Files
ai-llm-red-team-handbook/docs/Chapter_21_Model_DoS_Resource_Exhaustion.md
T

29 KiB

Chapter 21: Model DoS and Resource Exhaustion

This chapter provides comprehensive coverage of Denial of Service (DoS) attacks on LLM systems, resource exhaustion techniques, economic attacks, detection methods, and defense strategies for protecting API availability and cost management.

Introduction

The Availability Threat:

Denial of Service (DoS) attacks against LLM systems represent a critical threat to AI service availability, reliability, and economic viability. Unlike traditional network DoS attacks that flood servers with packets, LLM DoS attacks exploit the unique characteristics of AI systems—expensive computation, token-based pricing, context windows, and stateful sessions—to exhaust resources with minimal attacker overhead.

Why Model DoS Matters:

  • Revenue Loss: Service downtime costs thousands per minute for commercial AI APIs
  • Reputation Damage: Outages erode user trust and competitive position
  • Economic Attack: Token-based pricing enables cost amplification attacks
  • Resource Scarcity: GPU/TPU resources are expensive and limited
  • Cascading Failures: DoS on one component can crash entire AI pipeline

Real-World Impact:

  1. ChatGPT Outages: Multiple service disruptions due to overwhelming demand and potential abuse
  2. API Cost Explosions: Companies receiving $10K+ bills from uncontrolled API usage
  3. Context Window Abuse: Attackers filling context with garbage to slow responses
  4. Rate Limit Bypass: Distributed attacks evading quota controls

Attack Economics:

Attacker Cost vs Defender Cost

Attacker: $0.01 for malicious prompt
↓
Triggers: 100,000 token response (max length)
↓
Defender Cost: $2.00 per request (200x amplification!)
↓
1000 requests = $2,000 damage for $10 investment

Chapter Scope:

This chapter covers token-based DoS attacks, computational resource exhaustion, rate limiting bypass techniques, API cost exploitation, memory attacks, caching vulnerabilities, detection methods, defense strategies, real-world case studies, and future trends in AI availability attacks.


21.1 Token-Based DoS Attacks

Understanding Token Economics:

LLMs process text in tokens (typically 3-4 characters). API pricing is usually per token, and models have maximum context windows (e.g., 8K, 32K, 128K tokens). Attackers exploit this by crafting inputs that maximize token consumption.

Why Token Attacks Work:

  • Asymmetric Cost: Small input triggers massive output
  • Predictable Pricing: Per-token billing enables cost calculation
  • Context Limits: Filling context window degrades performance
  • Generation Cost: Output tokens cost more than input tokens

21.1.1 Context Window Exhaustion

What It Is:

Filling the model's context window (input + output) to its maximum capacity, forcing the model to process maximum tokens and preventing legitimate usage.

Attack Mechanics:

#!/usr/bin/env python3
"""
Token Bomb: Context Window Exhaustion Attack

Requirements:
    pip install openai

Usage:
    python token_bomb_dos.py
"""

import openai
import time

class TokenBombAttack:
    """Exhaust LLM context window with maximum token consumption"""

    def __init__(self, api_key, model="gpt-3.5-turbo"):
        self.client = openai.OpenAI(api_key=api_key)
        self.model = model
        self.context_limits = {
            "gpt-3.5-turbo": 4096,
            "gpt-4": 8192,
            "gpt-4-32k": 32768,
            "claude-2": 100000
        }

    def generate_token_bomb_prompt(self, target_tokens=3000):
        """
        Create prompt designed to maximize token consumption

        Strategies:
        1. Request very long output
        2. Ask for repetitive content
        3. Request lists, tables, code
        4. Use continuation tricks
        """

        # Strategy 1: Request maximum length list
        bomb_prompts = [
            f"List {target_tokens//10} different ways to say hello in different languages with full explanations",

            f"Write a {target_tokens}-word essay on the history of computing",

            f"Generate a Python tutorial with {target_tokens//20} code examples, each fully commented",

