The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
Frequently the consequence is a "flood" of connection or sessions.
Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
Consider implementing a velocity check mechanism which would detect abusive behavior.
Consider load balancing as an option to handle heavy loads.
Make sure that resource handles are properly closed when no longer needed.
Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).
Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.