highexperimentalLinuxAI/MLT1499.004

LLM Service Recursive Self-Spawn

Detects an LLM service process that is both the parent and child in a process creation event, indicating recursive self-spawning. This fork-bomb pattern can exhaust process table limits and system resources, causing a complete host denial of service.

Updated Jan 15, 2025 · Detection Engineering Team

llmunbounded-consumptionlinuxfork-bombowasp-llm10

Problem Statement

An LLM service that spawns copies of itself recursively creates an exponential process growth pattern that exhausts the process table, memory, and CPU, causing a complete host denial of service within seconds.

Sample Logs

{"timestamp":"2025-01-15T22:55:01Z","computer_name":"llm-host-02","user":"llm_svc","image":"/opt/llm/app/worker.py","command_line":"python3 /opt/llm/app/worker.py --task recurse","parent_image":"/opt/llm/app/worker.py"}

Required Fields

image

parent_image

command_line

user

computer_name

False Positives

·Legitimate multi-process LLM worker pools where worker processes spawn sub-workers

Tuning Guidance

Limit to cases where the same executable path appears as both Image and ParentImage. Exclude known worker pool manager processes.