Weakness reference
CWE-405

Asymmetric Resource Consumption (Amplification)

This weakness occurs when a small, inexpensive action by an attacker triggers a much larger consumption of server resources, creating a denial-of-service…

01Summary

This weakness occurs when a small, inexpensive action by an attacker triggers a much larger consumption of server resources, creating a denial-of-service opportunity. The attacker expends minimal effort or bandwidth while the target system burns through CPU, memory, disk I/O, or network capacity. Unlike brute-force attacks that require sustained volume, amplification attacks achieve impact through disproportionate leverage.

02How It Happens

Amplification vulnerabilities arise when an application performs expensive operations in response to cheap user input without rate limiting, resource quotas, or validation. Common patterns include:

- Recursive or cascading operations:
A single request triggers multiple internal lookups, database queries, or file operations. - Unvalidated resource requests:
An attacker requests large data exports, file downloads, or report generation without authentication or size limits. - Algorithmic complexity:
Input designed to trigger worst-case performance in sorting, searching, or parsing routines (e.g., regex denial of service, hash collisions). - Third-party amplification:
The application forwards requests to external services without rate limiting, allowing an attacker to exhaust both the target and upstream resources. - Unbounded loops or recursion:
User-controlled parameters control iteration depth or data set size without validation.

The core issue is asymmetry: the attacker's cost is negligible, but the server's cost is high.

03Real-World Impact

Successful amplification attacks can render a service unavailable to legitimate users. A single attacker may consume enough resources to crash the application, exhaust database connections, fill disk space, or saturate network bandwidth. Unlike volumetric DDoS attacks that require botnets, amplification attacks can be launched from a single machine, making them attractive to attackers with limited infrastructure. Recovery often requires manual intervention, and the attack may go unnoticed until performance degrades significantly.

04Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import Flask, request
import sqlite3

app = Flask(__name__)

@app.route('/export')
def export_data():
    user_id = request.args.get('user_id')
    conn = sqlite3.connect('app.db')
    cursor = conn.cursor()
    
    # No limit on query size; attacker can request all records
    cursor.execute('SELECT * FROM logs WHERE user_id = ?', (user_id,))
    rows = cursor.fetchall()
    
    # Generate large report in memory
    report = '\n'.join([str(row) for row in rows])
    return report

Why it's vulnerable:
An attacker can request export of a user ID with millions of log entries, forcing the server to fetch, process, and return enormous amounts of data in a single request. No pagination, size limit, or rate limiting prevents repeated requests from exhausting memory and I/O.

Fixed pattern
from flask import Flask, request
import sqlite3

app = Flask(__name__)
MAX_ROWS = 1000
REQUESTS_PER_MINUTE = 10

@app.route('/export')
def export_data():
    user_id = request.args.get('user_id')
    page = int(request.args.get('page', 1))
    
    # Check rate limit (simplified; use a proper rate-limiting library)
    # ... rate limit check ...
    
    conn = sqlite3.connect('app.db')
    cursor = conn.cursor()
    
    # Paginate results
    offset = (page - 1) * MAX_ROWS
    cursor.execute(
        'SELECT * FROM logs WHERE user_id = ? LIMIT ? OFFSET ?',
        (user_id, MAX_ROWS, offset)
    )
    rows = cursor.fetchall()
    
    return {'data': rows, 'page': page}
Vulnerable pattern
<?php
$user_id = $_GET['user_id'];

// No limit on query or file size
$query = "SELECT * FROM logs WHERE user_id = '$user_id'";
$result = mysqli_query($conn, $query);

$csv = "id,timestamp,action\n";
while ($row = mysqli_fetch_assoc($result)) {
    $csv .= implode(',', $row) . "\n";
}

header('Content-Type: text/csv');
echo $csv;
?>

Why it's vulnerable:
An attacker can request export of a user with millions of log entries, forcing the server to build an enormous CSV in memory and transmit it. No pagination, size limits, or rate limiting prevents repeated requests from exhausting resources.

Fixed pattern
<?php
$user_id = $_GET['user_id'];
$page = isset($_GET['page']) ? (int)$_GET['page'] : 1;
$per_page = 500;

// Check rate limit (simplified; use a proper library)
if (!check_rate_limit($_SERVER['REMOTE_ADDR'], 5)) {
    http_response_code(429);
    die('Too many requests');
}

$offset = ($page - 1) * $per_page;
$query = "SELECT * FROM logs WHERE user_id = ? LIMIT ? OFFSET ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('sii', $user_id, $per_page, $offset);
$stmt->execute();
$result = $stmt->get_result();

header('Content-Type: application/json');
echo json_encode(['data' => $result->fetch_all(MYSQLI_ASSOC), 'page' => $page]);
?>

05Prevention Checklist

Implement pagination and result limits
for all data export, search, and reporting endpoints; enforce a maximum number of rows or bytes per request.
Add rate limiting
per IP address or authenticated user; reject requests that exceed a reasonable threshold (e.g., 5–10 per minute for expensive operations).
Validate input size and complexity
before processing; reject queries with excessive depth, recursion, or iteration counts.
Set timeouts
on long-running operations (database queries, file processing, external API calls); kill requests that exceed a threshold.
Monitor resource usage
(CPU, memory, disk I/O, database connections); alert on unusual spikes or sustained high consumption.
Use asynchronous processing
for expensive operations; queue large exports or reports and deliver results via email or download link rather than blocking the request.

06Signs You May Already Be Affected

Watch for sudden spikes in CPU or memory usage following specific user requests, unexplained database connection exhaustion, or disk space filling rapidly. Check application logs for repeated requests to export, search, or reporting endpoints from a single IP address or user account. Monitor error logs for timeout or out-of-memory exceptions that correlate with specific API calls.

07Related Recent Vulnerabilities