From Shield to Target: Denial-of-Service Attacks on LLM-Based Agent Guardrails

📅 2026-06-12
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work reveals a critical availability vulnerability in existing large language model (LLM)-based guard mechanisms, which, while effective against prompt injection attacks, are susceptible to denial-of-service attacks through carefully crafted natural language payloads that induce prolonged reasoning loops. The study introduces two efficient attack frameworks: one leveraging beam search optimization combined with LLM-based proposers to generate high-amplification payloads, and another employing policy-guided, mechanism-aware structural mutation techniques to tailor adversarial inputs. Experimental results demonstrate that these methods achieve token amplification factors of 13–63× across eight mainstream LLMs and induce up to 148× latency overhead in real-world agent systems, with a single malicious document capable of incapacitating shared guard infrastructure.
📝 Abstract
LLM-based guardrails have emerged as a highly effective defense against prompt injection and jailbreak attacks in autonomous agents. However, we reveal that the very reasoning and task-following capabilities enabling this protection introduce a novel vulnerability: attackers can inject crafted data to trap the guardrail in extended reasoning loops, effectuating a systematic denial-of-service (DoS) attack. To systematically expose this threat, we design a beam-search optimization framework that crafts natural-language payloads to maximize guardrail reasoning length, utilizing an LLM proposer guided by a strategy bank. Based on the observation of guardrail's schema-following nature, we also provide another attack framework driven by mechanism-aware structural mutations with less computational load. The attack efficacy is systematically evaluated in two parts. First, in standalone evaluations, the attack generalizes across diverse guardrail architectures, safety templates, and agent benchmarks. Payloads optimized on a single open-source surrogate successfully transfer to eight leading model backbones (e.g., Claude, GPT, Gemini, DeepSeek, and Qwen), achieving a 13--63$\times$ token amplification. Second, in end-to-end real-world agent deployments (web, desktop, code, and multi-agent systems), the attack reveals up to a 148$\times$ latency amplification. We show that a single poisoned document can saturate shared guardrail infrastructures, effectively starving co-located agents and paralyzing the entire system. By uncovering this availability flaw, our work underscores the urgent need to develop cost-bounded, reasoning-robust guardrails.
Problem

Research questions and friction points this paper is trying to address.

Denial-of-Service
LLM-based Agent
Guardrail Vulnerability
Prompt Injection
Reasoning Loop
Innovation

Methods, ideas, or system contributions that make the work stand out.

denial-of-service
LLM-based guardrails
reasoning loop
token amplification
mechanism-aware attack