The AI Reconnaissance: 91,000 Attacks Target Exposed LLM Infrastructure
Attackers are systematically scanning the internet for misconfigured proxy servers that give unauthorized access to commercial services built on Large Language Models (LLMs). The campaign looks like a methodical intelligence-gathering operation rather than erratic scanning, and it has been active since at least late December.
According to the threat intelligence platform GreyNoise, attackers have probed over 73 LLM-related endpoints, generating more than 80,000 sessions. The method relies on “silent” queries (terse greetings, empty strings, or neutral factual questions) designed to reveal which model is accessible while evading detection systems and logging mechanisms.
Over the preceding four months, GreyNoise’s Ollama-based honeypots recorded a total of 91,403 access attempts attributable to two distinct campaigns. The first campaign began in October and is still ongoing; it peaked during the Christmas holidays, with 1,688 sessions recorded within a 48-hour window. In these cases, the attackers exploited Server-Side Request Forgery (SSRF) vulnerabilities, coercing servers into connecting to external infrastructure under the attackers’ control.
Researchers observed that the attackers manipulated Ollama’s model-loading mechanism by injecting malicious registry URLs, and abused Twilio SMS webhook integrations via the MediaURL parameter. Notably, they used the ProjectDiscovery OAST (Out-of-Band Application Security Testing) infrastructure, a tool typically reserved for legitimate security audits. GreyNoise suggests this points to a “gray zone” of activity, potentially led by researchers or bug bounty participants, though the sheer scale and deliberate timing go beyond conventional auditing.
Telemetry shows that this campaign originated from 62 IP addresses spanning 27 countries, with characteristics more indicative of Virtual Private Servers (VPS) than of traditional botnets.
The second campaign, which began on December 28, was markedly more aggressive, producing 80,469 sessions in just eleven days. Just two IP addresses methodically probed over 73 endpoints, using both OpenAI-compatible API and Google Gemini request formats. The target list covered models from nearly every major provider, including versions of GPT-4o, the Claude family, Llama 3, DeepSeek-R1, Gemini, Mistral, Qwen, and Grok.
The infrastructure behind these scans has a history of association with large-scale vulnerability exploitation, which suggests a focused reconnaissance effort to map available LLM services. Although there is no definitive evidence yet of subsequent data exfiltration or model abuse, researchers emphasize that scanning this exhaustive is rarely performed without a specific objective. GreyNoise posits that an investment of this magnitude in infrastructure mapping is invariably a precursor to future exploitation.
To harden defenses, the recommendations are to restrict Ollama model loading to trusted registries only, filter outbound traffic, and block known OAST domains at the DNS level. To hinder endpoint enumeration, organizations should also rate-limit suspicious autonomous systems and monitor for JA4 network fingerprints characteristic of automated scanning tools.
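One way to surface the enumeration pattern described above (a source sending terse or empty prompts to many different models in a short time) from proxy logs, as an added example that is not from GreyNoise or the original article. The JSON log fields, thresholds, IP addresses and sample records are all constructed assumptions.

```python
import json
from collections import defaultdict

def _rec(ts, src, model, chars):
    # Assumed log schema: one JSON object per request, written by the LLM proxy.
    return json.dumps({"ts": ts, "src": src, "model": model, "prompt_chars": chars})

# Constructed sample log (documentation IP ranges, illustrative model names).
MODELS = ["gpt-4o", "claude-3", "llama3", "deepseek-r1",
          "mistral", "qwen", "grok", "gemini-pro"]
SAMPLE_LOG = "\n".join(
    [_rec(1000 + 2 * i, "198.51.100.7", m, 2) for i, m in enumerate(MODELS)]  # scanner
    + [_rec(1000 + 30 * i, "203.0.113.20", "llama3", 400 + i) for i in range(8)]  # app
    + [_rec(1000 + 9 * i, "192.0.2.44", "gpt-4o", 5) for i in range(8)]  # short chats
    + ["not-json garbage line"]
)

def find_enumerators(log_text, window_s=300, min_models=5, max_probe_chars=16):
    """Map each source IP that sent short probes to >= min_models distinct
    models inside any window_s-second span to the sorted models it touched."""
    probes = defaultdict(list)  # src -> [(ts, model)] for short prompts only
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            ts, src, model = rec["ts"], rec["src"], rec["model"]
            short = rec.get("prompt_chars", 0) <= max_probe_chars
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed lines instead of aborting the scan
        if short:  # empty strings and terse greetings
            probes[src].append((ts, model))
    flagged = {}
    for src, events in probes.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            if len({m for _, m in events[start:end + 1]}) >= min_models:
                flagged[src] = sorted({m for _, m in events})
                break
    return flagged

if __name__ == "__main__":
    for src, models in find_enumerators(SAMPLE_LOG).items():
        print(f"{src} probed {len(models)} models: {', '.join(models)}")
```

The flagged sources are candidates for the rate limiting mentioned above; the thresholds need tuning against real traffic, since a legitimate multi-model client with short prompts would also match.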