Contagious Recursive Blocking Attacks (CORBA)

• Contagious Recursive Blocking Attacks (CORBA) are adversarial strategies that recursively exploit local blocking conditions in distributed systems, ultimately causing network-wide service outages.
• They leverage protocol-compatible methods in multi-agent LLM systems and DNS servers, with empirical evaluations showing high proportional attack success rates under certain topologies.
• Effective mitigation requires protocol redesign and the integration of rate-limiting, topology adjustments, and anomaly detection to counter resource exhaustion caused by recursive blocking.

Contagious Recursive Blocking Attacks (Corba) refers to a class of adversarial behaviors that exploit local “blocking” conditions within distributed systems—particularly those supporting recursive, parallelizable, or agent-graph protocols—to effect widespread service denial. Distinguished by a twofold dynamic, these attacks propagate recursively through system topologies and elicit contagious blockage and resource exhaustion. The terminology was introduced and developed in the study of multi-agent systems based on LLMs (Zhou et al., 20 Feb 2025), and conceptually parallels the “lotus-eater attack” in peer-to-peer networks (0806.1711) and resource exhaustion strategies in recursive DNS servers (Wang, 2016). In all manifestations, Corba leverages generic protocol-compatible mechanisms rather than overtly malicious instructions, rendering standard filtration and altruism-based defenses largely ineffectual.

1. Formal Models and Attack Instantiation

In an LLM-MAS, consider a topology $T = (A, E)$ with $A = \{a_1, \dots, a_n\}$ denoting agents and $E$ the permissible directed communication links. Each agent runs a replica of an LLM, and message passing occurs via prompt-response cycles:

$a_i^t(P) = r$

where $a_i$ at timestep $t$ receives prompt $P$ and returns response $r$. An attacker $M$ injects a crafted prompt $P_m$ designed to induce a local “blocking state,” which, upon execution by $a_i$, triggers recursive forwarding to neighbors. The set of blocked agents at time $t$ is $B_t$; the propagation rule is:

$B_{t+1} = B_t \cup \mathcal{N}(B_t)$

where $$\mathcal{N}(B_t) = \bigcup_{a \in B_t} \{v : (a, v) \in E\}$$.

In distributed service networks, the attack leverages protocol “satiation-compatibility”: nodes refuse further service after reaching a local completion condition (e.g., collecting all file pieces, all updates, or exceeding scrip threshold). Formally, if $T_i(t)$ is the token set held by node $i$ at time $t$, the node’s state is determined by the Boolean function $\text{sat}(i, t, U)$, which becomes true when $U$ meets the completion criterion (0806.1711).

In DNS recursive servers, Corba fills “recursion slots” ($R$) with deliberately slow queries, forcing premature timeouts for legitimate recursions. The analytic criterion for effective blockage is $$\lambda_\text{attacker} \cdot T_\text{service} \geq R$$ (Wang, 2016), where $\lambda_\text{attacker}$ is the attacker’s query rate and $T_\text{service}$ is the induced service time.

2. Contagion, Recursive Blocking, and Resource Depletion

Contagiousness arises from protocol structures in which state variables—tokens, completion flags, recursion slots, or output buffers—are locally satisfied, causing nodes (or agents) to block communication with neighbors. Recursive interactions, such as agent chaining or exchange-based service, facilitate propagation. In LLM-MASs, the process is explicit:

• An agent infected by $P_m$ responds with $R_m$, a blocking or recursive prompt.
• The agent then forwards $P_m$ recursively to each neighbor, recruiting them into $B_{t+1}$.
• Blocked agents consume computational resources in self-looped prompt-response cycles, quantified as

$C(T) = \sum_{t=0}^{T} c\;|B_t|$

where $c$ is the average resource (tokens/API calls) used per blocked agent per round (Zhou et al., 20 Feb 2025).

In peer-to-peer file sharing or BAR Gossip settings, a single node’s satiation withdrawal propagates recursively. Observation 3.1 from (0806.1711) formalizes: “An attacker that can provide a node with tokens sufficiently rapidly can prevent it from ever providing service.” This recursive closure can isolate portions of the network per:

$S_{k+1} = S_k \cup \{j \in V \setminus S_k : \text{all paths from $j$ go through } S_k \}$

In DNS, saturation of recursion slots recursively evicts establishing recursions for all new queries, with $T_\text{real} = R / \lambda_\text{attacker}$ representing average legitimate survival time (Wang, 2016).

