HoT-TAI-0004: Denial of Service (DoS)
Summary:
CWE-400 Uncontrolled Resource Consumption (Resource Exhaustion): The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
Resource exhaustion problems have at least two common causes: 1) error conditions and other exceptional circumstances; 2) confusion over which part of the program is responsible for releasing the resource.1
See also:
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-772 Missing Release of Resource after Effective Lifetime
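The two causes named in the summary, shown as an added example (not part of the original entry or of the CWE text): a request handler that leaks a file descriptor on its error path, next to a version that bounds the request size up front and releases the resource at a single exit point. The names `handle_leaky`, `handle_fixed`, `MAX_REQ_LEN`, the `'G'` request check and the use of `/dev/null` as a stand-in resource are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>

#define MAX_REQ_LEN 256   /* assumed cap on the attacker-influenced size */

/* Stand-in for a per-request resource (socket, log file, DB handle). */
static int acquire(void) { return open("/dev/null", O_RDONLY); }

/* Leaky: the error return skips close(), so every malformed request
 * permanently consumes one descriptor (CWE-772). */
int handle_leaky(const char *req, size_t len)
{
    int fd = acquire();
    if (fd < 0) return -1;
    if (len == 0 || req[0] != 'G')
        return -1;                 /* fd is never released */
    close(fd);
    return 0;
}

/* Fixed: the size is checked before anything is allocated (CWE-770),
 * and every path after acquire() leaves through one release point. */
int handle_fixed(const char *req, size_t len)
{
    int rc = -1;
    if (len == 0 || len > MAX_REQ_LEN) return -1;
    int fd = acquire();
    if (fd < 0) return -1;
    if (req[0] != 'G') goto out;   /* error path still reaches close() */
    rc = 0;
out:
    close(fd);
    return rc;
}

/* Lowest free descriptor number; it rises as descriptors leak. */
int lowest_free_fd(void)
{
    int fd = acquire();
    if (fd >= 0) close(fd);
    return fd;
}

/* How far the lowest free descriptor moved after n malformed requests. */
int leaked_after(int (*h)(const char *, size_t), int n)
{
    int before = lowest_free_fd();
    for (int i = 0; i < n; i++) h("X", 1);   /* constructed bad input */
    return lowest_free_fd() - before;
}
```

On a device with a low per-process descriptor limit, the leaky handler stops accepting valid requests once that limit is reached; tracking a counter like `leaked_after` in a soak test is one way to catch the regression before release.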
Estimated Overall Risk Assessment: HIGH
Technical Impacts:
HIGH
- The most common result of resource exhaustion is denial of service. The software may slow down, crash due to unhandled errors, or lock out legitimate users.
Business Impacts:
HIGH
- Availability of the device and/or data could be completely denied. The specific business impacts are wide ranging, but could result in loss of life or severe financial loss in some critical systems.
Detectability:
EASY
Prevalence:
COMMON
Exploitability:
EASY
Attack Surfaces Grouped By Layer of Cyberspace
- Physical Network Layer
- Device Firmware
- Device Memory
- Local Data Storage
- Sensors
- Device Network Services
- Administrative Interface
- Device Web Interface
- Ecosystem Communications
- Mobile Application
- Logical Network Layer
- Vendor Backend APIs
- 3rd Party Backend APIs
- Cloud Web Interface
Known Intrusion / Exploit / Attack Cases and Threats
- Brickerbot
- Description: Dictionary / brute-force password attacks against services/interfaces such as Telnet. Access is followed by a DoS of the local device. Target: IoT devices running the BusyBox toolkit.2
- Linux.Darlloz
- Description: A worm that exploits a php-cgi vulnerability (CVE-2012-1823; input validation/injection). It subsequently conducts a DoS on the local device by deleting files and dropping packets destined to certain ports (e.g. Telnet); a backdoor is then created which waits for commands. Target: Routers, IP cameras, DVR/set-top boxes and other vulnerable IoT devices.3
Identify, Detect, Protect, Respond, and Recover (NIST FICIC)
TBD
Analysis Tools and Training
TBD
Associated CVEs / Manufacturers / Devices
Use this link to identify the latest resource management error vulnerabilities. This search query is not specific to the IoT.
Use this link to identify the latest file descriptor exhaustion vulnerabilities. This search query is not specific to the IoT.
Use this link to identify the latest resource exhaustion vulnerabilities. This search query is not specific to the IoT.