Skip to content
.ca
sign in
4 minhigh

Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails

A joint research project by SentinelLABS and Censys discovered a massive, unmanaged network of over 175,000 publicly exposed Ollama instances. Many of these self-hosted AI models possess tool-calling and vision capabilities, creating significant security risks such as resource hijacking, prompt injection, and identity laundering through residential proxy abuse.

Conf:highAnalyzed:2026-03-09reports

Authors: SentinelLABS, Censys

ActorsUnspecified criminal organizationsState-sponsored actors
Resource HijackingOllamaLLMPrompt InjectionShadow AI

Source:SentinelOne

Key Takeaways

  • Over 175,000 publicly accessible Ollama hosts were identified globally, creating an unmanaged layer of AI compute infrastructure.
  • Nearly 50% of observed hosts advertise tool-calling capabilities, enabling them to execute code or access external APIs, significantly increasing the risk of excessive agency.
  • The ecosystem exhibits a brittle monoculture, heavily favoring Llama, Qwen2, and Gemma2 models, with 72% utilizing 4-bit quantization (specifically Q4_K_M).
  • Exposed instances pose severe risks including resource hijacking, identity laundering via residential IPs, and data theft via prompt injection in Retrieval-Augmented Generation (RAG) setups.
  • Geographic distribution shows high concentration in China (~30% of top 10) and the United States (~21% of top 10), spanning both hyperscalers and residential telecom networks.

Affected Systems

  • Ollama deployments bound to public interfaces (0.0.0.0)
  • Self-hosted LLM infrastructure
  • Residential and Telecom networks hosting AI models
  • Cloud VPS environments running open-weight models

Attack Chain

Attackers scan the internet for exposed Ollama API endpoints (typically port 11434) bound to public interfaces. Upon discovering an accessible instance, they query its capabilities to identify tool-calling, vision, or RAG configurations. Attackers then leverage these unauthenticated endpoints to execute prompt injection attacks, hijack compute resources for spam/phishing generation, or launder malicious traffic through residential IPs by exploiting the model's external interaction features.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but highlights the necessity of monitoring network traffic for exposed Ollama API ports and tracking child processes spawned by LLM tool-calling capabilities.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the Ollama process binding to public interfaces and monitor child processes spawned by tool-calling capabilities, but may lack visibility into the specific API payloads or prompt injections occurring within the application layer. Network Visibility: High — Network sensors can easily identify traffic communicating over the default Ollama port (11434) and detect unauthenticated API requests from external sources. Detection Difficulty: Moderate — Identifying exposed ports is trivial, but distinguishing legitimate self-hosted LLM usage from malicious prompt injection or resource hijacking requires deeper payload inspection and behavioral analysis.

Required Log Sources

  • Network flow logs
  • Process creation logs (Event ID 4688 / Sysmon Event ID 1)
  • Host firewall logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for the Ollama service executable binding to 0.0.0.0 or public IP addresses instead of the default localhost (127.0.0.1).Network connection logs, EDR network eventsInitial AccessLow
Monitor for unexpected child processes (e.g., cmd.exe, powershell.exe, python.exe) spawned by the Ollama service, indicating potential abuse of tool-calling capabilities.Process creation logsExecutionMedium

Control Gaps

  • Lack of centralized authentication for self-hosted open-source LLMs
  • Absence of built-in abuse monitoring in local deployment frameworks
  • Inability to enforce governance on residential and telecom networks

Key Behavioral Indicators

  • Ollama process listening on public IP interfaces
  • High volume of inbound requests to port 11434 from unknown external IPs
  • Ollama service spawning unusual child processes

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Ensure Ollama instances are bound only to localhost (127.0.0.1) unless explicitly required for external access.
  • Implement strict firewall rules to block external access to port 11434.

Infrastructure Hardening

  • Deploy reverse proxies with strong authentication (e.g., OAuth, mutual TLS) in front of any publicly accessible LLM APIs.
  • Segment AI compute infrastructure from sensitive internal networks to limit the blast radius of RAG or prompt injection attacks.

User Protection

  • Monitor residential and edge endpoints for unauthorized installation of local LLM frameworks.

Security Awareness

  • Educate engineering and data science teams on the risks of exposing local AI models and the severe implications of enabling tool-calling capabilities without authentication.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1090 - Proxy
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Other:
    • Q4_K_M - Dominant 4-bit quantization format observed across 48% of exposed Ollama hosts, indicating a monoculture that could amplify the impact of format-specific vulnerabilities.
    • 0.0.0.0 - Network interface binding configuration that exposes local Ollama instances to the public internet.

Related