The agent-tool communication loop is a critical attack surface in modern Large Language Model (LLM) agents. Existing Denial-of-Service (DoS) attacks, primarily triggered via user prompts or injected retrieval-augmented generation (RAG) context, are ineffective for this new paradigm. They are fundamentally single-turn and often lack a task-oriented approach, making them conspicuous in goal-oriented workflows and unable to exploit the compounding costs of multi-turn agent-tool interactions. We introduce a stealthy, multi-turn economic DoS attack that operates at the tool layer under the guise of a correctly completed task. Our method adjusts text-visible fields and a template-governed return policy in a benign, Model Context Protocol (MCP)-compatible tool server, optimizing these edits with a Monte Carlo Tree Search (MCTS) optimizer. These adjustments leave function signatures unchanged and preserve the final payload, steering the agent into prolonged, verbose tool-calling sequences using text-only notices. This compounds costs across turns, escaping single-turn caps while keeping the final answer correct to evade validation. Across six LLMs on the ToolBench and BFCL benchmarks, our attack expands tasks into trajectories exceeding 60,000 tokens, inflates costs by up to 658x, and raises energy by 100-560x. It drives GPU KV cache occupancy from <1% to 35-74% and cuts co-running throughput by approximately 50%. Because the server remains protocol-compatible and task outcomes are correct, conventional checks fail. These results elevate the agent-tool interface to a first-class security frontier, demanding a paradigm shift from validating final answers to monitoring the economic and computational cost of the entire agentic process.

翻译：代理-工具通信循环是现代大型语言模型（LLM）代理的关键攻击面。现有的拒绝服务（DoS）攻击主要通过用户提示或注入的检索增强生成（RAG）上下文触发，对此新范式效果有限。这些攻击本质上是单轮次的，且通常缺乏任务导向性，使其在目标导向的工作流中易于暴露，亦无法利用多轮代理-工具交互的复合成本。我们提出一种隐蔽的多轮经济型DoS攻击，该攻击在工具层运作，伪装为正确完成的任务。我们的方法通过调整一个良性的、符合模型上下文协议（MCP）的工具服务器中的文本可见字段及模板控制的返回策略，并利用蒙特卡洛树搜索（MCTS）优化器对这些修改进行优化。这些调整保持函数签名不变并保留最终有效载荷，仅通过纯文本通知引导代理进入冗长的多轮工具调用序列。这使得成本在多个轮次中复合累积，从而突破单轮次限制，同时保持最终答案正确以规避验证。在ToolBench和BFCL基准测试的六个LLM上，我们的攻击将任务扩展至超过60,000个令牌的轨迹，使成本最高膨胀658倍，能耗提高100-560倍。它将GPU KV缓存占用率从<1%推升至35-74%，并使并行运行吞吐量降低约50%。由于服务器保持协议兼容且任务结果正确，传统检查手段均告失效。这些结果将代理-工具接口提升至一级安全前沿，要求从仅验证最终答案转向监控整个代理流程的经济与计算成本。