A is incorrect: Mutual TLS provides strong bidirectional authentication by requiring both client and server to present certificates, ensuring only authenticated clients connect to the API. While mTLS prevents unauthorized access, it does not limit how many resources an authenticated user can consume. An attacker using valid credentials and a legitimate certificate could still send resource-intensive prompts that consume excessive tokens and drive up costs. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
B is correct: Enforcing token-based rate limits and spending quotas is the best mitigation for this attack, commonly referred to as a wallet attack or unbounded consumption. Token-based rate limiting restricts how many tokens each user or application can consume within a defined period, while spending quotas set hard financial caps on usage. Together, these controls prevent any single actor from generating excessive costs by constraining both the volume and the financial impact of API consumption at the gateway level. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
C is incorrect: Output content filtering inspects model-generated responses for harmful, toxic, or policy-violating content before delivery to the user. While important for responsible AI and preventing output abuse, content filtering does not address the resource consumption problem. The tokens are already consumed during model inference before the output is filtered, meaning the financial cost has already been incurred regardless of whether the response is ultimately blocked or delivered. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
D is incorrect: Diagnostic logging captures detailed records of API interactions including request payloads, response metadata, token usage, and error codes, which supports audit and forensic investigation. However, logging is a detective control that records events after they occur and does not actively prevent token overconsumption. The financial damage continues to accumulate while logs are being generated, requiring separate preventive controls to stop the attack. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
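Gateway-side enforcement of the control in option B, as an added example that is not from the page or from OWASP: each principal gets a token budget over a sliding window plus a hard spending cap, and both are checked before inference so the worst-case cost is bounded up front rather than discovered in the logs. The class names, policy numbers and the flat per-1k-token price are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Policy:
    window_seconds: int = 60
    tokens_per_window: int = 4000    # assumed per-principal token budget per window
    spend_cap_usd: float = 1.00      # assumed hard financial cap per principal
    usd_per_1k_tokens: float = 0.01  # assumed blended price, prompt + completion
    max_output_tokens: int = 512     # gateway clamps larger completion requests

@dataclass
class Usage:
    events: deque = field(default_factory=deque)  # (timestamp, tokens) in window
    spent_usd: float = 0.0                         # cumulative spend, never reset

class TokenQuotaGateway:
    """Admission control applied before inference, so cost is bounded up front."""

    def __init__(self, policy: Policy):
        self.policy, self.usage = policy, {}

    def _cost(self, tokens: int) -> float:
        return tokens / 1000 * self.policy.usd_per_1k_tokens

    def window_tokens(self, principal: str, now: float) -> int:
        """Tokens charged to this principal inside the current sliding window."""
        u = self.usage.setdefault(principal, Usage())
        while u.events and u.events[0][0] <= now - self.policy.window_seconds:
            u.events.popleft()
        return sum(t for _, t in u.events)

    def admit(self, principal: str, prompt_tokens: int, requested_output: int, now: float):
        """Reserve the worst-case token cost; returns (allowed, reason, reserved)."""
        p, u = self.policy, self.usage.setdefault(principal, Usage())
        reserved = prompt_tokens + min(requested_output, p.max_output_tokens)
        if self.window_tokens(principal, now) + reserved > p.tokens_per_window:
            return False, "rate_limit", 0
        if u.spent_usd + self._cost(reserved) > p.spend_cap_usd:
            return False, "spend_cap", 0
        u.events.append((now, reserved))
        u.spent_usd += self._cost(reserved)
        return True, "ok", reserved

    def settle(self, principal: str, reserved: int, actual_tokens: int, now: float):
        """After inference, hand back the unused part of the reservation."""
        unused = max(reserved - actual_tokens, 0)
        u = self.usage[principal]
        u.events.append((now, -unused))  # refund dated at settle time, ages out with the window
        u.spent_usd -= self._cost(unused)
```

A request is refused with `rate_limit` when its worst-case tokens would overrun the window budget and with `spend_cap` when the projected cost would exceed the cap; because the check happens in `admit`, a valid mTLS client cannot run up the bill that options A, C and D leave open.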