            "Generate a complete API documentation with 100 endpoints, including request/response examples, error codes, and usage samples for each",

            "Create a comprehensive SQL tutorial covering 50 different commands with 5 examples each, including table schemas and sample data",

            # Continuation attack
            "Start counting from 1 to 10000 and explain the mathematical significance of each number",
        ]

        return bomb_prompts

    def execute_single_bomb(self, prompt, max_tokens=4000):
        """
        Execute a single token bomb attack
        Returns actual token usage and cost
        """
        print(f"[*] Executing token bomb...")
        print(f"    Prompt: {prompt[:80]}...")

        start_time = time.time()

        try:
            response = self.client.chat.completions.create(
                model=self.model,
                messages=[{"role": "user", "content": prompt}],
                max_tokens=max_tokens,  # Request maximum output
                temperature=1.0  # High temp = more tokens
            )

            elapsed = time.time() - start_time

            # Extract metrics
            usage = response.usage
            prompt_tokens = usage.prompt_tokens
            completion_tokens = usage.completion_tokens
            total_tokens = usage.total_tokens

            # Calculate cost (GPT-3.5-turbo pricing)
            input_cost = (prompt_tokens / 1000) * 0.0015
            output_cost = (completion_tokens / 1000) * 0.002
            total_cost = input_cost + output_cost

            print(f"[+] Token bomb successful!")
            print(f"    Tokens - Input: {prompt_tokens}, Output: {completion_tokens}, Total: {total_tokens}")
            print(f"    Cost: ${total_cost:.4f}")
            print(f"    Time: {elapsed:.2f}s")
            print(f"    Token/second: {total_tokens/elapsed:.1f}")

            return {
                'tokens': total_tokens,
                'cost': total_cost,
                'time': elapsed,
                'prompt_tokens': prompt_tokens,
                'completion_tokens': completion_tokens
            }

        except Exception as e:
            print(f"[!] Attack failed: {e}")
            return None

    def sustained_token_flood(self, duration_seconds=60, delay=1):
        """
        Sustained DoS: Send token bombs repeatedly

        This simulates a real DoS attack scenario
        """
        print(f"\n[*] Starting sustained token flood DoS...")
        print(f"    Duration: {duration_seconds}s")
        print(f"    Delay between requests: {delay}s\n")

        start_time = time.time()
        total_cost = 0
        total_tokens = 0
        request_count = 0

        prompts = self.generate_token_bomb_prompt()

        while (time.time() - start_time) < duration_seconds:
            # Rotate through bomb prompts
            prompt = prompts[request_count % len(prompts)]

            result = self.execute_single_bomb(prompt, max_tokens=2000)

            if result:
                total_cost += result['cost']
                total_tokens += result['tokens']
                request_count += 1

            time.sleep(delay)

        elapsed = time.time() - start_time

        print(f"\n{'='*60}")
        print(f"[+] Token Flood DoS Complete")
        print(f"    Total requests: {request_count}")
        print(f"    Total tokens: {total_tokens:,}")
        print(f"    Total cost: ${total_cost:.2f}")
        print(f"    Duration: {elapsed:.1f}s")
        print(f"    Cost per second: ${total_cost/elapsed:.4f}/s")
        print(f"    Cost per hour (projected): ${(total_cost/elapsed)*3600:.2f}/hr")
        print(f"{'='*60}\n")

        return {
            'requests': request_count,
            'total_cost': total_cost,
            'total_tokens': total_tokens,
            'duration': elapsed,
            'cost_per_second': total_cost/elapsed
        }

# ============================================================================
# DEMO USAGE
# ============================================================================

if __name__ == "__main__":
    print("="*60)
    print("Token Bomb DoS Attack Demonstration")
    print("="*60)
    print("\nWARNING: This will consume API credits!")
    print("For educational/testing purposes only.\n")

