Uncontrolled Resource Consumption

Description

Uncontrolled Resource Consumption occurs when a product does not properly control the allocation and maintenance of limited resources, allowing an attacker to influence the amount of resources consumed and potentially exhaust them. Limited resources include memory, CPU cycles, file descriptors, network connections, disk space, and database connections. When attackers can trigger unlimited resource allocation without proper controls, they can cause denial of service by exhausting available resources, preventing legitimate users from accessing the system.

Risk

Resource consumption attacks are among the most common denial of service vectors, and they are asymmetric: the attacker spends little to make the target spend a lot. "Slowloris" attacks hold web server connections open with deliberately slow requests until the connection pool is exhausted. Algorithmic complexity attacks feed crafted input to inefficient operations (such as backtracking regular expressions) to burn CPU. Memory exhaustion attacks make the target allocate memory faster than it is released. Recent vulnerabilities in industrial control systems (EFACEC), printing services (CUPS), and network equipment (Arista) show that this weakness reaches critical infrastructure. Resource exhaustion can also cascade, bringing down dependent services and entire systems.

Solution

Implement strict limits on resource allocation per user, session, and request. Use timeouts for all operations that consume resources. Implement rate limiting to prevent rapid resource allocation. Set connection limits, request size limits, and query complexity limits. Use resource pools with fixed maximum sizes. Monitor resource consumption and implement alerting. Apply input validation to prevent algorithmic complexity attacks. Configure systems to fail gracefully rather than crash when resources are exhausted.

Common Consequences

Impact            Scope              Details
Availability      Denial of Service  Resource exhaustion prevents legitimate users from accessing services, causing system unavailability.
System Stability  System Crash       Uncontrolled resource consumption can crash processes or entire systems.
Financial         Resource Costs     In cloud environments, resource exhaustion attacks can generate significant computing costs.

Example Code + Solution Code

Vulnerable Code

# Python (Flask) examples
from flask import Flask, request
import requests

app = Flask(__name__)

# VULNERABLE: No limit on file upload size
@app.route('/upload', methods=['POST'])
def upload():
    # Attacker can upload huge files, filling disk
    file = request.files['file']
    file.save(f'/uploads/{file.filename}')
    return 'OK'

# VULNERABLE: No timeout on external requests
def fetch_url(url):
    # Slow server can tie up connection indefinitely
    response = requests.get(url)  # No timeout!
    return response.text

# VULNERABLE: Unbounded list in memory
def process_items(item_ids):
    # Attacker sends millions of IDs (fetch_item is the application's own lookup)
    results = []
    for id in item_ids:  # No limit on item_ids length
        results.append(fetch_item(id))
    return results

// Java examples
import java.net.ServerSocket;
import java.net.Socket;

// VULNERABLE: Unbounded regex causing ReDoS
public boolean validateEmail(String email) {
    // Evil regex - the nested quantifier backtracks exponentially on non-matching input
    return email.matches("^([a-z]+)+@[a-z]+\\.[a-z]+$");
}

// VULNERABLE: No connection limit
ServerSocket server = new ServerSocket(8080);
while (true) {
    // Each connection uses a thread - can exhaust threads
    Socket client = server.accept();
    new Thread(() -> handleClient(client)).start();
}

Fixed Code

# Python (Flask) examples
from flask import Flask, request
from werkzeug.utils import secure_filename
import requests
from functools import wraps
import time

# SAFE: Limit upload size
app = Flask(__name__)
app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16 MB limit; Flask rejects larger bodies with 413

@app.route('/upload', methods=['POST'])
def upload_safe():
    file = request.files['file']

    # Additional validation. A multipart part's content_length is often 0
    # because browsers do not send it, so MAX_CONTENT_LENGTH above is the
    # guard that actually holds; this check only catches clients that send it.
    if file.content_length > app.config['MAX_CONTENT_LENGTH']:
        return 'File too large', 413

    file.save(f'/uploads/{secure_filename(file.filename)}')
    return 'OK'

# SAFE: Timeout on all external requests
def fetch_url_safe(url):
    try:
        response = requests.get(url, timeout=10)  # 10 second timeout (connect and read)
        return response.text
    except requests.Timeout:
        return None

# SAFE: Limit on batch processing
MAX_BATCH_SIZE = 100

def process_items_safe(item_ids):
    # Limit number of items processed (fetch_item is the application's own lookup)
    if len(item_ids) > MAX_BATCH_SIZE:
        raise ValueError(f"Batch size exceeds limit of {MAX_BATCH_SIZE}")

    results = []
    for id in item_ids:
        results.append(fetch_item(id))
    return results

class RateLimitExceeded(Exception):
    """Raised when the call rate exceeds the configured limit."""

# SAFE: Rate limiting decorator. The window is shared by all callers of the
# decorated function; key the call list by client identity for per-user limits.
def rate_limit(max_per_minute):
    def decorator(f):
        calls = []  # timestamps of calls in the last 60 seconds
        @wraps(f)
        def wrapper(*args, **kwargs):
            now = time.time()
            calls[:] = [c for c in calls if c > now - 60]  # drop expired timestamps
            if len(calls) >= max_per_minute:
                raise RateLimitExceeded()
            calls.append(now)
            return f(*args, **kwargs)
        return wrapper
    return decorator

@rate_limit(max_per_minute=60)
def api_endpoint():
    return process_request()

// Java examples
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// SAFE: Linear regex without backtracking
public boolean validateEmailSafe(String email) {
    // Simple regex without nested quantifiers, so no catastrophic backtracking
    return email.matches("^[a-z]+@[a-z]+\\.[a-z]+$");
}

// SAFE: Thread pool with fixed size
ExecutorService executor = Executors.newFixedThreadPool(100);  // Max 100 threads
// Note: newFixedThreadPool queues excess tasks without bound, so accepted sockets
// still accumulate; pair it with a bounded queue or an accept limit to cap open
// descriptors as well as threads.

ServerSocket server = new ServerSocket(8080);
while (true) {
    Socket client = server.accept();
    executor.submit(() -> {
        // try-with-resources closes the socket even if handleClient throws
        try (Socket c = client) {
            handleClient(c);
        } catch (IOException e) {
            // close() may throw; nothing more to do for this client
        }
    });
}
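The rate_limit decorator in the fixed code keeps one window for all callers, so one abusive client can exhaust the budget for everyone, and the Solution section asks for limits per user or session. The following is an added example, not code from the original page: a per-key token bucket (key by client IP or API key) whose own state is bounded, so that an attacker rotating through many identities cannot turn the limiter itself into a memory exhaustion target. FakeClock, the key values and the limits are constructed for the demonstration.

```python
import time
from collections import OrderedDict


class TokenBucketLimiter:
    """Per-client token bucket rate limiter.

    Each key holds at most `capacity` tokens, refilled at `refill_per_sec`.
    The limiter tracks at most `max_keys` buckets and evicts the least
    recently seen key when full, so its memory use is bounded regardless of
    how many distinct client identities show up.
    """

    def __init__(self, capacity, refill_per_sec, max_keys=10_000, clock=time.monotonic):
        if capacity <= 0 or refill_per_sec <= 0 or max_keys <= 0:
            raise ValueError("capacity, refill_per_sec and max_keys must be positive")
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.max_keys = max_keys
        self.clock = clock
        self._buckets = OrderedDict()  # key -> [tokens, last_refill]; insertion order = LRU order

    def allow(self, key, cost=1.0):
        """Return True and spend `cost` tokens if the key may proceed, else False."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            if len(self._buckets) >= self.max_keys:
                self._buckets.popitem(last=False)  # evict least recently used key
            bucket = [self.capacity, now]
            self._buckets[key] = bucket
        else:
            self._buckets.move_to_end(key)  # mark as most recently used
            elapsed = now - bucket[1]
            bucket[0] = min(self.capacity, bucket[0] + elapsed * self.refill_per_sec)
            bucket[1] = now
        if bucket[0] >= cost:
            bucket[0] -= cost
            return True
        return False

    def tracked_keys(self):
        return len(self._buckets)

    def is_tracked(self, key):
        return key in self._buckets


class FakeClock:
    """Constructed clock for a deterministic demo; use time.monotonic in production."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    # Constructed limits: bursts of 5, one token per second, only 3 keys tracked.
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0, max_keys=3, clock=clock)
    burst = [limiter.allow("10.0.0.1") for _ in range(7)]         # 5 allowed, then refused
    other = limiter.allow("10.0.0.2")                              # independent bucket
    clock.advance(2.0)                                             # 2 tokens refill for 10.0.0.1
    after_refill = [limiter.allow("10.0.0.1") for _ in range(3)]  # 2 allowed, then refused
    for key in ("10.0.0.3", "10.0.0.4"):                           # 4th key evicts the LRU one
        limiter.allow(key)
    evicted = not limiter.is_tracked("10.0.0.2")
    return burst, other, after_refill, limiter.tracked_keys(), evicted


if __name__ == "__main__":
    print(demo())
```

In a Flask view the key would typically be `request.remote_addr` or the authenticated API key, and a refused call returns HTTP 429 rather than raising. The eviction policy is the point worth noticing: without `max_keys`, a limiter keyed by attacker-controlled identity grows in step with the attack.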

Exploited in the Wild

EFACEC QC Industrial Systems (EFACEC, 2026)

CVE-2026-22542 affects EFACEC QC 60/90/120 industrial systems where establishing just two concurrent Telnet connections exhausts resources, causing denial of service with minimal effort.

OpenPrinting CUPS Slowloris (CUPS, 2025)

CVE-2025-58436 allows attackers to cause DoS against CUPS printing services by sending data one byte per second, blocking the cupsd daemon due to lack of timeout handling.

HTTP/2 Rapid Reset Attack (Multiple, 2023)

CVE-2023-44487 exploited HTTP/2's stream reset mechanism to generate massive numbers of requests, overwhelming servers. This affected nearly all HTTP/2 implementations globally.
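The CUPS case above and the Slowloris pattern share one root cause: a server that waits for a complete request with no bound on how long the wait may take. A per-read idle timeout does not fix it, because a client sending one byte per second resets the idle timer on every byte. The following is an added example, not code from CUPS or from the original page: a request-head reader that enforces a total deadline and a byte cap, exercised against a constructed client that trickles one byte per second. The limits, FakeClock and SlowClient are constructed for the demonstration; with a real socket, pass sock.recv after setting a per-read timeout as well.

```python
import time

MAX_HEAD_BYTES = 8 * 1024       # cap on buffered request-head bytes (constructed value)
HEAD_DEADLINE_SECONDS = 10.0    # total budget for the whole head, not per read


class HeadTimeout(Exception):
    """The request head did not complete within the total deadline."""


class HeadTooLarge(Exception):
    """The request head exceeded the byte cap before its terminating blank line."""


def read_request_head(recv, deadline_seconds=HEAD_DEADLINE_SECONDS,
                      max_bytes=MAX_HEAD_BYTES, clock=time.monotonic):
    """Read from recv(nbytes) until the blank line that ends an HTTP request head.

    recv is any callable returning bytes (b'' on EOF). Two limits apply: a
    deadline measured from the first read, which a one-byte-per-second client
    cannot reset, and a size cap so the buffer cannot grow without bound.
    """
    start = clock()
    buf = bytearray()
    while True:
        if clock() - start > deadline_seconds:
            raise HeadTimeout(f"request head not complete within {deadline_seconds}s")
        chunk = recv(1024)
        if not chunk:
            raise ConnectionError("client closed before completing the request head")
        buf += chunk
        if len(buf) > max_bytes:
            raise HeadTooLarge(f"request head exceeds {max_bytes} bytes")
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return bytes(buf[:end + 4])


class FakeClock:
    """Constructed clock for a deterministic demo; use time.monotonic in production."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlowClient:
    """Constructed stand-in for a socket delivering one byte every `interval` seconds."""

    def __init__(self, data, interval, clock):
        self.data, self.interval, self.clock, self.pos = data, interval, clock, 0

    def recv(self, nbytes):
        if self.pos >= len(self.data):
            return b""
        self.clock.advance(self.interval)  # time passes while waiting for the next byte
        byte = self.data[self.pos:self.pos + 1]
        self.pos += 1
        return byte


def demo():
    head = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed request head
    clock = FakeClock()

    # Well-behaved client: the whole head arrives in a single read.
    chunks = [head]
    fast = read_request_head(lambda n: chunks.pop(0) if chunks else b"", clock=clock)

    # Trickling client: one byte per second against a 10 second budget.
    slow = SlowClient(head, interval=1.0, clock=clock)
    try:
        read_request_head(slow.recv, deadline_seconds=10.0, clock=clock)
        slow_outcome = "accepted"
    except HeadTimeout:
        slow_outcome = "timeout"

    # Oversized head with no terminating blank line is refused by the byte cap.
    big = [b"X" * 5000, b"Y" * 5000]
    try:
        read_request_head(lambda n: big.pop(0) if big else b"", clock=clock)
        size_outcome = "accepted"
    except HeadTooLarge:
        size_outcome = "too_large"

    return fast == head, slow_outcome, slow.pos, size_outcome


if __name__ == "__main__":
    print(demo())
```

The slow client gets through 11 bytes before the deadline check fires, far short of the 38-byte head; each byte costs it a second while costing the server only one buffered byte and a bounded wait. The same two limits (total deadline, maximum size) apply to request bodies and to any other input read incrementally from the network.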


Tools to test/exploit

  • slowloris — slow HTTP DoS testing tool.

  • wrk — HTTP benchmarking for load testing.

  • ReDoS Checker — test regex for catastrophic backtracking.

