TID-405: Network Stack Resource Exhaustion
Threat Description
Remote connections and communications can consume various device resources (e.g., network stack buffers, packet processing, socket connections) that, if exhausted, could lead to the device entering an unresponsive state. A threat actor may attempt to intentionally cause this by sending either repetitive or specially crafted messages to a device to consume resources and cause the device to become unresponsive. The unresponsive state will typically continue for at least the duration of the attack. In some cases it may persist until the device is reset or rebooted, which may require physical operator presence.
Threat Maturity and Evidence
Observed Adversary Technique
ATT&CK Technique: Service Stop (T0881)
Procedure Example: Industroyer2 (S1072)
“Killing the ‘PService_PDD.exe’ service causes the interruption of any existing communication with target IEC-104 servers, which usually supports at most one active connection at a time. Having interrupted existing connections, Industroyer2 is free to connect to the targets.” This action will prevent other devices from connecting to the IEC-104 servers for as long as the Industroyer2 connection is active.
Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability
“Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash.”
CWE
CWE-400: Uncontrolled Resource Consumption
“The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.”
CWE-410: Insufficient Resource Pool
“The product’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.”
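The connection-pool exhaustion that CWE-400 and CWE-410 describe can be bounded in a device's connection table with a per-peer cap and idle-slot reclamation. The sketch below is an added example, not part of the original entry; the slot count, limits and all function names are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed limits for illustration; real values depend on the device. */
#define MAX_SLOTS     4   /* total connection slots in the stack */
#define MAX_PER_PEER  2   /* slots one remote address may hold */
#define IDLE_LIMIT_S  30  /* seconds of silence before a slot is reclaimed */

struct slot { uint32_t peer; uint32_t last_seen; int used; };
static struct slot table[MAX_SLOTS];

/* Clear the table (device start-up or test set-up). */
void conn_reset(void) { memset(table, 0, sizeof table); }

/* Free every slot whose peer has been silent longer than IDLE_LIMIT_S. */
static void reap_idle(uint32_t now) {
    for (int i = 0; i < MAX_SLOTS; i++)
        if (table[i].used && now - table[i].last_seen > IDLE_LIMIT_S)
            table[i].used = 0;
}

/* Admit a connection from `peer` at time `now` (seconds).
 * Returns the slot index, or -1 when the pool is full or the
 * peer already holds MAX_PER_PEER slots. */
int conn_admit(uint32_t peer, uint32_t now) {
    int free_idx = -1, held = 0;
    reap_idle(now);
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!table[i].used) {
            if (free_idx < 0) free_idx = i;
        } else if (table[i].peer == peer) {
            held++;
        }
    }
    if (free_idx < 0 || held >= MAX_PER_PEER)
        return -1;
    table[free_idx] = (struct slot){ peer, now, 1 };
    return free_idx;
}

/* Record traffic on a slot so that reap_idle() keeps it. */
void conn_touch(int idx, uint32_t now) {
    if (idx >= 0 && idx < MAX_SLOTS && table[idx].used)
        table[idx].last_seen = now;
}
```

Neither limit helps when a peer keeps its connection active, which is the single-connection IEC-104 case quoted above; they bound only idle slots and hoarding from one source address.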