    # DEMO MODE - Safe simulation
    print("[DEMO MODE] Simulating token bomb without real API calls\n")

    class SimulatedAPI:
        """Simulates OpenAI API for demonstration"""
        def __init__(self):
            self.call_count = 0

        def simulate_bomb(self, prompt, max_tokens):
            """Simulate token consumption"""
            self.call_count += 1

            # Simulate realistic token counts
            prompt_tokens = len(prompt.split()) * 1.3  # Rough estimate
            completion_tokens = min(max_tokens, max_tokens * 0.9)  # Usually hits max

            return {
                'tokens': int(prompt_tokens + completion_tokens),
                'cost': (prompt_tokens/1000 * 0.0015) + (completion_tokens/1000 * 0.002),
                'time': 2.5,  # Realistic response time
                'prompt_tokens': int(prompt_tokens),
                'completion_tokens': int(completion_tokens)
            }

    # Create simulated attacker
    api = SimulatedAPI()

    # Simulate single bomb
    print("Example 1: Single Token Bomb")
    print("-" * 60)

    bomb_prompt = "Generate a comprehensive Python tutorial with 200 code examples, each with full explanations and comments"
    result = api.simulate_bomb(bomb_prompt, max_tokens=4000)

    print(f"Prompt: {bomb_prompt[:60]}...")
    print(f"[+] Tokens consumed: {result['tokens']:,}")
    print(f"    Input: {result['prompt_tokens']} tokens")
    print(f"    Output: {result['completion_tokens']} tokens")
    print(f"    Cost: ${result['cost']:.4f}")
    print(f"    Time: {result['time']:.2f}s\n")

    # Simulate sustained attack
    print("Example 2: Sustained Token Flood (10 requests)")
    print("-" * 60)

    total_cost = 0
    total_tokens = 0

    for i in range(10):
        result = api.simulate_bomb(bomb_prompt, max_tokens=3000)
        total_cost += result['cost']
        total_tokens += result['tokens']

        if (i + 1) % 5 == 0:
            print(f"  [{i+1}/10] Cost so far: ${total_cost:.2f}")

    print(f"\n[+] Sustained Attack Results:")
    print(f"    Total requests: 10")
    print(f"    Total tokens: {total_tokens:,}")
    print(f"    Total cost: ${total_cost:.2f}")
    print(f"    Cost per request: ${total_cost/10:.4f}")
    print(f"    Projected cost per hour: ${total_cost * 360:.2f}/hr")
    print(f"    Projected cost per day: ${total_cost * 8640:.2f}/day")

    print("\n" + "="*60)
    print("[IMPACT] With minimal effort, attacker can:")
    print(f"  - Consume ${total_cost:.2f} in 25 seconds")
    print(f"  - Scale to ${total_cost * 1440:.2f}/hour with 10 concurrent threads")
    print(f"  - Exhaust API budgets rapidly")
    print("="*60)

Expected Output:

============================================================
Token Bomb DoS Attack Demonstration
============================================================

WARNING: This will consume API credits!
For educational/testing purposes only.

[DEMO MODE] Simulating token bomb without real API calls

Example 1: Single Token Bomb
------------------------------------------------------------
Prompt: Generate a comprehensive Python tutorial with 200 code exa...
[+] Tokens consumed: 3,620
    Input: 20 tokens
    Output: 3,600 tokens
    Cost: $0.0074
    Time: 2.50s

Example 2: Sustained Token Flood (10 requests)
------------------------------------------------------------
  [5/10] Cost so far: $0.04
  [10/10] Cost so far: $0.07

[+] Sustained Attack Results:
    Total requests: 10
    Total tokens: 36,200
    Total cost: $0.07
    Cost per request: $0.0074
    Projected cost per hour: $26.64/hr
    Projected cost per day: $639.36/day

============================================================
[IMPACT] With minimal effort, attacker can:
  - Consume $0.07 in 25 seconds
  - Scale to $106.56/hour with 10 concurrent threads
  - Exhaust API budgets rapidly
============================================================

Key Takeaways:

  1. Input/Output Asymmetry: Small prompt → massive output
  2. Cost Amplification: 200x cost multiplier possible
  3. Scalability: Easy to automate and distribute
  4. Economic Impact: Can drain budgets in hours

21.2 Computational Resource Exhaustion

Beyond Tokens: CPU/GPU Attacks

While token-based attacks exploit pricing, computational attacks target the underlying hardware resources (GPUs, TPUs, memory). These attacks slow down or crash the service even with rate limiting in place.

