327 – Set a rate limit

Summary

The server must have a rate limit to control interaction frequency.

Description

Several attacks depend on executing a huge amount of requests from a single host. For instance, it is possible to exhaust a server's connection pool with a single essential by using asynchronous requests, effectively causing a Denial of Service (DoS). These and other attacks, such as the ones depending on brute force, can be thwarted, or severely hindered, by limiting the number of requests that a single host can send to the server in a short period of time. Therefore, server settings should include a rate limit that considers a regular request flow between a host and the server.

Supported In

Essential: True

Advanced: True

References

• CAPEC-49. Password brute forcing
• CAPEC-125. Flooding
• CAPEC-130. Excessive allocation
• CWE-307. Improper restriction of excessive authentication attempts
• CWE-770. Allocation of resources without limits or throttling
• CWE-799. Improper control of interaction frequency
• OWASP10-A4. Insecure design
• AGILE-11. Best architectures, requirements, and designs
• IEC62443-RA-7_1. Denial of service protection
• WASSEC-6_2_1_1. Authentication - Brute force
• OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
• WASC-A_11. Brute force
• WASC-A_10. Denial of service
• WASC-A_34. Predictable resource location
• ISSAF-E_22. Network security - Switch security assessment (layer 2 port authentication)
• ISSAF-H_14_13. Network security - Intrusion detection (detection engine)
• ISSAF-P_4. Host security - Linux security (identify ports and services)
• ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)
• ISSAF-T_11_1. Web application assessment - Brute force attack
• ISSAF-T_16_2. Web application assessment - Input Validation (test buffer overflow)
• NIST800115-4_2. Network port and service identification
• ASVS-5_1_2. Input validation
• ASVS-11_1_2. Business logic security
• ASVS-11_1_3. Business logic security
• ASVS-11_1_4. Business logic security
• CASA-5_1_2. Input Validation
• CASA-11_1_4. Business Logic Security
• OWASPLLM-LLM10:2025. Unbounded Consumption

Weaknesses

• 108 – Improper control of interaction frequency
• 122 – Email flooding
• 211 – Asymmetric denial of service - ReDoS
• 231 – Message flooding
• 252 – Automatic information enumeration - Open ports
• 253 – Automatic information enumeration - AWS
• 254 – Automatic information enumeration - Credit Cards
• 330 – Lack of protection against brute force attacks - Credentials
• 356 – Symmetric denial of service - SMTP
• 357 – Symmetric denial of service - FTP
• 423 – Inappropriate coding practices - System exit
• 442 – SMTP header injection
• 002 – Asymmetric denial of service
• 003 – Symmetric denial of service
• 047 – Automatic information enumeration
• 053 – Lack of protection against brute force attacks
• 057 – Asymmetric denial of service - Content length

Last updated

2025/06/17