Model weight theft via egress throttling
Anthropic rate-limits cluster egress to make model-weight theft take weeks, not minutes BSides San FranciscoTL;DW
- Anthropic's egress limiter counts all outbound bytes (including TCP ACKs, DNS, ICMP) and rate-limits them to make model weight theft take days/weeks instead of minutes, creating detection opportunities.
- Model weights are terabytes of mostly incompressible data; legitimate cluster traffic (metrics, SSH, debugging) is only megabytes per second—this asymmetry is critical to the control's effectiveness.
- Token bucket rate limiting allows burst traffic during off-peak hours but gradually throttles egress as the bandwidth bucket drains, providing better researcher experience than per-second limits.
- Tiered enforcement: node-local traffic control handles accidental misconfigurations; perimeter routers (security control) bucket traffic by service type (logging, metrics, blob storage) to prevent one team's overages from impacting others.
- IAM-enforced bucket boundaries prevent compute clusters from accessing external S3 buckets; proxies allow cross-boundary access only through the egress limiter for auditing and rate limiting.
- Rollout killed ~98% of egress but took 4–6 months of reclassifying buckets and re-architecting systems; the final 2% (debugging, metrics, SSH) cannot be eliminated without major changes.
- Research environments have huge attack surface (new dependencies, bleeding-edge stack, frequent vulnerabilities) adjacent to model weights worth hundreds of millions in compute—perimeter controls are necessary as defense-in-depth.
- Accidentally misconfigured uploads now take days at 128 kbps instead of minutes, triggering alerts that inform researchers they're violating security policy rather than silently failing.
- Egress limiting is a temporary fallback; long-term strategy is minimizing software touching unencrypted weights and securing that minimal set aggressively via TEEs and confidential compute—changes taking years.
- Inference clusters also apply egress limiting but count bytes differently and accept additional risk on legitimate token traffic; future work explores subtracting model-generated tokens from egress limits.
TL;DW
- Anthropic's egress limiter counts all outbound bytes (including TCP ACKs, DNS, ICMP) and rate-limits them to make model weight theft take days/weeks instead of minutes, creating detection opportunities.
- Model weights are terabytes of mostly incompressible data; legitimate cluster traffic (metrics, SSH, debugging) is only megabytes per second—this asymmetry is critical to the control's effectiveness.
- Token bucket rate limiting allows burst traffic during off-peak hours but gradually throttles egress as the bandwidth bucket drains, providing better researcher experience than per-second limits.
- Tiered enforcement: node-local traffic control handles accidental misconfigurations; perimeter routers (security control) bucket traffic by service type (logging, metrics, blob storage) to prevent one team's overages from impacting others.
- IAM-enforced bucket boundaries prevent compute clusters from accessing external S3 buckets; proxies allow cross-boundary access only through the egress limiter for auditing and rate limiting.
- Rollout killed ~98% of egress but took 4–6 months of reclassifying buckets and re-architecting systems; the final 2% (debugging, metrics, SSH) cannot be eliminated without major changes.
- Research environments have huge attack surface (new dependencies, bleeding-edge stack, frequent vulnerabilities) adjacent to model weights worth hundreds of millions in compute—perimeter controls are necessary as defense-in-depth.
- Accidentally misconfigured uploads now take days at 128 kbps instead of minutes, triggering alerts that inform researchers they're violating security policy rather than silently failing.
- Egress limiting is a temporary fallback; long-term strategy is minimizing software touching unencrypted weights and securing that minimal set aggressively via TEEs and confidential compute—changes taking years.
- Inference clusters also apply egress limiting but count bytes differently and accept additional risk on legitimate token traffic; future work explores subtracting model-generated tokens from egress limits.
By capping outbound bandwidth to ~100 Mbps at perimeter routers with per-service token buckets, Anthropic forces full-weight exfiltration—terabytes—to take weeks under assumed full-cluster compromise. The rollout cut egress 98% while keeping research workflows intact, buying detection time until TEEs and confidential compute mature.