21.2.1 Complex Query Attacks

What It Is:

Crafting inputs that require disproportionate computation compared to their length, exhausting GPU cycles and memory.

Attack Vectors:

  1. Deep Reasoning Chains: Request multi-step logical reasoning
  2. Complex Math: Request symbolic math, proofs, or computations
  3. Code Generation: Request large, complex code with dependencies
  4. Ambiguity Resolution: Provide intentionally ambiguous prompts

Practical Example:

#!/usr/bin/env python3
"""
Computational Exhaustion Attack
Crafts prompts that maximize GPU/CPU usage

Requirements:
    pip install requests

Usage:
    python computational_dos.py
"""

class ComputationalDoS:
    """Attack LLM with computationally expensive queries"""

    def __init__(self):
        self.complexity_levels = {
            'low': 1,
            'medium': 5,
            'high': 10,
            'extreme': 20
        }

    def generate_complex_reasoning_prompt(self, complexity='high'):
        """
        Generate prompts requiring deep reasoning chains

        These force the model to maintain long reasoning contexts
        and perform complex inference steps
        """

        depth = self.complexity_levels[complexity]

        complex_prompts = [
            # Multi-step logical reasoning
            f"""
            Solve this logic puzzle with {depth} steps:
            1. If A is true, then B is false
            2. If B is false, then C must be evaluated
            3. C depends on the state of D and E
            ... (continue for {depth} interdependent conditions)
            What is the final state of A?
            Show your complete reasoning chain.
            """,

            # Nested mathematical proof
            f"""
            Prove that the sum of the first n natural numbers equals n(n+1)/2 using:
            1. Mathematical induction
            2. Algebraic manipulation
            3. Geometric visualization
            4. Historical context
            ... (request {depth} different proof approaches)
            """,

            # Complex code generation with dependencies
            f"""
            Write a complete {depth}-tier microservices architecture in Python including:
            - API gateways
            - Service mesh
            - Database layers
            - Caching strategies
            - Message queues
            - Complete error handling
            - Comprehensive tests
            - Docker configurations
            - Kubernetes manifests
            All fully functional and production-ready.
            """,

            # Ambiguous scenario analysis
            f"""
            Analyze this scenario from {depth} different philosophical perspectives:
            "A person finds a wallet with $1000. What should they do?"

            Provide complete analysis from:
            - Utilitarian ethics
            - Deontological ethics
            - Virtue ethics
            - Consequentialism
            ... ({depth} total frameworks)

            Then synthesize all perspectives into a unified recommendation.
            Compare and contrast all {depth} viewpoints in detail.
            """
        ]

        return complex_prompts

    def estimate_computational_cost(self, prompt, estimated_tokens=2000):
        """
        Estimate computational burden of a prompt

        Factors:
        - Reasoning depth (nested logic)
        - Context retention (multi-turn dependencies)
        - Output length
        - Complexity of task
        """

        # Complexity scoring
        complexity_score = 0

        # Count reasoning indicators
        reasoning_keywords = ['prove', 'analyze', 'compare', 'synthesize', 'evaluate']
        for keyword in reasoning_keywords:
            if keyword in prompt.lower():
                complexity_score += 2

        # Count step indicators
        if 'step' in prompt.lower() or '1.' in prompt:
            complexity_score += 3

        # Count request for multiple approaches
        if 'different' in prompt.lower() and ('way' in prompt.lower() or 'perspective' in prompt.lower()):
            complexity_score += 5

