The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
An application must make resources available to a client commensurate with the client's access level.
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
CVE-1999-0513: Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
CVE-2003-1564: Parsing library allows XML bomb.
CVE-2004-2458: Tool creates directories before authenticating user.
CVE-2020-10735: Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases.
CVE-2020-5243: Server allows ReDoS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
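The metering that the mitigations above call for, shown as an added example (not part of CWE's own material) around the string-to-int conversion named in the Python entry: the cost of the operation is estimated from the input size and charged against a per-access-level quota before the work is performed. The quota values, client names and the `ResourceMeter` class are constructed for illustration; `sys.set_int_max_str_digits` is the real interpreter-level cap introduced in response to that issue.

```python
import sys

# Work units each access level may consume (constructed values, not from CWE).
QUOTA_BY_LEVEL = {"anonymous": 1_000, "user": 10_000, "admin": 100_000}


class ResourceMeter:
    """Tracks work units charged to each client and refuses work beyond the client's quota."""

    def __init__(self, level_of_client):
        self._level_of_client = level_of_client  # client id -> access level
        self._used = {}

    def quota(self, client):
        return QUOTA_BY_LEVEL[self._level_of_client[client]]

    def charge(self, client, units):
        """Reserve `units` for `client`; raise *before* the work is done if it would exceed quota."""
        used = self._used.get(client, 0)
        if used + units > self.quota(client):
            raise PermissionError(
                f"{client}: {used + units} units exceeds quota {self.quota(client)}")
        self._used[client] = used + units
        return self._used[client]


def parse_int_metered(meter, client, text):
    """Convert a decimal string to int, charging its quadratic cost to the client first."""
    digits = len(text.strip().lstrip("+-"))
    # CPython's str->int conversion in base 10 is O(n^2) in the digit count, so a small
    # input buys a disproportionately large amount of server work; estimate it as n*n.
    meter.charge(client, digits * digits)
    return int(text)


def cap_int_digits(limit):
    """Apply the interpreter-wide digit cap (3.11+ and security backports); False if absent.

    The cap must be 0 (disabled) or at least sys.int_info.str_digits_check_threshold.
    """
    if hasattr(sys, "set_int_max_str_digits"):
        sys.set_int_max_str_digits(limit)
        return True
    return False


if __name__ == "__main__":
    meter = ResourceMeter({"alice": "anonymous", "bob": "admin"})
    print(parse_int_metered(meter, "alice", "12345"))   # 25 units charged
    try:
        parse_int_metered(meter, "alice", "1" * 40)     # 1600 units: refused, never converted
    except PermissionError as exc:
        print("refused:", exc)
```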