Ollama API DDoS/Rate Limit Abuse Detection
This detection identifies potential DDoS attacks or rate limit abuse against Ollama API endpoints by detecting excessive request volumes from individual client IP addresses.
This brief focuses on detecting potential Distributed Denial of Service (DDoS) attacks or rate limit abuse against Ollama API endpoints. The attack involves flooding the Ollama server with excessive API requests from individual client IP addresses within a short time frame. These attacks aim to exhaust server resources, leading to service degradation or complete unavailability. This behavior is typically associated with automated attacks, botnet activity, or resource exhaustion attempts targeting local AI model infrastructure and can severely impact the availability of Ollama services. Detection relies on analyzing GIN-formatted Ollama server logs to identify clients generating abnormally high request rates. The specific detection logic thresholds need to be tuned based on the environment baselines.
Attack Chain
- Attacker identifies publicly exposed Ollama API endpoint.
- Attacker crafts automated scripts or utilizes botnet to send a high volume of API requests.
- Attacker initiates the attack, flooding the Ollama server with requests from multiple source IPs or a single IP.
- Ollama server logs record each API request, including source IP, timestamp, and endpoint.
- The detection logic analyzes the logs, grouping requests by source IP address within a 5-minute window.
- The detection identifies source IPs exceeding a predefined request threshold (e.g., 120 requests per 5 minutes).
- Alert is triggered, indicating a potential DDoS attack or rate limit abuse from the identified source IP.
- Service degradation or unavailability occurs due to resource exhaustion.
Impact
A successful DDoS or rate limit abuse attack against an Ollama server can lead to significant service disruption. This can result in legitimate users being unable to access AI models, impacting critical workflows reliant on Ollama. The specific impact depends on the scale of the attack and the server's resource capacity. In severe cases, the server may become completely unresponsive, leading to a total outage. The attack can also negatively impact the reputation of the organization hosting the Ollama service.
Recommendation
- Deploy the Sigma rule
Ollama Excessive API Requeststo your SIEM and tune the threshold (request_count > 120) based on your environment's baseline traffic to reduce false positives. - Ingest Ollama logs into your SIEM using the recommended method (Splunk TA-ollama add-on, HTTP Event Collector) to populate the
ollama_servermacro referenced in the provided Sigma rule. - Investigate alerts generated by the Sigma rule
Ollama Excessive API Requeststo identify potentially compromised systems or malicious actors. - Implement rate limiting and request filtering at the network level to mitigate DDoS attacks and prevent abuse, and block malicious IP addresses identified from the SIEM alerts.
Detection coverage 2
Ollama Excessive API Requests
highDetects potential DDoS attacks or rate limit abuse against Ollama API endpoints by identifying excessive request volumes from individual client IP addresses.
Ollama API User Agent Anomaly
mediumDetects potential botnet activity by identifying unusual user agents in Ollama API requests.
Detection queries are available on the platform. Get full rules →