Large language models (LLMs) can be driven into over-generation, emitting thousands of tokens before producing an end-of-sequence (EOS) token. This degrades answer quality, inflates latency and cost, and can be weaponized as a denial-of-service (DoS) attack. Recent work has begun to study DoS-style prompt attacks, but typically focuses on a single attack algorithm or assumes white-box access, without an attack-side benchmark that compares prompt-based attackers in a black-box, query-only regime with a known tokenizer. We introduce such a benchmark and study two prompt-only attackers. The first is Evolutionary Over-Generation Prompt Search (EOGen), which searches the token space for prefixes that suppress EOS and induce long continuations. The second is a goal-conditioned reinforcement learning attacker (RL-GOAL) that trains a network to generate prefixes conditioned on a target length. To characterize behavior, we introduce Over-Generation Factor (OGF), the ratio of produced tokens to a model's context window, along with stall and latency summaries. Our evolutionary attacker achieves mean OGF = 1.38 +/- 1.15 and Success@OGF >= 2 of 24.5 percent on Phi-3. RL-GOAL is stronger: across victims it achieves higher mean OGF (up to 2.81 +/- 1.38).

翻译：大型语言模型（LLM）可能被诱导进入过生成状态，在生成序列结束（EOS）标记前输出数千个标记。这会降低回答质量、增加延迟与成本，并可被武器化为拒绝服务（DoS）攻击。近期研究已开始探讨DoS式提示攻击，但通常聚焦于单一攻击算法或假设白盒访问权限，缺乏在已知分词器的黑盒、仅查询场景下比较基于提示的攻击者的攻击侧基准。我们引入了此类基准并研究了两种纯提示攻击方法。第一种是进化式过生成提示搜索（EOGen），该方法在标记空间中搜索能抑制EOS并诱导长序列延续的前缀。第二种是基于目标条件的强化学习攻击器（RL-GOAL），其训练神经网络生成以目标生成长度为条件的前缀。为量化攻击行为，我们引入了过生成因子（OGF）——即生成标记数与模型上下文窗口长度的比值，以及停滞与延迟统计指标。我们的进化攻击器在Phi-3模型上实现了平均OGF = 1.38 +/- 1.15，且OGF ≥ 2的成功率达到24.5%。RL-GOAL表现更强：在所有受测模型中其平均OGF更高（最高达2.81 +/- 1.38）。