Table of Contents
Fetching ...

ReasoningBomb: A Stealthy Denial-of-Service Attack by Inducing Pathologically Long Reasoning in Large Reasoning Models

Xiaogeng Liu, Xinyan Wang, Yechao Zhang, Sanjay Kariyappa, Chong Xiang, Muhao Chen, G. Edward Suh, Chaowei Xiao

TL;DR

This work formalizes Prompt-Induced Inference-Time Denial-of-Service (PI-DoS) attacks on Large Reasoning Models (LRMs) and introduces ReasoningBomb, a reinforcement-learning framework that uses a constant-time surrogate reward to optimize short, semantically coherent prompts that drive LRMs into pathologically long reasoning. The authors prove three core properties—amplification, stealthiness, and optimizability—that any practical PI-DoS attack must satisfy and show that existing methods fail to satisfy all three simultaneously. ReasoningBomb employs a two-stage training pipeline (supervised fine-tuning plus GRPO RL), a length predictor to provide constant-time feedback, and a diversity term to maintain prompt variety, achieving strong attack effectiveness (e.g., average amplification up to 286.69× at 128-token budgets) while remaining hard to detect. Through extensive experiments on ten victim models and real-world server simulations, the paper demonstrates substantial potential for real-world impact, including significant throughput degradation with modest malicious traffic, and offers defense strategies such as KV-cache reuse and defensive red-teaming. The findings highlight critical security considerations for LRMs and guide future defenses against worst-case inference-cost exploitation.

Abstract

Large reasoning models (LRMs) extend large language models with explicit multi-step reasoning traces, but this capability introduces a new class of prompt-induced inference-time denial-of-service (PI-DoS) attacks that exploit the high computational cost of reasoning. We first formalize inference cost for LRMs and define PI-DoS, then prove that any practical PI-DoS attack should satisfy three properties: (1) a high amplification ratio, where each query induces a disproportionately long reasoning trace relative to its own length; (ii) stealthiness, in which prompts and responses remain on the natural language manifold and evade distribution shift detectors; and (iii) optimizability, in which the attack supports efficient optimization without being slowed by its own success. Under this framework, we present ReasoningBomb, a reinforcement-learning-based PI-DoS framework that is guided by a constant-time surrogate reward and trains a large reasoning-model attacker to generate short natural prompts that drive victim LRMs into pathologically long and often effectively non-terminating reasoning. Across seven open-source models (including LLMs and LRMs) and three commercial LRMs, ReasoningBomb induces 18,759 completion tokens on average and 19,263 reasoning tokens on average across reasoning models. It outperforms the the runner-up baseline by 35% in completion tokens and 38% in reasoning tokens, while inducing 6-7x more tokens than benign queries and achieving 286.7x input-to-output amplification ratio averaged across all samples. Additionally, our method achieves 99.8% bypass rate on input-based detection, 98.7% on output-based detection, and 98.4% against strict dual-stage joint detection.

ReasoningBomb: A Stealthy Denial-of-Service Attack by Inducing Pathologically Long Reasoning in Large Reasoning Models

TL;DR

This work formalizes Prompt-Induced Inference-Time Denial-of-Service (PI-DoS) attacks on Large Reasoning Models (LRMs) and introduces ReasoningBomb, a reinforcement-learning framework that uses a constant-time surrogate reward to optimize short, semantically coherent prompts that drive LRMs into pathologically long reasoning. The authors prove three core properties—amplification, stealthiness, and optimizability—that any practical PI-DoS attack must satisfy and show that existing methods fail to satisfy all three simultaneously. ReasoningBomb employs a two-stage training pipeline (supervised fine-tuning plus GRPO RL), a length predictor to provide constant-time feedback, and a diversity term to maintain prompt variety, achieving strong attack effectiveness (e.g., average amplification up to 286.69× at 128-token budgets) while remaining hard to detect. Through extensive experiments on ten victim models and real-world server simulations, the paper demonstrates substantial potential for real-world impact, including significant throughput degradation with modest malicious traffic, and offers defense strategies such as KV-cache reuse and defensive red-teaming. The findings highlight critical security considerations for LRMs and guide future defenses against worst-case inference-cost exploitation.

