Corgea LogoCorgea Security Hub

CWE-770: Allocation of Resources Without Limits or Throttling

Learn about CWE-770 (Allocation of Resources Without Limits or Throttling), its security impact, exploitation methods, and prevention guidelines.

What is Allocation of Resources Without Limits or Throttling?

• Overview: Allocation of Resources Without Limits or Throttling is a vulnerability where a system allocates resources without setting limits, allowing excessive consumption that can violate security policies and lead to performance issues.

• Exploitation Methods:

  • Attackers can exploit this by making numerous requests or requesting large resources to exhaust system resources.
  • Common attack patterns include Denial of Service (DoS) attacks where attackers overwhelm the system to degrade or halt its services.

• Security Impact:

  • Direct consequences include resource exhaustion, leading to system slowdowns or crashes.
  • Potential cascading effects include denial of service to legitimate users and potential system instability.
  • Business impact can involve loss of revenue, decreased customer trust, and potential regulatory penalties.

• Prevention Guidelines:

  • Implement resource quotas and limits to control the amount of resources allocated.
  • Employ rate limiting and request throttling to manage incoming requests.
  • Use recommended tools and frameworks that provide built-in resource management features.

Corgea can automatically detect and fix Allocation of Resources Without Limits or Throttling in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import socket
import threading

def handle_client(client_socket):
    while True:
        request = client_socket.recv(1024)
        if not request:
            break
        client_socket.send(b"ACK")  # Echo back the received data

def start_server():
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(('0.0.0.0', 9999))
    server.listen(5)
    print("Server listening on port 9999")

    while True:
        client_socket, addr = server.accept()
        print(f"Accepted connection from {addr}")
        client_handler = threading.Thread(target=handle_client, args=(client_socket,))
        client_handler.start()  # No limit on the number of threads

start_server()

Explanation:

  • Unbounded Thread Creation: The server creates a new thread for each incoming connection without any limit, potentially leading to resource exhaustion if too many connections are established simultaneously.
  • CWE-770 Violation: This lack of throttling can result in denial of service, as the server may run out of resources (e.g., memory, CPU) due to excessive thread creation.

How to fix Allocation of Resources Without Limits or Throttling?

To fix this vulnerability:

  1. Implement Connection Throttling: Limit the number of concurrent threads to prevent resource exhaustion.
  2. Use Thread Pools: Instead of creating a new thread for each connection, use a thread pool to manage a finite number of worker threads.
  3. Monitor and Log Resource Usage: Keep track of the number of active connections and log when limits are approached or exceeded.

Fixed Code Example

import socket
from concurrent.futures import ThreadPoolExecutor

def handle_client(client_socket):
    try:
        while True:
            request = client_socket.recv(1024)
            if not request:
                break
            client_socket.send(b"ACK")
    finally:
        client_socket.close()  # Ensure the socket is closed when done

def start_server():
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(('0.0.0.0', 9999))
    server.listen(5)
    print("Server listening on port 9999")

    # Using a thread pool with a maximum of 10 concurrent threads
    with ThreadPoolExecutor(max_workers=10) as executor:
        while True:
            client_socket, addr = server.accept()
            print(f"Accepted connection from {addr}")
            executor.submit(handle_client, client_socket)  # Use thread pool

start_server()

Explanation:

  • ThreadPoolExecutor: This is used to manage a pool of threads, limiting the number of concurrent connections to 10, which helps prevent resource exhaustion.
  • Graceful Socket Closure: Ensures the socket is closed after handling each client, freeing up resources properly.
  • Resource Management: By limiting resources and using a managed pool, the server remains resilient against denial of service attacks due to resource exhaustion, adhering to best practices for resource management in concurrent server applications.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-770: Allocation of Resources Without Limits or Throttling and get remediation guidance

Start for free and no credit card needed.