Model Denial of Service
Model Denial of Service 是什么?
Model Denial of ServiceOWASP LLM04 — driving an LLM application into runaway resource consumption (long contexts, infinite loops, expensive tool fan-out) so it slows, becomes unavailable, or generates a ruinous cloud bill.
Model Denial of Service (LLM04 in the OWASP Top 10 for LLM Applications) covers attacks that exhaust the resources behind an LLM-powered system rather than knock down a network. Specific patterns include flooding the model with maximum-context inputs to drive up token cost; crafting recursive or self-referential prompts that trigger long generations; abusing tool-calling agents to cascade dozens of expensive sub-calls; submitting inputs that defeat caching; and exploiting retrieval pipelines to pull massive documents into every request. The blast radius is operational (the chatbot becomes unusable) and financial (a single attacker can burn five- or six-figure inference bills in hours). Mitigations include strict per-user input/output token caps, max-step limits on agent loops, semantic and exact-match caching, rate-limit on tool fan-out, async queueing with budget guards, and observability dashboards keyed to spend per tenant.
● 示例
- 01
An attacker scripts thousands of requests with maximum-allowed context windows, generating six-figure cloud bills before quotas trip.
- 02
An agent prompt-injection convinces the model to enter a tool-use loop that calls the expensive document-summarization API hundreds of times per session.
● 常见问题
Model Denial of Service 是什么?
OWASP LLM04 — driving an LLM application into runaway resource consumption (long contexts, infinite loops, expensive tool fan-out) so it slows, becomes unavailable, or generates a ruinous cloud bill. 它属于网络安全的 AI 与机器学习安全 分类。
Model Denial of Service 是什么意思?
OWASP LLM04 — driving an LLM application into runaway resource consumption (long contexts, infinite loops, expensive tool fan-out) so it slows, becomes unavailable, or generates a ruinous cloud bill.
Model Denial of Service 是如何工作的?
Model Denial of Service (LLM04 in the OWASP Top 10 for LLM Applications) covers attacks that exhaust the resources behind an LLM-powered system rather than knock down a network. Specific patterns include flooding the model with maximum-context inputs to drive up token cost; crafting recursive or self-referential prompts that trigger long generations; abusing tool-calling agents to cascade dozens of expensive sub-calls; submitting inputs that defeat caching; and exploiting retrieval pipelines to pull massive documents into every request. The blast radius is operational (the chatbot becomes unusable) and financial (a single attacker can burn five- or six-figure inference bills in hours). Mitigations include strict per-user input/output token caps, max-step limits on agent loops, semantic and exact-match caching, rate-limit on tool fan-out, async queueing with budget guards, and observability dashboards keyed to spend per tenant.
如何防御 Model Denial of Service?
针对 Model Denial of Service 的防御通常结合技术控制与运营实践,详见上方完整定义。
Model Denial of Service 还有哪些其他名称?
常见的别称包括: LLM04, LLM DoS, Token-burn attack。
● 相关术语
- ai-security№ 870
OWASP LLM Top 10
由 OWASP 维护的清单,列出对基于大型语言模型构建的应用最关键的十大安全风险。
- attacks№ 333
拒绝服务攻击 (DoS)
通过耗尽系统的带宽、算力、内存或应用层资源,使合法用户无法访问服务的攻击。
- network-security№ 1008
限速
限速对某个标识(IP、用户、API key 或令牌)在一段时间内的请求数量加以约束,用以保护 API 和应用免受滥用、爬取和暴力破解。
- ai-security№ 027
智能体 AI 安全
面向可自主规划、调用工具并在真实系统中执行操作的 LLM 智能体的安全实践;在此场景下,提示注入可转化为远程代码执行,过度授权则带来真实的破坏面。
- ai-security№ 969
提示词注入
通过向提示中夹带对抗性文本来覆盖 LLM 原有指令的攻击,使模型忽略安全限制或执行攻击者指定的操作。
- ai-security№ 689
LLM 守护栏
约束基于 LLM 的应用能接收或输出哪些内容的机制,围绕底层模型落实 Safety、安全与业务规则。