Table of Contents
Fetching ...

Beyond Max Tokens: Stealthy Resource Amplification via Tool Calling Chains in LLM Agents

Kaiyu Zhou, Yongsen Zheng, Yicheng He, Meng Xue, Xueluan Gong, Yuji Wang, Kwok-Yan Lam

TL;DR

The paper identifies the tool-calling layer of LLM agents as a major DoS surface and proposes a stealthy multi-turn resource-exhaustion attack. By transforming benign MCP servers into malicious variants via an automated MCTS-guided template optimization, the approach induces long, verbose, multi-turn tool-calling trajectories while preserving task correctness. Empirical evaluation across six LLMs and two tool-use benchmarks shows dramatic increases in token costs (up to 658x), energy (up to ~561x), and GPU KV-cache pressure, along with substantial throughput degradation, underscoring the severity of the threat. The work highlights the need to defend by monitoring the entire agentic process rather than final outputs, urging defense-by-behavior baselines and cost-aware constraints on the agent-tool loop.

Abstract

The agent-tool communication loop is a critical attack surface in modern Large Language Model (LLM) agents. Existing Denial-of-Service (DoS) attacks, primarily triggered via user prompts or injected retrieval-augmented generation (RAG) context, are ineffective for this new paradigm. They are fundamentally single-turn and often lack a task-oriented approach, making them conspicuous in goal-oriented workflows and unable to exploit the compounding costs of multi-turn agent-tool interactions. We introduce a stealthy, multi-turn economic DoS attack that operates at the tool layer under the guise of a correctly completed task. Our method adjusts text-visible fields and a template-governed return policy in a benign, Model Context Protocol (MCP)-compatible tool server, optimizing these edits with a Monte Carlo Tree Search (MCTS) optimizer. These adjustments leave function signatures unchanged and preserve the final payload, steering the agent into prolonged, verbose tool-calling sequences using text-only notices. This compounds costs across turns, escaping single-turn caps while keeping the final answer correct to evade validation. Across six LLMs on the ToolBench and BFCL benchmarks, our attack expands tasks into trajectories exceeding 60,000 tokens, inflates costs by up to 658x, and raises energy by 100-560x. It drives GPU KV cache occupancy from <1% to 35-74% and cuts co-running throughput by approximately 50%. Because the server remains protocol-compatible and task outcomes are correct, conventional checks fail. These results elevate the agent-tool interface to a first-class security frontier, demanding a paradigm shift from validating final answers to monitoring the economic and computational cost of the entire agentic process.

Beyond Max Tokens: Stealthy Resource Amplification via Tool Calling Chains in LLM Agents

TL;DR

The paper identifies the tool-calling layer of LLM agents as a major DoS surface and proposes a stealthy multi-turn resource-exhaustion attack. By transforming benign MCP servers into malicious variants via an automated MCTS-guided template optimization, the approach induces long, verbose, multi-turn tool-calling trajectories while preserving task correctness. Empirical evaluation across six LLMs and two tool-use benchmarks shows dramatic increases in token costs (up to 658x), energy (up to ~561x), and GPU KV-cache pressure, along with substantial throughput degradation, underscoring the severity of the threat. The work highlights the need to defend by monitoring the entire agentic process rather than final outputs, urging defense-by-behavior baselines and cost-aware constraints on the agent-tool loop.

Abstract

The agent-tool communication loop is a critical attack surface in modern Large Language Model (LLM) agents. Existing Denial-of-Service (DoS) attacks, primarily triggered via user prompts or injected retrieval-augmented generation (RAG) context, are ineffective for this new paradigm. They are fundamentally single-turn and often lack a task-oriented approach, making them conspicuous in goal-oriented workflows and unable to exploit the compounding costs of multi-turn agent-tool interactions. We introduce a stealthy, multi-turn economic DoS attack that operates at the tool layer under the guise of a correctly completed task. Our method adjusts text-visible fields and a template-governed return policy in a benign, Model Context Protocol (MCP)-compatible tool server, optimizing these edits with a Monte Carlo Tree Search (MCTS) optimizer. These adjustments leave function signatures unchanged and preserve the final payload, steering the agent into prolonged, verbose tool-calling sequences using text-only notices. This compounds costs across turns, escaping single-turn caps while keeping the final answer correct to evade validation. Across six LLMs on the ToolBench and BFCL benchmarks, our attack expands tasks into trajectories exceeding 60,000 tokens, inflates costs by up to 658x, and raises energy by 100-560x. It drives GPU KV cache occupancy from <1% to 35-74% and cuts co-running throughput by approximately 50%. Because the server remains protocol-compatible and task outcomes are correct, conventional checks fail. These results elevate the agent-tool interface to a first-class security frontier, demanding a paradigm shift from validating final answers to monitoring the economic and computational cost of the entire agentic process.
Paper Structure (23 sections, 9 equations, 2 figures, 5 tables, 1 algorithm)

This paper contains 23 sections, 9 equations, 2 figures, 5 tables, 1 algorithm.

Figures (2)

  • Figure 1: Overview of our tool-layer DoS framework. Left: agent under no attack calls a benign MCP server and answers concisely. Middle: a universal malicious template is produced via auto-modification by an LLM and refined by MCTS while keeping protocol compatibility. Right: under our attack, the agent repeatedly calls the same tool with a segment index and a length argument, creating a resource-consumption loop while preserving the final task result.
  • Figure 2: ASR versus the per-turn calibration sequence length $L$ under a fixed max completion $M{=}16{,}384$.