All posts

What Is a Model Denial of Service Attack?

AI Security
Mar 19, 2025
6 min
Julie Peterson
Product Marketing
Table of Contents

New and emerging attacks

Over the past several years, GenAI innovation has enabled great transformation as well as an increased attack surface. Organizations across all industries are wrestling with how to deploy AI use cases while also maintaining the highest levels of security. 

One of the greatest truths of cybersecurity is that any system that exists is a potential target for attackers. When these systems are new, security professionals don’t always fully understand the ways in which attackers will try to exploit them. As cybersecurity experts work to secure GenAI models and applications, they must anticipate novel attack vectors that have yet to be widely observed. 

Generative AI introduces unique risks, from prompt injection and model manipulation to data poisoning and adversarial exploits. Without a deep understanding of these emerging threats, organizations risk deploying AI systems that are vulnerable to exploits. Security teams must adopt proactive red teaming, continuous monitoring, and adaptive defense strategies to stay ahead of attackers. The challenge is not just in defending against known threats, but in predicting and mitigating the unforeseen vulnerabilities that will inevitably arise as AI technology evolves.

This blog is part of a series on novel attacks against AI, ML and GenAI applications. Other blogs in this series include, What Is Prompt Injection in AI? and What Is AI Jailbreaking? Combined, they will provide those new to AI security with a baseline knowledge of GenAI attack vectors. 

What is model denial of service?

A model denial of service (Model DoS) attack attempts to disrupt the availability and performance of an AI/ML model by overwhelming it with malicious or excessive inputs.

You can think of it as similar to a traditional DoS attack. In a DoS attack, a server, service, or network is flooded with malicious requests in an attempt to disrupt it or shut it down. The goal is to bombard systems with excessive traffic or resource requests, making it slow or completely unavailable to legitimate users.

In a model DoS attack, the attacker’s goal is to degrade response times, exhaust computational resources, or make the model - and its related application - completely unresponsive.

Examples of model denial of service attacks

The following are examples of model denial of service attacks:

  • Variable-length input flood: Attackers send a flood of inputs, each carefully sized to push the AI’s processing limits, exploiting inefficiencies and potentially making it unresponsive.
  • Continuous input overflow: Attackers keep feeding the AI system more input than it can handle at once, causing the model to consume excessive computational resources. 
  • Resource-intensive queries: Attackers send inputs that require excessive processing, such as using strange symbols or uncommon word patterns to slow down the AI application and potentially cause system failure.
  • Repetitive long inputs: Attackers repeatedly send very long inputs, each exceeding the AI’s processing limit, forcing it to work inefficiently.
  • Recursive context expansion: Attackers design inputs that trick the AI into repeatedly expanding its memory usage.
  • Posing queries that lead to recurring resource usage: Attackers make the AI continuously generate and process new tasks, overloading its task queue (e.g., using automation tools like LangChain or AutoGPT).

Risks of model denial of service attacks

When organizations implement AI powered applications, they do so to gain greater efficiency, save money, improve decision-making, and enhance customer experience. The last thing an organization wants is for its flagship AI application to be unavailable or slow to respond. The risks of a model DoS attack include the following:

  • Slower response times: Legitimate users experience delays or unresponsive AI services.
  • Increased costs: Cloud-based AI models may incur higher compute costs due to excessive processing.
  • Loss of revenue: In severe cases, the model may become completely unavailable, costing the company revenue and customers.
  • Security exploitation: Attackers may use model DoS attacks as a smokescreen to distract security teams while executing other malicious activities, such as data breaches or system intrusions.
  • Data corruption or poisoning: In some cases, attackers might not just overload the model but also attempt to send adversarial inputs that degrade model performance or compromise its accuracy.
  • Compliance or legal issues: Disruptions affecting critical AI services in regulated industries like finance and healthcare could lead to compliance violations or legal penalties.
  • Reputation damage: If a company’s AI service is frequently down or disrupted, trust in its reliability can erode.

Model denial of service attacks pose real risks. If the goal of implementing an AI application is to gain competitive advantage, an attack like this could easily impact an organization’s bottom line or harm its reputation.

How to prevent model denial of service attacks

Organizations must implement multi-layered security defenses to prevent attackers from using model DoS attacks effectively. Here are several ways in which you can help mitigate these attacks: 

  • Validate inputs: Monitor inputs in real time to make sure all user inputs follow set rules and anything suspicious or harmful is removed.
  • Limit resource use per request: Prevent any single request from using too many resources at once, ensuring complex tasks run at a controlled pace.
  • Set API rate limits: Restrict how many requests a user or IP address can send within a certain time to prevent overload.
  • Control queued and total actions: Limit how many actions can be stored in a queue and how many the system can process at once to avoid excessive workload.
  • Monitor resource usage: Track the AI system’s resource consumption to spot unusual spikes or patterns that could signal an attack.
  • Restrict input size: Set clear limits on how much input the AI can process at once to prevent it from being overwhelmed.
  • Educate developers: Train developers on how AI models can be attacked and provide training on best practices for keeping AI models and applications secure.

