Skip to content
AI Security Wire

Published

- 6 min read

By

Reasoning DoS: New Attack Inflates LLM Agent Compute 10x

img of Reasoning DoS: New Attack Inflates LLM Agent Compute 10x

A class of AI-targeting attack has been formalised and confirmed at ICML 2026: the Reasoning-Level Denial-of-Service. Unlike traditional availability attacks that try to crash a system or exhaust its request limits, the Reasoning-Level DoS keeps the target working correctly. It just makes it work far more expensively. The attacker is not trying to break the agent. They are trying to make it think too much.

The attack framework is called OTora, published by researchers at ICML 2026 (arXiv:2605.08876). The paper formalises a threat that practitioners have speculated about in agentic AI deployments but that lacked a systematic treatment. OTora fills that gap: it is a two-stage red-teaming framework that instantiates Reasoning-Level DoS (R-DoS) attacks across multiple LLM agent architectures, demonstrating up to 10x increases in reasoning token consumption and order-of-magnitude latency degradation while preserving near-baseline task accuracy.

That last part is what makes this threat category distinctly dangerous.

What R-DoS Is and Why It Matters Now

Modern LLM agents do not operate as simple prompt-in, response-out systems. Reasoning models generate internal chain-of-thought before producing outputs. Tool-augmented agents loop on a think-act-observe cycle, invoking APIs, search tools, code interpreters, and external services across multiple turns before completing a task.

Both patterns create attack surface that did not exist in earlier generation LLM deployments. If an attacker can craft inputs that cause the agent’s reasoning engine to overextend or that cause it to invoke tools unnecessarily, they degrade the service without triggering any error. The model is not broken. It is busy.

This matters acutely now because of how production AI agent monitoring is structured. Standard monitoring postures watch for error rates, hallucination rates, and failed task completions. Latency is tracked but typically tolerated with looser thresholds. Token consumption per request is often not monitored at all at a per-request granularity. An R-DoS attack exploits exactly this blind spot.

For services billing by inference token, an attacker who can reliably inflate reasoning depth by 10x is effectively imposing a 10x cost amplification on the operator for every request they influence. For multi-agent systems where agent B is waiting on agent A’s output, a latency spike in A propagates to every downstream component.

The OTora Framework: Two-Stage Attack Architecture

OTora operates in two stages, each targeting a different mechanism by which reasoning and tool use can be inflated.

Stage I: Adversarial trigger optimisation

The first stage targets the agent’s tool invocation behaviour. The goal is to craft an input that causes the agent to invoke more tools than the task actually requires. Specifically, OTora optimises for targeted, unnecessary tool invocations: calls that are plausible given the task context but that the agent should not need to make if processing the input correctly.

The optimisation uses what the paper calls insertion-aware scoring, which evaluates candidate triggers based on how they influence agent behaviour given their position in the input context. This is paired with dynamic target co-evolution: the attack target (which tools the adversarial input should induce) updates adaptively during the optimisation process to maintain attack effectiveness as the trigger converges. Both black-box and white-box variants are supported.

Stage II: Reasoning payload generation

Stage I inflates tool use. Stage II inflates the reasoning chain itself. The mechanism here is ICL-guided genetic search: the framework uses in-context learning to bootstrap candidate reasoning payloads, then applies a genetic search to evolve those payloads toward maximising reasoning token consumption while keeping the final task output correct.

This constraint on task correctness is deliberate and is the key to the attack’s stealthiness. A payload that causes the model to produce wrong answers fails obviously. A payload that causes the model to produce the right answer after five times as many reasoning steps fails silently.

Experimental Results

The paper tests OTora across three agent environments built to represent realistic task domains: WebShop (online shopping/product search agents), Email (inbox management and response drafting agents), and OS (shell command execution agents). Backbone models include LLaMA-70B and GPT-OSS-120B.

Across these environments, OTora achieves up to 10x increases in reasoning tokens and order-of-magnitude latency slowdowns while maintaining near-baseline task accuracy. The framing in the paper is direct on this point: the attacks succeed in degrading availability as a service property without compromising the correctness metrics that most evaluation frameworks track.

