Detection Library
Severity: low · Status: experimental · Linux · OCI · Network · T1499
Linux Agent Repeated External Connection (Seed Rule)
Baseline seed rule to detect AI agent processes making high-frequency repeated external network connections, which may indicate beaconing behavior, an infinite retry loop, or API hammering that causes cascading service failures.
Updated Jan 10, 2025 · OCI AI Security Team
agentic-ai · cascading-failure · beaconing · retry-loop · linux · oci · owasp-asi08
Problem Statement
Runaway AI agents stuck in an infinite loop or a thrashing state can generate enough outbound traffic to exhaust network resources, hit API rate limits, or trigger DDoS protections on downstream services. Because those limits and protections apply to shared credentials, egress paths and upstream APIs, the effects cascade beyond the misbehaving agent to the wider OCI environment.
Sample Logs
{"timestamp":"2025-01-10T10:00:00Z","computer_name":"oci-worker-35","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"api.openai.com","destination_ip":"104.18.6.192","destination_port":443,"initiated":true,"note":"connection 1 of 45 in 60 seconds"}
Required Fields
image
destination_hostname
destination_ip
destination_port
user
computer_name
False Positives
- Data ingestion agents that make many API calls as part of legitimate bulk data retrieval
- Agents with aggressive retry logic that trigger bursts during transient API errors
Tuning Guidance
Set per-destination thresholds rather than global ones: key the count on the source (computer_name, user, image) plus destination_hostname or destination_ip and destination_port, so an agent that legitimately fans out to many approved endpoints is not suppressed while one that hammers a single endpoint still fires. Count over a sliding window (the sample log counts connections over 60 seconds) and set the threshold above the burst size produced by the agent's normal retry policy; for known bulk-ingestion agents, raise the threshold for their approved destinations rather than excluding the agent entirely.
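The following is an added example of the detection logic described above run over constructed log lines in the Required Fields schema; it is not the OCI detection library's own rule code. The 60-second window, the threshold of 30, the shard hostnames and the second worker host are assumptions made for the demonstration. It shows why the per-destination key matters: a retry loop hammering api.openai.com fires under both keying schemes, while a bulk-ingestion agent touching 40 distinct endpoints only fires under the noisier global count.

```python
"""Per-destination burst detector for the seed rule above (added example,
not the OCI detection library's own rule logic). Window and threshold are
assumed values, not the rule's published defaults."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 60   # assumed sliding window, matching the "in 60 seconds" note
THRESHOLD = 30        # assumed per-destination count that trips the rule


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_events(start, host, user, image, destinations, spacing_s=1):
    """Constructed log lines in the page's schema: one outbound connection per
    (hostname, ip) in `destinations`, spaced `spacing_s` seconds apart."""
    t0 = parse_ts(start)
    lines = []
    for i, (dest_host, dest_ip) in enumerate(destinations):
        ts = (t0 + timedelta(seconds=i * spacing_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(json.dumps({
            "timestamp": ts, "computer_name": host, "user": user, "image": image,
            "destination_hostname": dest_host, "destination_ip": dest_ip,
            "destination_port": 443, "initiated": True,
        }))
    return lines


def detect(lines, window=WINDOW_SECONDS, threshold=THRESHOLD, per_destination=True):
    """Return one alert (key, count, timestamp) per key the first time its
    connection count inside a `window`-second sliding window reaches
    `threshold`. With per_destination=False the key is the source only,
    which is the global-threshold behaviour the tuning guidance warns against."""
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    events = sorted((json.loads(ln) for ln in lines), key=lambda e: e["timestamp"])
    for e in events:
        if not e.get("initiated", True):      # only outbound connections count
            continue
        key = (e["computer_name"], e["user"], e["image"])
        if per_destination:
            key += (e["destination_hostname"], e["destination_port"])
        ts = parse_ts(e["timestamp"])
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire entries outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, len(q), e["timestamp"]))
    return alerts


# Scenario 1 (constructed): retry loop hitting one endpoint 45 times in 45 seconds.
RETRY_LOOP = make_events("2025-01-10T10:00:00Z", "oci-worker-35", "agent_svc",
                         "/usr/bin/python3", [("api.openai.com", "104.18.6.192")] * 45)
# Scenario 2 (constructed): bulk-ingestion agent hitting 40 distinct approved shards
# once each; the worker host, hostnames and addresses are hypothetical.
BULK_INGEST = make_events("2025-01-10T10:00:00Z", "oci-worker-12", "agent_svc",
                          "/usr/bin/python3",
                          [(f"shard-{i:02d}.data.internal", f"10.0.5.{i}") for i in range(40)])
SAMPLE_LINES = RETRY_LOOP + BULK_INGEST

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print("per-destination alert:", a)
    for a in detect(SAMPLE_LINES, per_destination=False):
        print("global alert (noisier):", a)
```

The detector alerts once per key when the window first fills, so a loop that keeps running does not re-alert every second; a production rule would instead re-arm after the window drains. Adding destination_port to the key keeps HTTP and HTTPS retries against the same host separate, which is usually what you want when the retry loop is in an HTTP client library.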