        # Estimate GPU cycles (arbitrary units)
        base_cycles = estimated_tokens * 100  # Base processing
        reasoning_multiplier = 1 + (complexity_score / 10)

        total_cycles = base_cycles * reasoning_multiplier

        return {
            'complexity_score': complexity_score,
            'estimated_gpu_cycles': int(total_cycles),
            'reasoning_depth': 'High' if complexity_score > 10 else 'Medium' if complexity_score > 5 else 'Low',
            'relative_cost': f"{reasoning_multiplier:.1f}x normal"
        }

    def execute_computational_attack(self, api_client, duration=30):
        """
        Send computationally expensive queries
        Goal: Maximize GPU usage, not necessarily token count
        """
        print(f"[*] Launching computational exhaustion attack...")
        print(f"    Duration: {duration}s\n")

        import time
        start_time = time.time()
        attack_count = 0

        complex_prompts = self.generate_complex_reasoning_prompt('extreme')

        while (time.time() - start_time) < duration:
            prompt = complex_prompts[attack_count % len(complex_prompts)]

            # Estimate before sending
            estimate = self.estimate_computational_cost(prompt)

            print(f"[{attack_count + 1}] Computational Attack")
            print(f"    Complexity: {estimate['complexity_score']}/20")
            print(f"    Reasoning: {estimate['reasoning_depth']}")
            print(f"    Estimated cost: {estimate['relative_cost']}")
            print(f"    GPU cycles: {estimate['estimated_gpu_cycles']:,}\n")

            # In real attack, would send to API here
            # response = api_client.generate(prompt)

            attack_count += 1
            time.sleep(5)  # Reduced rate, but high per-request cost

        elapsed = time.time() - start_time

        print(f"[+] Computational DoS Summary:")
        print(f"    Attacks sent: {attack_count}")
        print(f"    Duration: {elapsed:.1f}s")
        print(f"    Attack rate: {attack_count/elapsed:.2f} req/s")
        print(f"    (Low rate, but each request is {estimate['relative_cost']} expensive)")

# ============================================================================
# DEMO
# ============================================================================

if __name__ == "__main__":
    print("="*60)
    print("Computational Resource Exhaustion Attack")
    print("="*60)
    print()

    attacker = ComputationalDoS()

    # Demo 1: Show complexity analysis
    print("Example 1: Complexity Analysis")
    print("-"*60)

    simple_prompt = "What is 2+2?"
    complex_prompt = attacker.generate_complex_reasoning_prompt('high')[0]

    simple_analysis = attacker.estimate_computational_cost(simple_prompt)
    complex_analysis = attacker.estimate_computational_cost(complex_prompt, 4000)

    print(f"Simple prompt: '{simple_prompt}'")
    print(f"  Complexity: {simple_analysis['complexity_score']}/20")
    print(f"  GPU cycles: {simple_analysis['estimated_gpu_cycles']:,}")
    print(f"  Cost: {simple_analysis['relative_cost']}\n")

    print(f"Complex prompt: {complex_prompt[:60]}...")
    print(f"  Complexity: {complex_analysis['complexity_score']}/20")
    print(f"  GPU cycles: {complex_analysis['estimated_gpu_cycles']:,}")
    print(f"  Cost: {complex_analysis['relative_cost']}")
    print(f"  **{complex_analysis['estimated_gpu_cycles'] / simple_analysis['estimated_gpu_cycles']:.1f}x more expensive**\n")

    # Demo 2: Simulated attack
    print("Example 2: Simulated Computational Attack (30s)")
    print("-"*60)
    attacker.execute_computational_attack(None, duration=30)

    print("\n" + "="*60)
    print("[IMPACT] Computational attacks can:")
    print("  - Slow down entire GPU cluster")
    print("  - Cause cascading delays for all users")
    print("  - Bypass rate limits (fewer reqs, more damage)")
    print("  - Harder to detect than token floods")
    print("="*60)


21.3 Rate Limiting Bypass

Circumventing Quota Controls:

Most APIs implement rate limiting to prevent abuse. However, these controls can be bypassed through various techniques, enabling sustained DoS attacks.

