EPS
← All batches·2605.11442

Can a Single Message Paralyze the AI Infrastructure? The Rise of AbO-DDoS Attacks through Targeted Mobius Injection

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFlinked_to_results2026-05-13

Authors: Zi Liang, Ronghua Li, Yanyun Wang et al.

arXiv · PDF

Summary

The authors introduce Mobius Injection, a novel attack that weaponizes LLM agents into zombie nodes for distributed denial-of-service (AbO-DDoS). By injecting a single carefully crafted message that exploits "Semantic Closure" (a structural vulnerability in agent logic), attackers can trigger sustained recursive execution, amplifying a single call up to 51x and inflating latency up to 229x. The attack is lightweight, stealthy against both DDoS monitors and AI safety filters, and scales superlinearly with more poisoned nodes. They propose ACE (Agent Component Energy) Analysis as a proactive defense.

Main takeaways:

  • LLM agents can be turned into DDoS amplifiers via textual injection alone, without modifying infrastructure or exploiting traditional network vulnerabilities.
  • "Semantic Closure" is a structural flaw in agentic logic where recursive execution can be triggered by malicious semantic content embedded in user messages.
  • Experiments across six agent architectures and 12 LLMs show high success rates, with single-node call amplification up to 51x and multi-node p95 latency inflation up to 229x.
  • The attack is stealthy: traditional DDoS monitors don't flag it because it looks like legitimate agent activity, and AI safety filters don't catch it because it's framed as benign text.
  • ACE Analysis detects malicious recursive triggers by measuring component-level energy (presumably computational intensity or invocation patterns).

Relevance

Tangentially related to my conditional-behavior work. This exploits semantic triggers in agent workflows, similar to how I study persona markers and pretraining backdoors (e.g., the Qwen3-4B and Gaperon Latin triggers). The core mechanism—injecting text that activates latent behaviors—parallels my work on marker implantation and trigger localization, though here it's weaponized for recursion rather than persona activation.

Abstract

arXiv:2605.11442v1 Announce Type: new Abstract: Large Language Model (LLM) agents have emerged as key intermediaries, orchestrating complex interactions between human users and a wide range of digital services and LLM infrastructures. While prior research has extensively examined the security of LLMs and agents in isolation, the systemic risk of the agent acting as a disruptive hub within the user-agent-service chain remains largely overlooked. In this work, we expose a novel threat paradigm by introducing Mobius Injection, a sophisticated attack that weaponizes autonomous agents into zombie nodes to launch what we define as gent-based and -Oriented DDoS (AbO-DDoS) attacks. By exploiting a structural vulnerability in agentic logic named Semantic Closure, an adversary can induce sustained recursive execution of agent components through a single textual injection. We demonstrate that this attack is exceptionally lightweight, stealthy against both traditional DDoS monitors and contemporary AI safety filters, and highly configurable, allowing for surgical targeting of specific environments or model providers. To evaluate the real-world impact, we conduct extensive experiments across three representative claw-style agents and three mainstream coding agents, integrated with 12 frontier proprietary or open-weight LLMs. Our results demonstrate that Mobius Injection achieves substantial attack success across diverse tasks, driving single-node call amplification up to 51.0x and multi-node p95 latency inflation up to 229.1x. The attack performance exhibits a superlinear increase with the number of poisoning nodes. To mitigate Mobius Injection, we propose a proactive defense mechanism using Agent Component Energy (ACE) Analysis, which detects malicious recursive triggers by measuring anomalous energy in the agent's component graph.