by BradSwain
484 days ago
This is a good point, but recursion and iteration have very different security implications in practice. Iterative functions are much harder to exploit. It doesn't take many stack frames to overflow the stack. Java only handles ~10k frames by default. Most applications will have no problem with 10k loop iterations, and it might take millions to cause a notable slowdown. It is usually trivial to craft an input causing ~10k recursive calls, but an input causing millions of iterations is likely much harder. One example from the whitepaper that crashed a real application is a string repeated 20k times taking up ~200KB. To get to one million iterations the request would be ~20MB. The failure modes also differ significantly. Recursion crashes the application with a stack overflow. Iteration just ties up a thread. Web frameworks often auto-kill busy threads after a timeout anyway. You could argue that catching StackOverflow exceptions is a built-in defense as well, but that only works for languages that support catching such exceptions. Even among those languages, there are many DoS CVEs for crashes caused by stack overflows.