RepetitionCurse: Measuring and Understanding Router Imbalance in Mixture-of-Experts LLMs under DoS Stress
Ruixuan Huang, Qingyue Wang, Hantao Huang, Yudong Gao, Dong Chen, Shuai Wang, Wei Wang
TL;DR
This work reveals a fundamental routing imbalance vulnerability in Mixture-of-Experts LLMs employing expert parallelism, where adversarial, repetitive prompts can force tokens to the same top-$k$ experts, creating bottlenecks and causing substantial latency increases (up to $3.063\times$ on Mixtral-8x7B). It introduces RepetitionCurse, a black-box attack that requires no gradient access or search, and evaluates it across 14 MoE models with a formal framework that includes a theoretical bottleneck bound $TMI$ and a coverage metric. The empirical findings show significant latency amplification at higher EP, side-channel signals enabling deployment-property inference, and a broad vulnerability surface across commonly used MoE configurations. The paper also proposes defense mechanisms—perplexity-based anomaly detection and vulnerability-aware load balancing—and discusses the practical implications for deploying sparse MoE models in production in a way that preserves SLA-bound latency and protects privacy. Overall, RepetitionCurse highlights an urgent need for inference-aware routing balance strategies as MoE models scale in industry deployments.
Abstract
Mixture-of-Experts architectures have become the standard for scaling large language models due to their superior parameter efficiency. To accommodate the growing number of experts in practice, modern inference systems commonly adopt expert parallelism to distribute experts across devices. However, the absence of explicit load balancing constraints during inference allows adversarial inputs to trigger severe routing concentration. We demonstrate that out-of-distribution prompts can manipulate the routing strategy such that all tokens are consistently routed to the same set of top-$k$ experts, which creates computational bottlenecks on certain devices while forcing others to idle. This converts an efficiency mechanism into a denial-of-service attack vector, leading to violations of service-level agreements for time to first token. We propose RepetitionCurse, a low-cost black-box strategy to exploit this vulnerability. By identifying a universal flaw in MoE router behavior, RepetitionCurse constructs adversarial prompts using simple repetitive token patterns in a model-agnostic manner. On widely deployed MoE models like Mixtral-8x7B, our method increases end-to-end inference latency by 3.063x, degrading service availability significantly.