Common Rate Limit Schemes:

  1. Token Bucket: Allows bursts, refills over time
  2. Fixed Window: X requests per minute/hour
  3. Sliding Window: Rolling time period
  4. Concurrent Limits: Max parallel requests

21.3.1 Bypass Techniques

Attack Strategies:

class RateLimitBypass:
    """Techniques to evade API rate limiting"""

    def __init__(self):
        self.identities = []
        self.proxies = []

    def technique_1_identity_rotation(self, num_api_keys=10):
        """
        Rotate through multiple API keys

        If rate limit is per-key, use multiple keys to multiply throughput
        """
        print("[*] Technique 1: Identity Rotation")
        print(f"    Using {num_api_keys} different API keys")
        print(f"    Effective rate: {num_api_keys}x normal limit\n")

        # Simulate rotation
        for i in range(num_api_keys):
            print(f"    Key {i+1}: api_key_{i:03d}")

        return {
            'technique': 'Identity Rotation',
            'multiplier': num_api_keys,
            'detection_difficulty': 'Medium',
            'cost': 'Requires purchasing multiple accounts'
        }

    def technique_2_distributed_attack(self, num_nodes=50):
        """
        Distribute attack across many IP addresses

        If rate limit is IP-based, use botnet/proxies
        """
        print("[*] Technique 2: Distributed Attack")
        print(f"    Using {num_nodes} different IP addresses")
        print(f"    Sources: Cloud VMs, proxies, compromised hosts")
        print(f"    Effective rate: {num_nodes}x normal limit\n")

        return {
            'technique': 'Distributed Attack',
            'multiplier': num_nodes,
            'detection_difficulty': 'High',
            'cost': 'Proxy rental or botnet'
        }

    def technique_3_timing_optimization(self):
        """
        Precisely time requests to maximize throughput

        If rate limit is 60 req/min, send exactly 1 req/second
        """
        print("[*] Technique 3: Timing Optimization")
        print("    Precisely scheduled requests")
        print("    Example: 60 req/min limit")
        print("    → Send 1 request every 1.0 seconds")
        print("    → Achieves sustained maximum rate\n")

        import time

        rate_limit = 60  # requests per minute
        interval = 60 / rate_limit  # seconds between requests

        print(f"    Optimal interval: {interval:.2f}s")
        print("    Simulating 10 requests...")

        for i in range(10):
            print(f"      [{i+1}/10] Sending request at t={i*interval:.1f}s")
            time.sleep(interval)

        return {
            'technique': 'Timing Optimization',
            'multiplier': 1.0,
            'detection_difficulty': 'Very Low',
            'cost': 'Free (just timing)'
        }

    def technique_4_session_manipulation(self):
        """
        Create new sessions to reset limits

        Some APIs track limits per session, not per user
        """
        print("[*] Technique 4: Session Manipulation")
        print("    Create new session after hitting limit")
        print("    If limits are session-based, this resets the counter\n")

        return {
            'technique': 'Session Manipulation',
            'multiplier': 'Unlimited',
            'detection_difficulty': 'Low',
            'cost': 'Free (if API allows)'
        }

    def combined_bypass_strategy(self):
        """
        Combine multiple techniques for maximum effectiveness
        """
        print("\n" + "="*60)
        print("COMBINED BYPASS STRATEGY")
        print("="*60)
        print()

        print("[*] Multi-Layer Bypass:")
        print("    Layer 1: 10 API keys (10x multiplier)")
        print("    Layer 2: 20 proxies (20x multiplier)")
        print("    Layer 3: Timing optimization (100% efficiency)")
        print("    Layer 4: Burst during window rotation\n")

        base_rate = 60  # requests per minute per key
        num_keys = 10
        num_proxies = 20

        effective_rate = base_rate * num_keys * num_proxies

        print(f"[+] Effective Rate: {effective_rate:,} requests/minute")
        print(f"    = {effective_rate * 60:,} requests/hour")
        print(f"    = {effective_rate * 60 * 24:,} requests/day")
        print(f"    vs normal limit of {base_rate}/min\n")

        print(f"[!] IMPACT: {effective_rate / base_rate:.0f}x rate limit bypass!")

