Mitigation-page

MID-080: Network Request Processing Limits

Mitigation Tier: Foundational

Description

A device can be susceptible to denial-of-service when its ability to process network messages and requests is overwhelmed by a threat actor, causing device resources (e.g., processing, memory, bandwidth, ports, etc.) to be exhausted and leading it to become unresponsive. The effect is magnified when asymmetries exist allowing small messages, which are inexpensive for an attacker to generate, lead to expensive response processing on the device.

Technical mechanisms to implement this mitigation can include timeout functions that will return/cancel request processing after a set amount of time after the request is made, limiting the overall bandwidth that a device will process, constraining the number of active connections a device will support, instituting request queue management and prioritization, or separating request handler code paths so that resource limits can be imposed on them. These mechanisms can work together to ensure that the network protocol handlers and services remain responsive, and that no one handler, or source of traffic, can monopolize all system processing resources.

If protocol designs allow for it, expensive operations should not be performed as a result of unauthenticated or pre-authentication messages (MID-034 - Authenticate Network Traffic), constraining threat actors’ access to easily access the most exhaustible resources.

Note: Device creators should take care to ensure that the processing limits do not become the target of denial-of-service attacks themselves. For example, if a device only allows one connection at a time, threat actors may try to occupy that connection, preventing legitimate users from communicating.

Limitation: Device-level mitigations cannot cope with flooding attacks that simply overwhelm the bandwidth capacity of the device’s network link. In this case, upstream network devices must impose appropriate rate limits.

IEC 62443 4-2 Mappings

  • CR 7.1 – Denial of service protection

  • CR 7.2 – Resource management

References

[1] Cloudflare. “What is Rate limiting? | Rate limiting and bots.” cloudflare.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.cloudflare.com/learning/bots/what-is-rate-limiting/

[2] MITRE. “Limit Access to Resource Over Network.” mitre.org. Accessed: Aug. 28, 2024. [Online.] Available: https://attack.mitre.org/mitigations/M1035/