CWE-406 Class Incomplete

Insufficient Control of Network Message Volume (Network Amplification)

This vulnerability occurs when a system fails to properly limit the amount of network traffic it can generate in response to a request, allowing an attacker to abuse it to send a disproportionately…

Definition

What is CWE-406?

This vulnerability occurs when a system fails to properly limit the amount of network traffic it can generate in response to a request, allowing an attacker to abuse it to send a disproportionately large volume of data.
Without clear limits on how much traffic a single user or request can trigger, a system cannot tell the difference between normal operations and an attack designed to amplify traffic. Attackers exploit this by sending small, seemingly innocent requests that force the system to generate massive, overwhelming responses. This turns the vulnerable application into an unwitting participant in a denial-of-service attack against other targets. To prevent this, systems need a defined resource policy that tracks and caps outgoing transmissions based on client identity, privilege, or request type. Implementing such controls—like rate limiting, traffic quotas, or monitoring for abnormal response sizes—ensures that no single entity can commandeer your network resources to launch an amplified attack.
Real-world impact

Real-world CVEs caused by CWE-406

  • CVE-1999-0513

    Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.

  • CVE-1999-1379

    DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.

  • CVE-2000-0041

    Large datagrams are sent in response to malformed datagrams.

  • CVE-1999-1066

    Game server sends a large amount.

  • CVE-2013-5211

    composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Python

This code listens on a port for DNS requests and sends the result to the requesting address.

Vulnerable Python 
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.bind( (UDP_IP,UDP_PORT) )
  while true:
  		data = sock.recvfrom(1024)
  		if not data:
  			break
  		(requestIP, nameToResolve) = parseUDPpacket(data)
  		record = resolveName(nameToResolve)
  		sendResponse(requestIP,record)
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-406

  • Architecture and Design An application must make network resources available to a client commensurate with the client's access level.
  • Policy Define a clear policy for network resource allocation and consumption.
  • Implementation An application must, at all times, keep track of network resources and meter their usage appropriately.
Detection signals

How to detect CWE-406

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-406 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-406?

This vulnerability occurs when a system fails to properly limit the amount of network traffic it can generate in response to a request, allowing an attacker to abuse it to send a disproportionately large volume of data.

How serious is CWE-406?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-406?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-406?

An application must make network resources available to a client commensurate with the client's access level. Define a clear policy for network resource allocation and consumption.

How does Plexicus detect and fix CWE-406?

Plexicus's SAST engine matches the data-flow signature for CWE-406 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-406?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/406.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-406

CWE-405 Parent

Asymmetric Resource Consumption (Amplification)

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory,…

CWE-1050 Sibling

Excessive Platform Resource Consumption within a Loop

This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database…

CWE-1072 Sibling

Data Resource Access without Use of Connection Pooling

This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool.…

CWE-1073 Sibling

Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses

This weakness occurs when a client-side function or method makes an excessive number of individual data requests through a non-SQL data…

CWE-1084 Sibling

Invokable Control Element with Excessive File or Data Access Operations

This weakness occurs when a single function or method performs an excessive number of file or database operations, such as repeated reads,…

CWE-1089 Sibling

Large Data Table with Excessive Number of Indices

This weakness occurs when an application uses a database table with a very large number of rows and creates too many indexes on it,…

CWE-1094 Sibling

Excessive Index Range Scan for a Data Resource

This weakness occurs when a database query performs an index range scan that can access an unnecessarily large number of rows from a…

CWE-1176 Sibling

Inefficient CPU Computation

This weakness occurs when software uses inefficient algorithms or suboptimal CPU operations, performing unnecessary or overly complex…

CWE-407 Sibling

Inefficient Algorithmic Complexity

This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.