Security issue: Attackers Scanning Runpod pods?
Hello, over the past month or so, I have been noticing that whenever I spin up a new pod, I instantly start seeing these pings:
INFO: Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
INFO: 100.64.0.33:33194 - "GET /v1/models HTTP/1.1" 200 OK
ERROR 01-10 08:39:01 serving_chat.py:114] Error with model object='error' message='The model vllm-vl does not exist.' type='NotFoundError' param=None code=404
INFO: 100.64.0.32:51002 - "POST /v1/chat/completions HTTP/1.1" 404 Not Found
INFO: 100.64.0.35:50500 - "GET /v1/models HTTP/1.1" 200 OK
ERROR 01-10 08:39:11 serving_chat.py:114] Error with model object='error' message='The model vllm-vl does not exist.' type='NotFoundError' param=None code=404
INFO: 100.64.0.35:50500 - "POST /v1/chat/completions HTTP/1.1" 404 Not Found
INFO: 100.64.0.33:49030 - "GET /v1/models HTTP/1.1" 200 OK
ERROR 01-10 08:39:26 serving_chat.py:114] Error with model object='error' message='The model vllm-vl does not exist.' type='NotFoundError' param=None code=404
Where "vllm-vl" is the name of my template and therefore the name of my pod.
I am not pinging this server; it happens nearly immediately after I spin it up.
My guess about what is happening is that attackers are identifying new Runpod pod IDs on the public registry. They can then assume that a fair number of these servers are running vllm, sglang, or tgi. They then "guess" how to make an API call to the endpoint by using the pod name (not exactly sure how they get this) as the model name. Many templates simply have the model name as the template name, so this is a fair assumption. They can then use this process to get free LLM calls on the community's pods.
It is either that, or there is some internal runpod test happening.
Has anyone else experienced this?
What I am also confused by is that I thought you had to pass your Runpod API key to be able to access these servers, but that definitely isn't the case. I can easily run inference on my servers without passing my key, with an empty bearer token.
@thanatos121.
The thread has been escalated to Zendesk!
No, what you're guessing is true for serverless, but in pods you have to make your own auth in your application for inference (e.g. vllm, sglang).
That's weird, yeah. It's coming from internal. Are you using secure cloud or community cloud? If secure cloud, in what region too?
Secure cloud only. I set it to ANY region. But it happens very consistently. I will spin one up and let you know which region it is in
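For anyone triaging the same pattern, the following added example (not code from the thread, Runpod, or vLLM) parses Uvicorn access-log lines in the format posted above and separates calls that reached the API handlers from calls that were rejected. The event names, the grouping of 100.64.0.0/10 peers into one bucket, the reading of 401/403 as an auth layer rejecting the call, and the sample lines (including the 203.0.113.7 documentation address) are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Uvicorn access-log line in the format shown in the post.
ACCESS = re.compile(r'INFO:\s+(?P<ip>[\d.]+):\d+ - "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, not publicly routable
INFERENCE = ("/v1/chat/completions", "/v1/completions")
# Status of an inference POST -> what it says about how far the call got.
OUTCOME = {200: "inference_served", 404: "inference_bad_model",
           401: "inference_denied", 403: "inference_denied"}

def classify(line):
    """Return (source_bucket, event) for an access-log line, else None."""
    m = ACCESS.search(line)
    if not m:
        return None  # vLLM ERROR lines, wrapped fragments, startup banner
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # digits and dots that are not a valid IPv4 address
    # The post's log shows the peer address changing between the GET and the
    # POST, so shared-range peers are grouped rather than keyed per address.
    bucket = "shared-range" if ip in SHARED else str(ip)
    status = int(m["status"])
    if m["method"] == "GET" and m["path"] == "/v1/models":
        return bucket, "models_listed" if status == 200 else "models_denied"
    if m["method"] == "POST" and m["path"] in INFERENCE:
        return bucket, OUTCOME.get(status, "inference_other")
    return bucket, "other"

def report(lines):
    """Count (source_bucket, event) pairs across the log."""
    return Counter(c for c in map(classify, lines) if c)

def handled(lines):
    """Requests that reached the API handlers (listing, model lookup, completion)."""
    reached = {"models_listed", "inference_bad_model", "inference_served"}
    return sum(n for (_, event), n in report(lines).items() if event in reached)

# Constructed sample modelled on the log in the post (not captured data).
SAMPLE = [
    'INFO: 100.64.0.33:33194 - "GET /v1/models HTTP/1.1" 200 OK',
    "ERROR 01-10 08:39:01 serving_chat.py:114] Error with model object='error'",
    'INFO: 100.64.0.32:51002 - "POST /v1/chat/completions HTTP/1.1" 404 Not Found',
    'INFO: 100.64.0.35:50500 - "POST /v1/chat/completions HTTP/1.1" 401 Unauthorized',
    'INFO: 203.0.113.7:40000 - "POST /v1/chat/completions HTTP/1.1" 200 OK',
]
```

A non-zero `handled()` count for traffic you did not send means the port is answering callers other than you; a 404 on the chat endpoint still counts, because the request got as far as model lookup and only the model name was wrong.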