Abstract

Large reasoning models (LRMs) extend large language models with explicit multi-step reasoning traces, but this capability introduces a new class of prompt-induced inference-time denial-of-service (PI-DoS) attacks that exploit the high computational cost of reasoning. We first formalize inference cost for LRMs and define PI-DoS, then prove that any practical PI-DoS attack should satisfy three properties: (1) a high amplification ratio, where each query induces a disproportionately long reasoning trace relative to its own length; (ii) stealthiness, in which prompts and responses remain on the natural language manifold and evade distribution shift detectors; and (iii) optimizability, in which the attack supports efficient optimization without being slowed by its own success. Under this framework, we present ReasoningBomb, a reinforcement-learning-based PI-DoS framework that is guided by a constant-time surrogate reward and trains a large reasoning-model attacker to generate short natural prompts that drive victim LRMs into pathologically long and often effectively non-terminating reasoning. Across seven open-source models (including LLMs and LRMs) and three commercial LRMs, ReasoningBomb induces 18,759 completion tokens on average and 19,263 reasoning tokens on average across reasoning models. It outperforms the the runner-up baseline by 35% in completion tokens and 38% in reasoning tokens, while inducing 6-7x more tokens than benign queries and achieving 286.7x input-to-output amplification ratio averaged across all samples. Additionally, our method achieves 99.8% bypass rate on input-based detection, 98.7% on output-based detection, and 98.4% against strict dual-stage joint detection.
Paper Structure (34 sections, 11 theorems, 30 equations, 9 figures, 12 tables)

This paper contains 34 sections, 11 theorems, 30 equations, 9 figures, 12 tables.

Key Result

Lemma 3

For fixed input length $L_{\text{in}}$, the provider cost increases monotonically with the amplification ratio $\mathcal{A}$. Specifically, under the simplified cost model, the provider cost satisfies: where $\frac{\partial C}{\partial \mathcal{A}} = b L_{\text{in}}^2 (1 + 2\mathcal{A}) > 0$. Thus, higher amplification ratios directly translate to higher provider costs.

Figures (9)

  • Figure 1: Illustration of Prompt-Induced Inference-Time Denial-of-Service (PI-DoS) threat model. Adversaries craft malicious prompts that induce pathologically long reasoning traces compared to benign users who receive normal responses. PI-DoS exploits subscription-based models (e.g., ChatGPT Plus, SuperGrok) where users pay fixed fees while providers bear variable costs scaling with the model's reasoning length. By launching attacks from multiple accounts, adversaries inflict disproportionate financial harm, exhaust computational resources, and degrade service quality of the model providers.
  • Figure 2: Reasoning token statistics across all models and datasets.
  • Figure 3: Amplification analysis (averaged across victim models). Our method (green stars; 128/256/512 budgets) consistently occupies the upper-right region, achieving long completion/reasoning with short prompts compared to baselines.
  • Figure 4: Correlation between our surrogate length predictor and actual victim generation length.
  • Figure 5: Response time comparison between our constant-time surrogate reward and direct target model feedback. The cumulative time cost of model-feedback-driven optimization grows approximately as an $O(n^2)$ function of the attack queries, which is the fatal shortcoming existing PI-DoS attacks have (summarized in Tab. \ref{['tab:existing-works-analysis-short']}).
  • ...and 4 more figures

Theorems & Definitions (11)

  • Lemma 3: Amplification implies cost
  • Proposition 5: Short prompts yield high amplification: Fixed budget
  • Proposition 6: Short prompts yield high amplification: Window filling
  • Corollary 2: Short prompts maximize provider cost under window filling
  • Theorem 5: Optimality of short prompts for PI-DoS
  • Proposition 7: Detectability via distributional shift
  • Lemma 4: Decomposition into prompt and response shifts
  • Theorem 6: Necessity of stealthiness for effective PI-DoS
  • Theorem 7: Superiority of optimization-based attacks
  • Proposition 8: Self-defeating feedback in PI-DoS optimization
  • ...and 1 more