LLM04: Model Denial of Service

LLM-Specific DoS Vectors

Traditional DoS floods a server with requests. LLM DoS is different — a single carefully crafted request can consume minutes of GPU time and megabytes of memory. Attack vectors include: (1) Maximum-length prompts with complex reasoning tasks. (2) Recursive tool-calling loops in agent frameworks. (3) Fan-out attacks where one request triggers dozens of LLM sub-calls. (4) Context window stuffing with repetitive content that's expensive to process.

Agent Loop Exhaustion

Autonomous agents (LangChain, AutoGPT, Cursor Agent Mode) execute multi-step workflows where each step involves an LLM call. An attacker can craft a task that creates an infinite loop — the agent calls a tool, processes the result, decides it needs more information, calls another tool, and so on. Without a maximum iteration limit, a single malicious request can consume unlimited compute.

Cost Amplification

With pay-per-token LLM APIs, DoS attacks directly translate to financial damage. An attacker who discovers an unprotected endpoint can generate thousands of dollars in API costs in minutes. This is especially dangerous for applications using GPT-4 or Claude at $15-60 per million tokens.

⚔️ Attack Examples & Code Patterns

# ❌ VULNERABLE — no iteration limit on agent loop
from langchain.agents import AgentExecutor

agent = AgentExecutor(agent=llm_agent, tools=tools)
# This task causes the agent to endlessly search and re-search
result = agent.run("Find the current stock price of every 
  company in the S&P 500 and verify each one is correct")
# Agent loops: search → verify → "not sure" → search again → ...

# ✅ SAFE — iteration limit + timeout
agent = AgentExecutor(
    agent=llm_agent,
    tools=tools,
    max_iterations=10,        # Hard cap on loops
    max_execution_time=30,    # 30-second timeout
    early_stopping_method="generate"
)

# ❌ VULNERABLE — no output token limit
response = openai.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": 
        "Write a detailed 50,000-word analysis of..."}],
    # No max_tokens set — model generates until context limit
)
# Cost: ~$3-5 per request at GPT-4 pricing

# ✅ SAFE — enforce output limits
response = openai.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": user_input}],
    max_tokens=1000,   # Hard limit on output
    timeout=15         # 15-second timeout
)

🔍 Detection Checklist

🛡️ Mitigation Strategy

Implement strict token limits for input and output. Apply rate limiting per user/API key. Set timeouts on LLM calls and agent execution loops. Monitor GPU/CPU usage and set cost alerts. Use request queuing with priority-based processing.