An attacker can send a limited number of messages that obtain a resource on the system. The commands are typically valid, but each uses up a resource, resulting in a single Client obtaining all resources and blocking valid Clients from accessing the Server. For example, on a Server in which only 10 Sessions are available, a malicious person using a legitimate Client might obtain all 10 Sessions. Or a malicious Client might try to open 10 secure channels without actually completing the process.
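The following added example (not part of the original text or of any OPC UA stack) models a Server with 10 slots and shows how a per-client quota and a timeout on uncompleted handshakes keep one Client from blocking the others. The names `SessionTable`, `max_per_client` and `handshake_timeout`, and identifying a Client by a string, are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Slot:
    client: str              # assumed client identity, e.g. a certificate thumbprint
    opened_at: float         # time the slot was allocated (seconds)
    activated: bool = False  # True once the handshake has been completed

class SessionTable:
    """Hypothetical admission control for a fixed pool of session/channel slots."""
    def __init__(self, max_total=10, max_per_client=2, handshake_timeout=5.0):
        self.max_total = max_total
        self.max_per_client = max_per_client
        self.handshake_timeout = handshake_timeout
        self.slots = {}
        self._next_id = 0

    def _reap(self, now):
        # Reclaim slots that were opened but never completed within the timeout.
        stale = [sid for sid, s in self.slots.items()
                 if not s.activated and now - s.opened_at > self.handshake_timeout]
        for sid in stale:
            del self.slots[sid]

    def open(self, client, now):
        self._reap(now)
        held = sum(1 for s in self.slots.values() if s.client == client)
        if held >= self.max_per_client or len(self.slots) >= self.max_total:
            return None  # refused: client over quota or pool exhausted
        self._next_id += 1
        self.slots[self._next_id] = Slot(client, now)
        return self._next_id

    def activate(self, sid):
        if sid not in self.slots:
            return False
        self.slots[sid].activated = True
        return True

def scenario(max_per_client):
    """Constructed run: client-A requests 10 slots and never completes any of them."""
    table = SessionTable(max_total=10, max_per_client=max_per_client)
    granted = sum(table.open("client-A", now=0.0) is not None for _ in range(10))
    b_early = table.open("client-B", now=1.0)   # while client-A still holds its slots
    if b_early is not None:
        table.activate(b_early)
    b_late = table.open("client-B", now=10.0)   # after the handshake timeout has passed
    return granted, b_early is not None, b_late is not None

if __name__ == "__main__":
    print("no per-client quota:", scenario(10))
    print("quota of 2 per client:", scenario(2))
```

With no quota, client-B is refused until the timeout reclaims client-A's uncompleted slots; with a quota of 2, client-B is served immediately.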

Resource exhaustion attacks do not occur in the same manner for PubSub communications, since no session or resources are allocated. For PubSub communication, the Publisher is not susceptible. In broker-less PubSub communication, the Subscriber can, with the use of filters, bypass any resource exhaustion issues. In the broker case, both the Publisher and Subscriber must connect to the broker. Although the Publisher and Subscriber are not directly susceptible (as in the broker-less case), the broker is susceptible. The details of broker communication are not part of OPC UA but are defined by the broker protocol.