The black-box variant results are particularly significant for real-world applicability. Black-box R-DoS means the attacker needs only query access to the agent, not knowledge of model weights or internal architecture. This is the threat model that applies to most production deployments, where APIs are exposed to external users.

Why Existing Defences Miss This

The operational security problem with R-DoS is that it lives in the space between normal variation and obvious attack.

Reasoning chain lengths vary naturally. A complex query genuinely requires more thinking than a simple one. Tool invocation counts vary by task. A latency spike caused by R-DoS looks, from a monitoring dashboard, like a legitimately complex request. Distinguishing between “agent spent 10 seconds reasoning because the task was hard” and “agent spent 10 seconds reasoning because of a malicious input” requires per-request visibility into reasoning depth distributions, not just aggregate latency percentiles.

Most production monitoring deployments do not have this visibility. They track p99 latency across all requests, not the reasoning token distribution of individual queries. An attacker who keeps their R-DoS inputs to a small fraction of total traffic can operate well within normal aggregate latency bounds while still imposing meaningful cost and responsiveness degradation for targeted sessions.

The cost attack surface is particularly acute for agentic services that run on token-priced inference APIs. If an adversary can consistently cause an agent to consume 10x the expected tokens per interaction, the economics of operating that agent change materially. At scale, this is financially significant independently of any user experience degradation.

Defensive Posture

The OTora paper’s mitigation discussion points toward detecting and constraining abnormal reasoning and latency spikes. The code is publicly available, enabling defenders to run the framework’s attack variants against their own agent deployments before attackers do.

Translating the research into operational controls involves several changes to how agents are monitored and constrained:

Token budget enforcement. Hard limits on reasoning chain length per request are the most direct control. Reasoning models that support configurable thinking budgets should have those budgets set conservatively for production deployments, with override paths for explicitly identified high-complexity tasks rather than open-ended budgets.

Per-request reasoning token telemetry. Aggregate latency monitoring is insufficient. Production agent observability needs per-request reasoning token counts as a tracked metric, with alerting on anomalous values relative to task-type baselines.

Tool invocation rate limits. Agents that invoke tools excessively in a single session present both an R-DoS risk and, in some architectures, a broader security risk from unintended tool use. Per-turn and per-session tool call counts should be bounded and monitored.

Reasoning depth anomaly detection. Building per-task-type baseline distributions for reasoning depth enables statistical anomaly detection on individual queries. A customer support agent that suddenly exhibits reasoning token counts five standard deviations above its normal distribution for comparable queries is worth flagging for review.

The OTora framework gives practitioners a concrete adversarial toolkit to test their deployments against. The appropriate response is not to wait for attackers to discover R-DoS independently. The framework is published, the attack concept is formalised, and the monitoring blind spots it exploits are real.

References

Related Posts

There are no related posts yet. 😢

Frequently Asked Questions

What makes Reasoning-Level DoS different from traditional DoS attacks on AI services?
Traditional DoS attacks on AI services aim to crash systems or exhaust rate limits through high request volume. R-DoS is subtler: it operates through normal user inputs that inflate the target agent's internal reasoning depth and tool invocation count without producing errors or wrong answers. From a monitoring perspective, the agent appears healthy because it is completing tasks correctly. The damage shows up as elevated latency and API cost, which most production monitoring frameworks do not alert on as aggressively as error rates.
Which production LLM agent architectures are most exposed to R-DoS attacks?
The OTora paper tested agents on WebShop, Email, and OS task environments. Any agent architecture that: (1) exposes user-controlled inputs without hard token-budget enforcement on reasoning, (2) supports multi-step tool use, and (3) lacks anomaly detection on reasoning chain length is potentially exposed. Multi-agent orchestration pipelines are at elevated risk because R-DoS on one agent can create cascading latency for all downstream agents waiting on its output.
What mitigations does the OTora research recommend?
The paper identifies detecting and constraining abnormal reasoning and latency spikes as the primary mitigation direction. In practice, this translates to: enforcing hard token budgets on reasoning chains, monitoring per-request reasoning token consumption as a first-class metric alongside error rate and latency, rate-limiting tool invocations per agent turn, and deploying anomaly detection on reasoning depth distributions. The OTora code repository is publicly available, which enables defenders to test their own agent deployments against the framework's attack variants.