By implementing these security measures, organizations can prevent attackers from disrupting AI models and applications. Regular security reviews, real-time monitoring, and adaptive defenses will help businesses stay ahead of evolving threats. Well-protected AI models and applications enhance performance, maintain reliability, and safeguard against financial and reputational damage.

Since threats continue to evolve, it’s essential to regularly review security policies, refine mitigation strategies, and adapt defenses as new attack methods emerge. Ultimately, well-protected AI systems not only enhance performance and stability but also strengthen user trust and safeguards against operational disruptions.

OWASP, unbounded consumption, and model denial of service

In the 2025 OWASP Top 10 for LLMs, model denial of service attacks were expanded into a broader category called Unbounded Consumption. This change reflects the evolving nature of AI security threats, where attackers are not just trying to make models unavailable but are also exploiting their resource usage in a variety of ways. OWASP recognized that limiting the focus to only denial of service was too narrow, as modern attacks on AI models increasingly target excessive resource consumption beyond downtime.

The key difference between model DoS attacks and unbounded consumption is that DoS attacks typically aim to overwhelm a model with too many requests, slowing it down or making it unavailable. Unbounded consumption, however, includes a wider range of attacks that abuse an AI system’s resources in different ways, such as forcing it to process unusually complex or costly requests, consuming excessive memory or compute power, and even driving up operational costs in cloud-based environments.

The unbounded consumption category covers multiple threats, including:

  • Model DoS attacks: Overloading the model with excessive requests to slow it down or crash it.
  • Excessive computational costs: Forcing AI models to process inputs that require significantly more resources, leading to high cloud-compute bills.
  • Memory and resource drain: Exploiting the model’s memory usage, potentially causing system instability or failures.
  • Infinite loop exploits: Triggering scenarios where an AI system repeatedly processes or generates outputs, wasting resources indefinitely.
  • Token abuse: Submitting extremely long inputs or forcing overly verbose responses, increasing API costs or slowing responses for legitimate users.

By expanding this category, OWASP is acknowledging that attackers are increasingly looking for ways to manipulate how AI models consume resources, not just how they can be shut down. This shift highlights the need for better safeguards like request limits, cost controls, and more efficient processing safeguards to protect AI systems from being exploited through excessive resource consumption.

How TrojAI can help

TrojAI helps enterprises protect against model denial of service attacks. We do this through real-time monitoring of AI models and applications in production environments. Because TrojAI monitors AI model inputs, we can validate inputs and identify when attackers are trying to overload a model with excessive requests.

In fact, our mission at TrojAI goes well beyond denial of service attacks to enable the secure rollout of AI in the enterprise. We are a comprehensive AI security platform that protects AI models and applications. Our best-in-class platform empowers enterprises to safeguard AI applications and models both at build time and run time. TrojAI Detect automatically red teams AI models, safeguarding model behavior and delivering remediation guidance at build time. TrojAI Defend is an AI application firewall that protects enterprises from real-time threats like model denial of service at run time.

By assessing the risk of AI model behaviors during the model development lifecycle and protecting model behavior at run time, we deliver comprehensive security for your AI models and applications.

Want to learn more about how TrojAI secures the largest enterprises globally with a highly scalable, performant, and extensible solution?

Visit us at troj.ai now.

The latest from our blog

AI Model Scanning vs. AI Red Teaming

Discover the key differences between AI model scanning and AI red teaming, including why both are necessary for securing AI systems in the enterprise.

Julie Peterson
Apr 17, 2025
6 min

LLM Red Teaming with TrojAI Detect

Learn about automated red teaming for AI models with TrojAI Detect’s expanded capabilities that safeguard your AI apps from real-world threats.

Stan Petley
Feb 27, 2025
6 min

What Is a Data Extraction Attack?

Data extraction attacks threaten AI systems and expose sensitive data. Learn what you can do to protect your AI models from data loss and misuse.

Julie Peterson
Apr 10, 2025
7 min

Secure your AI future today.

Contact us

Representative Vendor:
2024 AI TRiSM
2024 Hype Cycle for Emerging Technologies
2024 Hype Cycle for Generative AI

TrojAI named to the 2021/2024
Top 100 Global AI Companies

14 King St., Suite 102, Saint John, NB, E2L 1G2
100 Summer St., Suite 1600, Boston, MA, 02110
Toll Free: (888) 4-TROJAI
sales@troj.ai
© Copyright TrojAI 2019-2025