lowexperimentalLinuxAI/MLT1499.004

LLM Service Rapid Writes To Cache Or Temp Directories

Detects high rates of file writes from LLM service processes to cache or temporary directories. Rapid writes may indicate an unbounded consumption attack that is flooding the disk, potentially causing storage exhaustion or degrading host performance.

Updated Jan 15, 2025 · Detection Engineering Team

llmunbounded-consumptionlinuxfile-writeowasp-llm10

Problem Statement

Rapid file writes to temporary or cache directories from an LLM service indicate disk exhaustion attacks that can cause service failures, cascade to dependent systems, and mask higher-severity concurrent attack activity.

Sample Logs

{"timestamp":"2025-01-15T14:01:00Z","computer_name":"llm-host-03","user":"llm_svc","image":"/opt/llm/app/cache_manager.py","target_filename":"/tmp/llm_cache_item_00847.json","write_count_per_minute":483}

Required Fields

image

target_filename

user

computer_name

False Positives

·High-throughput LLM services with aggressive caching strategies

Tuning Guidance

Baseline normal write rates per workload tier. Alert on rates exceeding 3x peak normal. Correlate with disk usage metrics.