Rethinking Latency Denial-of-Service: Attacking the LLM Serving Framework, Not the Model

TL;DR

This paper shifts focus from algorithmic to system-level latency attacks on LLM serving frameworks, introducing a new Fill and Squeeze attack strategy that exploits system behaviors to cause significant slowdowns.

Contribution

The paper presents a novel system-level attack method against LLM serving systems, demonstrating its effectiveness over existing algorithmic latency attacks.

Findings

Achieves 20-280x slowdown in Time to First Token

Attacks are effective with lower cost and in black-box settings

System optimizations like batching mitigate traditional latency attacks

Abstract

Large Language Models face an emerging and critical threat known as latency attacks. Because LLM inference is inherently expensive, even modest slowdowns can translate into substantial operating costs and severe availability risks. Recently, a growing body of research has focused on algorithmic complexity attacks by crafting inputs to trigger worst-case output lengths. However, we report a counter-intuitive finding that these algorithmic latency attacks are largely ineffective against modern LLM serving systems. We reveal that system-level optimization such as continuous batching provides a logical isolation to mitigate contagious latency impact on co-located users. To this end, in this paper, we shift the focus from the algorithm to the system layer, and introduce a new Fill and Squeeze attack strategy targeting the state transition of the scheduler. "Fill" first exhausts the global KV cache to induce Head-of-Line blocking, while "Squeeze" forces the system into repetitive preemption. By manipulating output lengths using methods from simple plain-text prompts to more complex prompt engineering, and leveraging side-channel probing of memory status, we demonstrate that the attack can be orchestrated in a black-box setting with much less cost. Extensive evaluations indicate by up to 20-280x average slowdown on Time to First Token and 1.5-4x average slowdown on Time Per Output Token compared to existing attacks with 30-40% lower attack cost.