What is Denial of Service (MCP)?


MCP denial of service overwhelms an MCP server or proxy with excessive tool calls to degrade or prevent legitimate agent operations.

WHY IT MATTERS

Denial of service (DoS) attacks on MCP infrastructure target the availability of tool services that agents depend on. If the database MCP server is overwhelmed, the agent can't query data. If the payment server is down, the agent can't process transactions. Unlike web application DoS where users see error pages, MCP DoS causes agents to fail silently or enter error loops.

Attack vectors include volumetric flooding (sending thousands of tool calls per second), resource-intensive calls (requesting expensive database queries or large file reads), connection exhaustion (opening many concurrent MCP sessions), and recursive tool calls (triggering tools that call other tools in amplification patterns).

In the MCP ecosystem, DoS can come from external attackers, but also from compromised agents or malicious servers. A manipulated agent in an agentic loop might repeatedly call the same tool, unintentionally DoS-ing the server. A malicious server might return responses that cause the agent to make exponentially more calls — a protocol-level amplification attack.

The impact extends beyond availability. If the DoS forces a fail-open condition — where the system allows operations without policy checks because the policy server is down — the attack becomes a gateway to bypass security controls entirely.

HOW POLICYLAYER USES THIS

Intercept provides built-in rate limiting through YAML policies, capping the number of tool calls per time window at both global and per-tool levels. This prevents both external DoS and agent-driven resource exhaustion. Critically, Intercept's fail-closed design means that if Intercept itself is overwhelmed, tool calls are blocked rather than allowed — the system never degrades into a fail-open state that bypasses policies.
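The control described above, shown as an added example (not Intercept's code or its YAML policy format): a sliding-window limiter with a global cap and per-tool caps that denies the call whenever the limiter itself errors. The class name, tool names and limits are assumptions made for illustration.

```javascript
// Added example, not Intercept's code. Tool names and limits are constructed.
class ToolCallLimiter {
  constructor({ windowMs, globalMax, perTool = {}, clock = Date.now }) {
    this.windowMs = windowMs;
    this.globalMax = globalMax;
    this.perTool = new Map(Object.entries(perTool)); // tool name -> cap per window
    this.clock = clock; // injectable so the window can be exercised in tests
    this.calls = []; // allowed calls only, so state never exceeds globalMax entries
  }

  // Returns { allow, reason }. Any internal failure denies the call (fail closed).
  check(tool) {
    try {
      if (typeof tool !== "string" || !tool) throw new TypeError("tool name missing");
      const now = this.clock();
      if (!Number.isFinite(now)) throw new Error("clock unavailable");
      // Drop calls that have aged out of the sliding window.
      this.calls = this.calls.filter((c) => now - c.t < this.windowMs);
      if (this.calls.length >= this.globalMax) return { allow: false, reason: "global limit" };
      const toolMax = this.perTool.get(tool) ?? Infinity;
      const used = this.calls.filter((c) => c.tool === tool).length;
      if (used >= toolMax) {
        return { allow: false, reason: "per-tool limit" };
      }
      this.calls.push({ t: now, tool });
      return { allow: true, reason: "ok" };
    } catch (err) {
      return { allow: false, reason: "limiter error: " + err.message };
    }
  }
}

// Constructed scenario: an agent stuck in a retry loop on one tool.
function simulateRetryLoop() {
  let now = 0;
  const limiter = new ToolCallLimiter({
    windowMs: 1000, globalMax: 5, perTool: { "db.query": 2 }, clock: () => now,
  });
  const decisions = [];
  for (let i = 0; i < 4; i++) {
    decisions.push(limiter.check("db.query").allow);
    now += 100;
  }
  now = 1500; // the earlier calls have left the window
  decisions.push(limiter.check("db.query").allow);
  return decisions;
}
console.log(simulateRetryLoop());
```

Because only allowed calls are recorded, a flood of denied calls cannot grow the limiter's own memory, which keeps the limiter from becoming the exhaustion target.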

FREQUENTLY ASKED QUESTIONS

Can an agent accidentally DoS its own MCP servers?
Yes. Agentic loops, retry storms, and recursive tool call patterns can generate enough traffic to overwhelm MCP servers. Rate limiting at the proxy layer prevents this regardless of the agent's behaviour.

What's the difference between DoS and resource exhaustion?
DoS targets service availability from an external perspective. Resource exhaustion is the internal mechanism — consuming compute, memory, or connections until the service fails. Resource exhaustion is one way to achieve DoS.

Should MCP servers implement their own rate limiting?
Defence in depth says yes — both server-level and proxy-level rate limiting are valuable. But proxy-level limiting (via Intercept) provides a single point of control across all servers and prevents traffic from reaching servers unnecessarily.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept