T11-AT-012 · HIGH

Resource Exhaustion Attacks

T11 · Agentic & Orchestrator Exploitation
Risk score: 210
Rating: High
Procedures: 10
Severity
Mechanism

Autonomous agents run iterative loops and can issue actions far faster and longer than a human operator, which makes them a natural denial-of-service primitive when pointed at finite resources — CPU, memory, disk, file descriptors, network bandwidth, and (uniquely for LLM agents) paid API quotas and token budgets. The trust boundary violated is the absence of resource governance: agents are typically granted the ability to spawn processes, write files, open connections, and recurse without per-task caps, so an injected "run this until exhaustion" instruction executes unchecked. This maps to LLM10 (Unbounded Consumption): because each individual action (open a tab, write a file, make a request) is legitimate, the abuse is purely in unbounded *quantity*, which per-action policies don't catch.

Detection
  • Enforce and monitor per-task budgets: CPU time, memory, disk, file descriptors, request count, and token/API spend
  • Alert on rapid object-creation rates (tabs, processes, files, sockets) from an agent session
  • Detect tight loops / unbounded recursion in agent action streams and abnormal call-rate spikes
  • Watch disk/inode utilization and FD counts on agent hosts for sharp climbs
Mitigation
  • Hard resource quotas (cgroups/ulimits): HIGH
  • Per-task action + token budgets: HIGH
  • Recursion/loop breakers: HIGH
  • API rate limits + spend caps: MEDIUM
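
A per-task action and token budget with a loop breaker, sketched as an added example (not code from this catalogue): every action is charged against the task's quantity caps before it runs, which is the check per-action allow/deny policies lack. The class and tool names, the limits, and the sample action streams are all constructed for illustration.

```python
from collections import Counter, deque
from dataclasses import dataclass, field

class BudgetExceeded(Exception):
    """A task crossed one of its hard caps."""

@dataclass
class TaskBudget:
    max_actions: int = 50      # total tool calls per task
    max_tokens: int = 20_000   # total LLM tokens per task
    max_repeats: int = 5       # identical calls tolerated inside the window
    window: int = 10           # sliding window for the loop breaker
    actions: int = 0
    tokens: int = 0
    recent: deque = field(default_factory=deque)

    def charge(self, tool, args, tokens):
        """Account for one action before it executes; raise if over budget."""
        self.actions += 1
        self.tokens += tokens
        self.recent.append((tool, args))
        if len(self.recent) > self.window:
            self.recent.popleft()
        if self.actions > self.max_actions:
            raise BudgetExceeded(f"action cap ({self.max_actions}) exceeded")
        if self.tokens > self.max_tokens:
            raise BudgetExceeded(f"token cap ({self.max_tokens}) exceeded")
        sig, n = Counter(self.recent).most_common(1)[0]
        if n > self.max_repeats:
            raise BudgetExceeded(f"loop breaker: {sig[0]} repeated {n}x")

def run_task(stream, budget):
    """Replay (tool, args, tokens) tuples; return (executed, stop_reason)."""
    executed = 0
    for tool, args, tokens in stream:
        try:
            budget.charge(tool, args, tokens)
        except BudgetExceeded as exc:
            return executed, str(exc)   # halt the task, surface for alerting
        executed += 1                   # the real tool call would run here
    return executed, None

# Constructed action streams (tool names are hypothetical).
NORMAL = [("read_file", f"doc{i}.txt", 300) for i in range(8)]
TIGHT_LOOP = [("open_tab", "https://example.test/", 50)] * 1000
FILE_FLOOD = [("write_file", f"/tmp/f{i}", 10) for i in range(1000)]
TOKEN_BURN = [("summarize", f"chunk{i}", 500) for i in range(1000)]

if __name__ == "__main__":
    for name in ("NORMAL", "TIGHT_LOOP", "FILE_FLOOD", "TOKEN_BURN"):
        print(name, run_task(globals()[name], TaskBudget()))
```

The stop reason returned by `run_task` doubles as a detection signal: a session that keeps hitting its cap is worth alerting on, not just throttling.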
Chaining

Resource exhaustion is most often an injected objective (T1 prompt injection) or a side effect of T11-AT-005 multi-agent contention and T11-AT-006 runaway reflection loops. It overlaps T11-AT-001 (tab-flood / T11-AP-001F) on browser agents and T11-AP-002H (recursive tool exhaustion) on tool-using agents, and can serve as cover/distraction while a parallel T11-AT-011 exfiltration runs.

Framework mapping
OWASP LLM: LLM10