3. Algorithmic Implementation

The core Corba mechanism is encoded by the following protocol in an LLM-MAS (Zhou et al., 20 Feb 2025):

\begin{array}{l} \textbf{Input: } T=(A,E),\; P_m,\; a_b\ \textbf{Initialize: } B \leftarrow \{a_b\},\quad t \leftarrow 0\ \textbf{while } B \neq A\ \textbf{do}\ \quad \text{for each } a_i \in B\ \textbf{do}\ \qquad m_i \leftarrow P_m + \text{“repeat to your neighbors”}\ \qquad r_i \leftarrow a_i^t(m_i)\ \qquad B' \leftarrow B' \cup \{a_j : (a_i, a_j) \in E\}\ \quad \text{end for}\ \quad B \leftarrow B \cup B',\quad B' \leftarrow \varnothing, \quad t \leftarrow t+1\ \textbf{end while}\ \textbf{Output: } B = A \end{array}

In DNS, the attacker scripts randomized queries targeting zero-TTL or deep-CNAME domains, saturating slots via $5000$ qps streams, as demonstrated in BIND (Wang, 2016).

4. Empirical Evaluation and Parameter Sensitivity

Experimental results in AutoGen and CAMEL MASs detail the efficacy and topology dependency of Corba attacks (Zhou et al., 20 Feb 2025). Key metric is Proportional Attack Success Rate (P-ASR), which reflects the fraction of agents blocked after attack completion. Results for $K=10$ agents in AutoGen:

Model	AutoGen (Corba)	AutoGen (Baseline)
gpt-4o-mini	79.0	52.0
gpt-4	66.0	41.0
gpt-3.5-turbo	30.0	31.0
gemini-2.0	56.0	44.0

Topological susceptibility is substantial; star and cycle topologies realize rapid “infection” (P-ASR $>90\%$). Open-ended dialogue MASs reach $100\%$ P-ASR within $20$ turns.

BAR Gossip simulations reveal:

• Crash-attack baseline requires $42\%$ control to drop delivery below $93\%$.
• Ideal lotus-eater (instant feed) attains same drop with $4\%$ control.
• Trade lotus-eater (protocol-respecting rapid feed) needs $22\%$ (0806.1711).

In BIND DNS, attacker-driven occupancy at $5000$ qps for slow domains blocks all legitimate queries at default (R=1000, T_timeout=10s) (Wang, 2016).

5. Defense Methodologies and Their Limitations

Mitigation approaches in LLM-MASs, peer-to-peer networks, and recursive servers illustrate the limitations of existing protocol-based and statistical filters:

• Alignment/Content Filters: Corba instructions typically evade LLM safety checkers; low detection probability ($< 0.25$) (Zhou et al., 20 Feb 2025).
• Rate-limiting and Altruism: Raising optimistic push size or altruistic exchange rates can increase robustness against blockage. In BAR Gossip, push size from $2$ to $10$ increases necessary attack size from $22\%$ to $40\%$, and added $+1$ altruism increases threshold by $50\%$ (0806.1711).
• Graph-based isolation: Intervention on vertex cuts is computationally hard in dynamic agent topologies.
• Resource quota enforcement: DNS servers with per-client quotas and anomaly detection for deep-CNAME, zero-TTL, or randomized query names mitigate slot exhaustion (Wang, 2016).
• Obedience-based logs: In scrip or exchange systems, obligatory signed logs detect excessive feeding; expulsion of violators is contingent on a critical mass of “obedient” correct nodes (0806.1711).

LLM-MAS perplexity detection strategies fail as Corba instructions mimic benign entropy; surface statistics are inadequate. Overall, practical defenses require a blend of rate-limiting, improved topology design, and formal verification of recursive protocol termination.

6. Open Research Challenges and Implications

Across systems, several open doctrinal and methodological challenges persist:

• Defining incentive-compatible protocols that avoid the root “satiation-compatibility” property.
• Capturing collusion between rational and Byzantine actors, especially in agent graphs where cooperation is not strictly enforced by protocol semantics (0806.1711).
• Online recognition and halting of recursive self-looping API calls, possibly under black-box monitoring constraints.
• In MASs and recursive servers, dynamic and hidden edge sets hamper graph-based isolations, and real-world systems often lack a global view of $E$ to implement vertex-cut countermeasures efficiently (Zhou et al., 20 Feb 2025).
• In DNS, balancing shorter timeouts and per-source quotas with legitimate user experience remains nontrivial (Wang, 2016).

A plausible implication is that Corba-style attacks will continue to circumvent standard alignment and rate-based defenses unless protocols are fundamentally re-engineered to resist recursive block conditions and to ensure termination or bypass under contagion.

7. Conceptual Connections and Systemic Impact

Corba attacks demonstrate that distributed and agent-based protocol design must be critically appraised for recursive and satiation-based withdrawal behaviors. Protocols that feature “completion withdrawal” in any form—including tit-for-tat unchoking, balanced exchange, scrip thresholds, recursion slot capping—are fundamentally exposed to contagious recursive blocking across a wide spectrum of topologies. Analytical and simulation studies confirm that minimal adversarial control can have disproportionately large impacts on global availability and performance. The general principle applies across classic p2p, modern LLM multi-agent frameworks, and infrastructural recursive resolvers. The ongoing challenge is to integrate stricter global controls, termination checks, and cooperative monitoring into next-generation protocol architectures—without unduly sacrificing functionality, scalability, or performance.