RepetitionCurse: Measuring and Understanding Router Imbalance in Mixture-of-Experts LLMs under DoS Stress

TL;DR

This paper uncovers a vulnerability in Mixture-of-Experts large language models where adversarial prompts cause severe load imbalance, leading to increased latency and potential denial-of-service, and introduces RepetitionCurse to exploit this flaw.

Contribution

The paper identifies a universal routing flaw in MoE models and proposes RepetitionCurse, a black-box attack method that exploits this vulnerability across different models.

Findings

Adversarial prompts cause routing imbalance in MoE models.

RepetitionCurse increases inference latency by over 3x.

The vulnerability can be exploited in a model-agnostic manner.

Abstract

Mixture-of-Experts architectures have become the standard for scaling large language models due to their superior parameter efficiency. To accommodate the growing number of experts in practice, modern inference systems commonly adopt expert parallelism to distribute experts across devices. However, the absence of explicit load balancing constraints during inference allows adversarial inputs to trigger severe routing concentration. We demonstrate that out-of-distribution prompts can manipulate the routing strategy such that all tokens are consistently routed to the same set of top-$k$ experts, which creates computational bottlenecks on certain devices while forcing others to idle. This converts an efficiency mechanism into a denial-of-service attack vector, leading to violations of service-level agreements for time to first token. We propose RepetitionCurse, a low-cost black-box strategy to exploit this vulnerability. By identifying a universal flaw in MoE router behavior, RepetitionCurse constructs adversarial prompts using simple repetitive token patterns in a model-agnostic manner. On widely deployed MoE models like Mixtral-8x7B, our method increases end-to-end inference latency by 3.063x, degrading service availability significantly.