# LLM Denial of Service

- ID: python-llm-denial-of-service
- Severity: MEDIUM
- CWE: Resource Exhaustion (CWE-400)
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Detects AI/LLM API calls that lack token limits, potentially enabling denial of service attacks. OWASP LLM04 - Model Denial of Service.

DoS attacks against LLMs can:

- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability

This rule detects:

- Missing max_tokens limits on completions
- Missing input length validation

NOTE: Rate limiting is covered separately by framework-specific rate-limiting rules.

## Detection Message

LLM API call lacks resource limits ({issue_type})

## Remediation

Set max_tokens to limit response size and truncate user input.

```python
import openai
from flask import request  # Flask-style request object (other frameworks expose an equivalent)

MAX_INPUT_LENGTH = 2000   # characters accepted from the caller; bounds prompt size
MAX_OUTPUT_TOKENS = 500   # upper bound on generated tokens; bounds cost and latency

# Truncate untrusted input before it reaches the model.
user_message = request.json['message'][:MAX_INPUT_LENGTH]

response = openai.chat.completions.create(
    model='gpt-4',
    messages=[{'role': 'user', 'content': user_message}],
    max_tokens=MAX_OUTPUT_TOKENS
)
```

Learn more: https://shoulder.dev/learn/python/cwe-400/llm-denial-of-service

## Related Rules

- **LLM Denial of Service** [MEDIUM]:
- **Missing Request Size Limits** [MEDIUM]:
- **Denial of Service via Resource Exhaustion** [MEDIUM]:
- **Denial of Service via Unbounded Child Processes** [MEDIUM]:
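As an added illustration of what the "Missing max_tokens limits on completions" check in the Description looks like in practice, the following AST-based scanner is example code written for this page, not the rule's actual implementation. It assumes the OpenAI-style `...completions.create(...)` call shape used in the Remediation snippet and treats a `**kwargs` splat as possibly carrying the limit rather than flagging it.

```python
import ast

# Assumption: completion calls end in ".completions.create" (chat or legacy).
CREATE_TAIL = ("completions", "create")


def _attr_chain(node: ast.AST) -> list[str]:
    """Flatten ``a.b.c`` into ['a', 'b', 'c']; non-attribute bases are dropped."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return parts[::-1]


def find_unbounded_llm_calls(source: str) -> list[tuple[int, str]]:
    """Return (line, issue_type) for each completion call lacking an effective max_tokens."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if tuple(_attr_chain(node.func)[-2:]) != CREATE_TAIL:
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg is not None}
        has_splat = any(k.arg is None for k in node.keywords)  # **opts may carry the limit
        if "max_tokens" not in kw:
            if not has_splat:
                findings.append((node.lineno, "missing max_tokens"))
        elif isinstance(kw["max_tokens"], ast.Constant) and kw["max_tokens"].value is None:
            findings.append((node.lineno, "max_tokens=None"))  # explicit None disables the cap
    return findings


# Constructed sample: an unbounded call, a bounded call, and an explicit None.
SAMPLE = """
r1 = openai.chat.completions.create(model='gpt-4', messages=msgs)
r2 = client.chat.completions.create(model='gpt-4', messages=msgs, max_tokens=500)
r3 = client.completions.create(model='x', prompt=p, max_tokens=None)
"""

if __name__ == "__main__":
    for line, issue in find_unbounded_llm_calls(SAMPLE):
        print(f"line {line}: LLM API call lacks resource limits ({issue})")
```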