# Demo
if __name__ == "__main__":
    print("Rate Limiting Bypass Techniques\n")

    bypass = RateLimitBypass()

    bypass.technique_1_identity_rotation(10)
    bypass.technique_2_distributed_attack(50)
    bypass.technique_3_timing_optimization()
    bypass.technique_4_session_manipulation()
    bypass.combined_bypass_strategy()

21.16 Summary and Key Takeaways

Critical DoS Techniques

Most Effective Attacks:

  1. Token Amplification (200x cost multiplier possible)

    • Small input → massive output
    • Economic DoS through cost explosion
    • Bypass detection with legitimate-looking prompts
  2. Computational Exhaustion (Harder to detect)

    • Complex reasoning chains
    • Bypass token-based rate limits
    • Disproportionate GPU usage per request
  3. Rate Limit Bypass (Unlimited scale)

    • Identity rotation
    • Distributed attacks
    • Timing optimization

Defense Recommendations

For API Providers:

  1. Multi-Layer Rate Limiting

    • Per API key: 100 req/min
    • Per IP: 500 req/min
    • Per organization: 10,000 req/min
    • Global: Adaptive throttling
  2. Cost Controls

    • Max tokens per request: 4,000
    • Max tokens per day per key: 1,000,000
    • Budget alerts at 80% threshold
    • Auto-suspend at 100%
  3. Computational Limits

    • Max request processing time: 30s
    • Complexity scoring for prompts
    • Deprioritize expensive queries during high load
    • Queue management
  4. Detection Systems

    • Anomaly detection for usage patterns
    • Sudden spike alerts
    • Distributed attack correlation
    • Behavioral analysis

For API Consumers:

  1. Budget Management

    • Set hard spending limits
    • Monitor usage in real-time
    • Alert on unusual spikes
    • Test with small budgets first
  2. Access Control

    • Distribute separate keys per application
    • Least privilege principle
    • Regular key rotation
    • Audit logging

Case Studies

ChatGPT February 2023 Outage:

  • Cause: Overwhelming traffic + potential abuse
  • Impact: Service down for multiple hours
  • Cost: Millions in lost revenue
  • Lesson: Need better load balancing and abuse detection

API Cost Attack (2023):

  • Attacker compromised API key
  • Generated $50,000 bill in 48 hours
  • Used token amplification technique
  • Defense: Implement spending limits

Emerging Threats:

  • AI-generated adversarial prompts optimized for max cost
  • Coordinated multi-vector attacks (token + computational + cache)
  • Economic warfare between AI providers
  • Zero-day rate limit bypasses

Defense Evolution:

  • ML-based anomaly detection
  • Adaptive rate limiting
  • Blockchain-based request tracking
  • Hardware-level protection (TEEs)

References and Further Reading

Academic Papers

  1. "Denial of Service Attacks on LLM Applications" (2023)
  2. "Resource Exhaustion in Transformer Models" (2022)
  3. "Economic Attacks on AI APIs" (2023)

Industry Reports

  • OWASP Top 10 for LLMs - DoS risks
  • Cloud Security Alliance - AI availability threats
  • NIST AI Security Framework - Resource management

Tools


End of Chapter 21: Model DoS and Resource Exhaustion

This chapter provided comprehensive coverage of denial of service attacks on LLM systems. Understanding these techniques is critical for building resilient, cost-effective AI services and protecting against resource abuse. Remember: the goal is to build better defenses, not enable attacks.