Detection Library
low · experimental · Linux · AI/ML · Network · T1499.002

LLM Service Repeated External Network Connections

Detects high rates of outbound network connections from LLM service processes. A flood of connections may indicate the model is executing repeated external API calls, data exfiltration loops, or C2 beaconing triggered by an unbounded consumption attack.

Updated Jan 15, 2025 · Detection Engineering Team

llm · unbounded-consumption · linux · network · owasp-llm10

Problem Statement

A flood of outbound connections from an LLM service indicates unbounded consumption that can exhaust network resources and API rate limits, while also potentially indicating data exfiltration via repeated small transfers.

Sample Logs

{"timestamp":"2025-01-15T12:01:00Z","computer_name":"llm-host-02","user":"llm_svc","image":"/opt/llm/app/api_client.py","destination_hostname":"external-api.example.com","connection_count_per_minute":312}

Required Fields

image
destination_hostname
destination_ip
user
computer_name

False Positives

  • High-throughput LLM services making many legitimate API calls to approved backends

Tuning Guidance

Set the threshold based on observed peak connection rates for normal workloads. Focus alerts on connections to new or unrecognised destinations.
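As an added example (not code from the detection library), the rule logic and tuning guidance above in Python: the threshold is derived from observed peak rates of normal workloads, events are scoped to LLM service processes, and destinations not on an approved-backend allowlist are prioritised. The /opt/llm/ image prefix and the approved-backend hostname are assumptions, and the sample events are constructed in the page's log format.

```python
import json
import math

# Assumptions (not from the page): LLM service processes run from /opt/llm/,
# and the approved backend hostname below is a placeholder allowlist entry.
LLM_IMAGE_PREFIX = "/opt/llm/"
APPROVED_BACKENDS = {"approved-backend.example.com"}

# Constructed sample events in the page's log format. The first mirrors the
# page's sample record; the other two are added to exercise the allowlist
# and the process-scoping branches.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-15T12:01:00Z","computer_name":"llm-host-02","user":"llm_svc",'
    '"image":"/opt/llm/app/api_client.py","destination_hostname":"external-api.example.com",'
    '"destination_ip":"203.0.113.10","connection_count_per_minute":312}',
    '{"timestamp":"2025-01-15T12:01:00Z","computer_name":"llm-host-02","user":"llm_svc",'
    '"image":"/opt/llm/app/api_client.py","destination_hostname":"approved-backend.example.com",'
    '"destination_ip":"198.51.100.5","connection_count_per_minute":250}',
    '{"timestamp":"2025-01-15T12:02:00Z","computer_name":"llm-host-02","user":"root",'
    '"image":"/usr/bin/curl","destination_hostname":"external-api.example.com",'
    '"destination_ip":"203.0.113.10","connection_count_per_minute":400}',
]

def threshold_from_baseline(peak_rates, headroom=1.5):
    """Tuning step: alert only above the observed peak normal rate plus headroom."""
    return math.ceil(max(peak_rates) * headroom)

def evaluate(lines, threshold, approved=APPROVED_BACKENDS):
    """Return alerts for LLM service processes whose per-minute connection count
    exceeds the threshold; 'high' priority for unrecognised destinations,
    'low' for approved backends (the false-positive case from the page)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if not ev["image"].startswith(LLM_IMAGE_PREFIX):
            continue  # not an LLM service process: out of scope for this rule
        count = ev["connection_count_per_minute"]
        if count <= threshold:
            continue
        dest = ev.get("destination_hostname") or ev.get("destination_ip")
        priority = "low" if dest in approved else "high"
        alerts.append({"host": ev["computer_name"], "user": ev["user"],
                       "image": ev["image"], "destination": dest,
                       "count": count, "priority": priority})
    return alerts

if __name__ == "__main__":
    # Constructed baseline: observed peak rates per minute for normal workloads.
    t = threshold_from_baseline([120, 150, 180])  # -> 270
    for a in evaluate(SAMPLE_LOGS, t):
        print(a)
```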