Beyond Max Tokens: Stealthy Resource Amplification via Tool Calling Chains in LLM Agents
Problem Statement
Existing DoS attacks on LLMs are single-turn, prompt-level attacks that are easily detected and cannot exploit the compounding costs of multi-turn agent-tool interactions. As LLM agents increasingly rely on external tools via protocols like MCP, the agent-tool communication layer becomes a critical and largely undefended attack surface. Current defenses focused on final answer validation are blind to resource exhaustion attacks that complete tasks correctly but at massive computational expense.
Key Novelty
- First multi-turn economic DoS attack targeting the agent-tool interface layer, operating under the guise of correctly completed tasks to evade output-based validation
- Monte Carlo Tree Search (MCTS)-based optimizer that automatically discovers minimal, stealthy modifications to tool server text fields and return policies to maximize token amplification
- Demonstration that MCP-compatible, protocol-correct tool servers can silently inflate costs by 658x and GPU KV cache occupancy to 35-74%, establishing the agent-tool interface as a new security frontier
Evaluation Highlights
- Attack expands task trajectories to exceed 60,000 tokens across six LLMs on ToolBench and BFCL benchmarks, inflating financial costs by up to 658x and energy consumption by 100-560x
- GPU KV cache occupancy rises from under 1% to 35-74%, cutting co-running inference throughput by approximately 50%, demonstrating severe infrastructure-level impact beyond per-query cost inflation
Breakthrough Assessment
Methodology
- Identify modifiable text-visible fields (e.g., tool descriptions, return message templates) in an MCP-compatible tool server that do not alter function signatures or final payload correctness
- Use a Monte Carlo Tree Search (MCTS) optimizer to iteratively search and score candidate edits to these fields, maximizing token consumption across multi-turn agent-tool interaction trajectories while preserving task completion
- Deploy the optimized tool server in agentic benchmarks (ToolBench, BFCL) against six LLMs, measuring token amplification, cost inflation, energy usage, GPU KV cache occupancy, and throughput degradation of co-running workloads
System Components
A tool server that remains fully protocol-compliant and returns correct final payloads, but with modified text fields and return policies designed to induce verbose, prolonged agent reasoning loops
A Monte Carlo Tree Search-based search algorithm that explores the space of stealthy text edits to tool server fields, selecting modifications that maximize multi-turn token consumption without triggering task failure
A configurable policy controlling how the tool server structures its text-only notices and intermediate responses, steering the LLM agent into unnecessary follow-up tool calls across multiple turns
By compounding token usage across many agent turns, the attack bypasses single-turn token caps and accumulates resource costs that are invisible to per-response monitoring systems
Results
| Metric | Baseline (Normal) | Under Attack | Delta |
|---|---|---|---|
| Trajectory Token Length | ~hundreds of tokens | >60,000 tokens | ~60-100x increase |
| Financial Cost Inflation | 1x (baseline) | Up to 658x | +65,700% |
| Energy Consumption | 1x (baseline) | 100-560x | +10,000 to 56,000% |
| GPU KV Cache Occupancy | <1% | 35-74% | +34 to 73 percentage points |
| Co-running Inference Throughput | 100% (baseline) | ~50% | -50% |
Key Takeaways
- Validating only final task outputs is insufficient for LLM agent security—operators must monitor the full computational and economic cost of entire agentic trajectories to detect resource exhaustion attacks
- Third-party tool servers integrated via protocols like MCP represent a high-risk, under-scrutinized attack surface; practitioners should audit tool server response content and implement per-session token/cost budgets with anomaly detection
- The MCTS-based attack methodology reveals that even text-only, non-code changes to tool responses can have catastrophic infrastructure impact, suggesting that tool response content should be treated as untrusted input subject to length and complexity constraints
Abstract
The agent-tool communication loop is a critical attack surface in modern Large Language Model (LLM) agents. Existing Denial-of-Service (DoS) attacks, primarily triggered via user prompts or injected retrieval-augmented generation (RAG) context, are ineffective for this new paradigm. They are fundamentally single-turn and often lack a task-oriented approach, making them conspicuous in goal-oriented workflows and unable to exploit the compounding costs of multi-turn agent-tool interactions. We introduce a stealthy, multi-turn economic DoS attack that operates at the tool layer under the guise of a correctly completed task. Our method adjusts text-visible fields and a template-governed return policy in a benign, Model Context Protocol (MCP)-compatible tool server, optimizing these edits with a Monte Carlo Tree Search (MCTS) optimizer. These adjustments leave function signatures unchanged and preserve the final payload, steering the agent into prolonged, verbose tool-calling sequences using text-only notices. This compounds costs across turns, escaping single-turn caps while keeping the final answer correct to evade validation. Across six LLMs on the ToolBench and BFCL benchmarks, our attack expands tasks into trajectories exceeding 60,000 tokens, inflates costs by up to 658x, and raises energy by 100-560x. It drives GPU KV cache occupancy from<1% to 35-74% and cuts co-running throughput by approximately 50%. Because the server remains protocol-compatible and task outcomes are correct, conventional checks fail. These results elevate the agent-tool interface to a first-class security frontier, demanding a paradigm shift from validating final answers to monitoring the economic and computational cost of the entire agentic process.