DoS (Denial of Service)
A denial-of-service vulnerability lets an attacker make a service unavailable to legitimate users — by consuming CPU, memory, bandwidth, or state.
Definition
Denial of Service (DoS) is the umbrella class for vulnerabilities whose impact is loss of availability rather than confidentiality or integrity. The attacker exhausts a resource the service needs — CPU, memory, file descriptors, network bandwidth, connection state, database connections, log volume — until legitimate requests no longer succeed.
CVE assignment for DoS is contentious. Network-level flooding is rarely tracked as a CVE (it is treated as a deployment / DDoS-defence problem). Application-level resource exhaustion that lets a single attacker pin a service with bounded effort, however, is a CVE-track issue: algorithmic-complexity attacks (ReDoS, hash collision), zip bombs, billion-laughs, decompression bombs, slowloris.
How it works
Attack-specific. ReDoS triggers worst-case regex backtracking. Zip bombs unpack to gigabytes. Slowloris keeps thousands of HTTP connections open with one byte per minute. SYN floods exhaust the kernel's connection-state table. Hash-collision attacks degrade `O(1)` lookups to `O(n)` by feeding inputs that collide on the hash table's chosen hash.
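The hash-collision case is the easiest to make measurable. The following is an added example, not code from the page or any project: a toy separate-chaining table that counts key comparisons per lookup, fed with constructed keys that all collide under a weak, unkeyed hash (sum of the key's bytes, so every anagram of one string hashes alike), and then the same keys against the same table using a secret-keyed hash. The `KeyedHash` class uses BLAKE2b's keyed mode as a stand-in for SipHash; the key set, bucket count and `n` are assumptions chosen for the demonstration.

```python
"""Added example (not from the page or any project): measuring how a
hash-collision attack degrades a hash table, and why a keyed hash prevents it.

A toy separate-chaining table counts key comparisons per lookup.  With a weak,
unkeyed hash (sum of the key's bytes) every anagram of one string lands in the
same bucket, so lookups walk the whole chain and O(1) becomes O(n).  The same
table with a secret-keyed hash spreads the same keys evenly.  All keys and
sizes below are constructed for the demonstration.
"""
import hashlib
import secrets
from itertools import permutations
from typing import Callable, List, Optional


def weak_hash(key: bytes) -> int:
    """Unkeyed and permutation-invariant: any anagram of `key` collides."""
    return sum(key)


class KeyedHash:
    """Hash keyed with a per-process secret.  Without the key an attacker
    cannot precompute colliding inputs.  BLAKE2b's keyed mode stands in here
    for SipHash, which is what CPython uses for str/bytes hashing."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(16)

    def __call__(self, key: bytes) -> int:
        digest = hashlib.blake2b(key, key=self.key, digest_size=8).digest()
        return int.from_bytes(digest, "big")


class ChainedTable:
    """Separate-chaining hash table that counts probes so degradation is measurable."""

    def __init__(self, hash_fn: Callable[[bytes], int], buckets: int = 1024) -> None:
        self.hash_fn = hash_fn
        self.buckets: List[list] = [[] for _ in range(buckets)]
        self.probes = 0  # key comparisons performed by lookup()

    def _chain(self, key: bytes) -> list:
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def insert(self, key: bytes, value) -> None:
        chain = self._chain(key)
        for entry in chain:
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def lookup(self, key: bytes):
        for entry in self._chain(key):
            self.probes += 1
            if entry[0] == key:
                return entry[1]
        return None

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def colliding_keys(n: int) -> List[bytes]:
    """Constructed adversarial input: n distinct anagrams of one 8-byte string.
    Equal byte sums mean equal weak_hash values."""
    keys: List[bytes] = []
    for perm in permutations(b"abcdefgh"):
        keys.append(bytes(perm))
        if len(keys) == n:
            break
    return keys


def measure(table: ChainedTable, keys: List[bytes]) -> dict:
    """Insert all keys, look each up once, report mean probes and longest chain."""
    for k in keys:
        table.insert(k, True)
    table.probes = 0
    for k in keys:
        table.lookup(k)
    return {"avg_probes": table.probes / len(keys),
            "longest_chain": table.longest_chain()}


def compare(n: int = 2000) -> dict:
    """Same adversarial keys against the weak-hash and the keyed-hash table."""
    keys = colliding_keys(n)
    return {"weak": measure(ChainedTable(weak_hash), keys),
            "keyed": measure(ChainedTable(KeyedHash()), keys)}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:5s} avg probes per lookup = {stats['avg_probes']:.1f}, "
              f"longest chain = {stats['longest_chain']}")
```

With 2000 colliding keys the weak table's single chain is 2000 long and a lookup averages about a thousand comparisons, while the keyed table stays near two; the per-request cost, not the number of requests, is what the attacker controls, which is why this class is tracked as a CVE-level issue rather than a flooding problem.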
Impact
Service unavailability. Combined with insufficiently bounded autoscaling, sometimes also a financial impact via runaway cloud bills.
Mitigation
Set explicit resource limits on every parser: input size caps, recursion depth caps, decompression-ratio caps. Use linear-time algorithms in code paths reachable from untrusted input. Rate-limit per IP and per principal. Deploy upstream protection (a CDN with DDoS mitigation) for network-level attacks.
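The decompression-ratio cap is worth seeing in code, because the point is to reject the input before it has been expanded. The following is an added example, not code from the page or any project: a zlib stream is inflated in fixed-size chunks and rejected as soon as either an absolute output cap or a ratio cap is exceeded. The "bomb" and the legitimate payload are constructed inline, and the cap values (1 MiB, 100:1) are illustrative assumptions rather than recommendations for any particular service.

```python
"""Added example (not from the page or any project): bounded decompression.

A zlib stream is expanded in fixed-size chunks and rejected as soon as either
the absolute output cap or the compression-ratio cap is exceeded, so a
decompression bomb costs at most `max_output` bytes of memory rather than
whatever the stream would expand to.  The bomb and the payload below are
constructed inline for the demo; the caps are illustrative values.
"""
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a cap is hit; the caller should reject the request."""


def bounded_decompress(data: bytes, max_output: int, max_ratio: float,
                       chunk: int = 64 * 1024) -> bytes:
    """Decompress `data`, raising before either cap is exceeded.

    max_output: hard cap on total decompressed bytes.
    max_ratio:  cap on decompressed / compressed bytes, checked after every
                chunk against the input consumed so far, so a bomb is caught
                on its first chunk without being fully expanded.
    """
    d = zlib.decompressobj()
    out = bytearray()
    consumed = 0
    buf = data
    while buf:
        piece = d.decompress(buf, chunk)          # at most `chunk` bytes of output
        consumed += len(buf) - len(d.unconsumed_tail)
        buf = d.unconsumed_tail                   # input not yet processed
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"output would exceed {max_output} bytes")
        if consumed and len(out) / consumed > max_ratio:
            raise DecompressionLimitExceeded(
                f"ratio {len(out) / consumed:.0f}:1 exceeds {max_ratio:.0f}:1")
        if d.eof:
            break
    if not d.eof:
        raise zlib.error("truncated stream")
    return bytes(out)


def inspect_payload(data: bytes, max_output: int = 1 << 20,
                    max_ratio: float = 100.0) -> dict:
    """Wrap the guard in a decision a request handler can act on."""
    try:
        body = bounded_decompress(data, max_output, max_ratio)
    except DecompressionLimitExceeded as exc:
        return {"accepted": False, "reason": str(exc)}
    except zlib.error as exc:
        return {"accepted": False, "reason": f"corrupt: {exc}"}
    return {"accepted": True, "size": len(body)}


# Constructed inputs: a plausible 4 KiB payload and an 8 MiB-of-zeros bomb
# that compresses to a few KiB.
LEGIT_RAW = bytes(range(256)) * 16
LEGIT_COMPRESSED = zlib.compress(LEGIT_RAW)
BOMB = zlib.compress(b"\x00" * (8 << 20), 9)

if __name__ == "__main__":
    print("legit:", inspect_payload(LEGIT_COMPRESSED))
    print("bomb :", inspect_payload(BOMB), f"(compressed size {len(BOMB)} bytes)")
```

The same shape applies to any parser fed untrusted input: the limit is enforced incrementally inside the loop that does the work, not by checking the size of the result after the fact, which would mean the resource had already been spent. The ratio check is computed against bytes consumed so far, so a legitimate payload with a highly compressible prefix needs a cap generous enough to pass its first chunk; the absolute output cap is the backstop if the ratio cap is set loosely.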
Examples
- CVE-2023-44487 — HTTP/2 Rapid Reset DoS across the web ecosystem.