あなたのAI開発環境、もう攻撃者に探されています - ハニーポットで見えたAIインフラへの偵察 Honeypot experiments show that attackers are actively scanning for self-hosted AI infrastr…

As self-hosted AI tooling becomes more accessible, a new and largely overlooked attack surface has emerged. Honeypot experiments conducted by security-aware developers indicate that AI infrastructure—Ollama endpoints, MLflow dashboards, vector databases—is being actively probed by automated scanners and opportunistic attackers. The finding is an uncomfortable reminder that the same ease of deployment that made local LLMs available to a broad developer audience may also be making those environments surprisingly easy for adversaries to locate.

The growth of local AI development stacks over the past two years has been striking. Ollama brought the ability to run LLaMA, Mistral, and other open-weight models to a developer's laptop with a single command. MLflow became a near-default for experiment tracking, and vector stores like Chroma, Qdrant, and Weaviate saw rapid adoption as RAG architectures went mainstream. What ties these tools together—for better and worse—is a design philosophy that prioritizes convenience. Default configurations frequently bind to open network interfaces without authentication, and developers who spin up a quick experiment often never revisit those settings before moving to a shared or cloud environment.

The author of the original article took a hands-on approach to quantifying this risk, deploying honeypots configured to mimic common AI development services and logging all unsolicited traffic. The recorded probes reportedly included requests targeting Ollama's default port (11434) and MLflow's web UI, suggesting that attackers have begun explicitly scanning for these services as part of their reconnaissance playbooks. Attributing intent from scan data alone always requires caution, but the pattern is consistent with a pre-exploitation discovery phase.

The potential motivations behind such scanning are varied. At the opportunistic end, attackers may be hunting for exposed GPU resources to commandeer for cryptomining—a well-documented threat against any accessible compute infrastructure. More targeted actors might be after model weights, seeking to use a compromised AI service as a pivot point for deeper network access, or looking to inject malicious inputs into RAG pipeline components. The relative novelty of these AI-specific attack vectors means many developers simply haven't worked through the threat models yet, which historically makes for attractive targets.

This is not entirely new territory for security researchers. Services like Shodan have long enabled anyone to search the internet for open ports and service banners, and reports of unauthenticated Ollama instances reachable from the public internet surfaced as early as early 2024. What the honeypot framing adds is a sense of active, ongoing demand—evidence not just that exposed services exist, but that someone is systematically searching for them.

The practical mitigations for developers are reasonably straightforward. Ollama can be constrained to a specific interface via the OLLAMA_HOST environment variable and should never be configured to listen on 0.0.0.0 in any networked context. MLflow ships with no authentication layer by default and should be placed behind a reverse proxy with access controls whenever it needs to be reachable over a network. Vector databases like Qdrant and Chroma both offer API key authentication that is frequently left disabled in out-of-the-box configurations; enabling it is a low-effort, high-value step. Network segmentation—keeping AI tooling inside a private subnet or behind a VPN—remains one of the most robust mitigations available.

The broader takeaway is structural. The democratization of AI tooling has moved faster than security awareness in parts of the developer community. As the population of engineers running local LLMs and RAG pipelines expands, the aggregate number of misconfigured, internet-exposed endpoints grows with it. Attackers are typically efficient about exploiting precisely that kind of asymmetry. The fact that a developer took the time to set up honeypots and document this behavior is itself a signal worth taking seriously.