Deliberately flawed: the StreamReader is never closed or disposed.
    private void processFile(string fName)
    {
        StreamReader sr = new StreamReader(fName);
        string line;
        while ((line = sr.ReadLine()) != null)
            processLine(line);
    }

After using up all handles (file descriptors) the application may become very unstable, slow, or may stop working, significantly impacting the application's usability.

Example 2
Under normal conditions, the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. If an exception occurs while executing the SQL, or processing the results, the code does not close the SqlConnection object. If this happens enough times, the database runs out of available cursors and is not able to execute any more queries.

C# Example:

    using System.Data.SqlClient;

    ...
    // Deliberately flawed: if ExecuteReader or HarvestResults throws,
    // Close() is never reached and the connection leaks.
    SqlConnection conn = new SqlConnection(connString);
    SqlCommand cmd = new SqlCommand(queryString);
    cmd.Connection = conn;
    conn.Open();
    SqlDataReader rdr = cmd.ExecuteReader();
    HarvestResults(rdr);
    conn.Close();
    ...

The number of concurrent connections to the database is often lower than the maximum number of handles available to the system. This allows application bottlenecks to negatively impact or stop the application.
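The corrected forms of Example 1 and Example 2, as an added example that is not part of the original page: each resource is wrapped in a `using` block (or, equivalently, try/finally) so that Dispose runs on every exit path, including the exception path that Example 2 describes. The helper methods processLine and HarvestResults are assumed application logic and are stubbed here.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;

class ResourceSafe
{
    // Example 1, fixed: the StreamReader is disposed when the block exits,
    // whether the loop reaches end-of-file or processLine throws.
    private void processFile(string fName)
    {
        using (StreamReader sr = new StreamReader(fName))
        {
            string line;
            while ((line = sr.ReadLine()) != null)
                processLine(line);
        }
    }

    // Example 2, fixed: connection, command and reader are disposed in reverse
    // order of acquisition, even if ExecuteReader or HarvestResults throws,
    // so the database never accumulates orphaned connections or cursors.
    private void runQuery(string connString, string queryString)
    {
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = new SqlCommand(queryString, conn))
        {
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                HarvestResults(rdr);
            }
        }
    }

    // The same guarantee written out with try/finally: Close() runs whether
    // the body completes or throws. 'using' is shorthand for this pattern.
    private void runQueryTryFinally(string connString, string queryString)
    {
        SqlConnection conn = null;
        try
        {
            conn = new SqlConnection(connString);
            conn.Open();
            SqlCommand cmd = new SqlCommand(queryString, conn);
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                HarvestResults(rdr);
            }
        }
        finally
        {
            if (conn != null)
                conn.Close();   // returns the connection to the pool on every path
        }
    }

    // Assumed application logic, stubbed for this example.
    private void processLine(string line) { }
    private void HarvestResults(SqlDataReader rdr) { }
}
```

A code review or static-analysis rule that flags any IDisposable created outside a `using` block or try/finally catches both of the leaks shown in the examples before they reach a busy environment.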

Example 3
If an application can handle N concurrent connections and does not implement an appropriate mechanism to disconnect clients (e.g. timeouts), it becomes very easy to adversely affect the application by simply establishing close to N connections. Additionally, those multiple connections could be used to simulate interaction with the application until exhaustion of available resources.
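One way to implement the disconnect mechanism Example 3 calls for, as an added example that is not from the original page: a TCP accept loop that caps concurrent clients at N with a semaphore and drops any client that stays idle longer than a fixed timeout, so that held-open sockets are reclaimed instead of sitting in the connection budget. The port, N, the timeout and the echo handling are assumed values; the code needs C# 7.1 or later for the async Main.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;

class BoundedServer
{
    const int MaxConcurrent = 100;                                  // N, assumed
    static readonly TimeSpan IdleTimeout = TimeSpan.FromSeconds(30); // assumed
    static readonly SemaphoreSlim Slots = new SemaphoreSlim(MaxConcurrent, MaxConcurrent);

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 8080);   // assumed port
        listener.Start();
        while (true)
        {
            TcpClient client = await listener.AcceptTcpClientAsync();
            // Refuse immediately when all N slots are taken. Queueing the
            // connection instead would still hold a socket and kernel buffers.
            if (!Slots.Wait(0))
            {
                client.Close();
                continue;
            }
            _ = HandleAsync(client);   // HandleAsync is responsible for releasing the slot
        }
    }

    static async Task HandleAsync(TcpClient client)
    {
        try
        {
            using (client)
            using (NetworkStream stream = client.GetStream())
            {
                byte[] buf = new byte[4096];
                while (true)
                {
                    // Race the read against a timer: a client that sends nothing
                    // for IdleTimeout is closed and its slot returned to the pool.
                    Task<int> read = stream.ReadAsync(buf, 0, buf.Length);
                    Task first = await Task.WhenAny(read, Task.Delay(IdleTimeout));
                    if (first != read)
                        return;                 // idle: 'using (client)' closes the socket
                    int n = await read;
                    if (n == 0)
                        return;                 // peer closed the connection
                    await stream.WriteAsync(buf, 0, n);   // echo; stands in for real handling
                }
            }
        }
        catch (Exception)
        {
            // Socket errors from a dropped or misbehaving peer are expected here;
            // the finally block still releases the slot.
        }
        finally
        {
            Slots.Release();
        }
    }
}
```

The two controls work together: the semaphore makes N an explicit, enforced limit rather than an accident of operating-system handle counts, and the idle timeout guarantees that every slot is returned within a bounded time, so slow or silent clients cannot hold the application at capacity.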

Related Threat Agents

 * TBD

Related Attacks

 * Denial of Service
 * Account lockout attack

Related Vulnerabilities

 * Resource Exhaustion

Related Controls

 * Memory Management
 * Resource Locking