Overthinking Large Language Models: New DoS Threat to Reasoning Models Unveiled

The paper introduces a black‑box hierarchical genetic algorithm that automatically perturbs the logical structure of reasoning questions to induce excessive chain‑of‑thought in large language models, dramatically inflating output tokens (up to 26.1× on MATH) and creating a DoS‑style resource‑exhaustion attack, with extensive experiments across multiple models demonstrating the vulnerability and its transferability.

Machine Learning Algorithms & Natural Language Processing
Machine Learning Algorithms & Natural Language Processing
Machine Learning Algorithms & Natural Language Processing
Overthinking Large Language Models: New DoS Threat to Reasoning Models Unveiled

Recent large language models (LLMs) have progressed from simple chat to complex reasoning tasks such as mathematical problem solving, code generation, scientific analysis, and agent decision‑making. While reasoning ability improves utility, it also introduces a new security risk.

Unlike ordinary LLMs, reasoning models generate longer “thinking chains” before answering. When a query contains missing conditions, logical contradictions, or structural misalignments, the model may not reject the input quickly; instead it enters an “over‑thinking” loop, repeatedly checking the problem, proposing hypotheses, self‑correcting, and re‑computing. This behavior inflates the number of output tokens, increases inference latency, and raises energy consumption, providing an avenue for denial‑of‑service (DoS) attacks that exhaust computational resources without delivering harmful content.

The authors propose HGA (Hierarchical Genetic Algorithm), a black‑box attack that requires no access to model weights, gradients, or internal architecture. HGA automatically manipulates the logical structure of a reasoning question to trigger excessive chain‑of‑thought. The method consists of four steps:

Problem structuring : each reasoning question is decomposed into a set of premises and a final question, turning the raw text into a manipulable structured object.

Fitness evaluation : a composite fitness function measures (a) output length (token count) and (b) the presence of over‑thinking markers such as “but”, “wait”, “maybe”, “perhaps”, “another”, “alternatively”.

Hierarchical genetic operations : two crossover types (question‑level and premise‑level) and two mutation types (premise deletion and premise addition) are applied to create logical misalignments while keeping the input superficially question‑like.

Black‑box evolutionary search : candidate perturbed questions are fed to the target model, fitness scores are computed, high‑fitness individuals are selected, and the next generation is produced via the genetic operators.

In the first step, premises can be swapped between questions, removed, or replaced with irrelevant premises from other questions, thereby breaking the logical chain that the model relies on.

The fitness function rewards longer outputs and the occurrence of over‑thinking markers, ensuring that the search does not merely produce verbose but structurally meaningless text.

Experiments were conducted on four mainstream reasoning models—DeepSeek‑R1, Qwen3‑Thinking, GPT‑o3, and Gemini‑2.5‑Flash—using three benchmark datasets (SVAMP, GSM8K, MATH). Baselines included a simple “Base” prompt and the MIP method that removes premises. HGA consistently outperformed baselines:

On the MATH dataset, output length increased up to 26.1× compared with the original prompt.

For GPT‑o3, HGA‑generated attacks yielded responses of up to 6562 tokens , a 7.2× increase over MIP.

All models showed at least a 2× average token‑length increase over Base across datasets.

Ablation studies revealed that larger population sizes and more generations provide diminishing returns, and that removing the over‑thinking marker component from the fitness function significantly reduces attack effectiveness.

Transferability experiments demonstrated that adversarial inputs crafted using a small proxy model remain highly effective against large commercial LLMs, indicating that the over‑thinking vulnerability is shared across different architectures rather than being a model‑specific flaw.

In summary, HGA uncovers a “over‑thinking” weakness in large language reasoning models when faced with logically incomplete or contradictory inputs. By exploiting this weakness, attackers can dramatically raise inference costs and launch DoS‑style attacks. The study provides a new perspective on computational security of LLMs and a foundation for designing robust defensive mechanisms.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LLMmodel securityDoS attackoverthinkinghierarchical genetic algorithmreasoning vulnerability
Machine Learning Algorithms & Natural Language Processing
Written by

Machine Learning Algorithms & Natural Language Processing

Focused on frontier AI technologies, empowering AI researchers' progress.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.