Model weight theft via egress throttling

Anthropic rate-limits cluster egress to make model-weight theft take weeks, not minutes BSides San Francisco
TL;DW
  • Anthropic's egress limiter counts all outbound bytes (including TCP ACKs, DNS, ICMP) and rate-limits them to make model weight theft take days/weeks instead of minutes, creating detection opportunities.
  • Model weights are terabytes of mostly incompressible data; legitimate cluster traffic (metrics, SSH, debugging) is only megabytes per second—this asymmetry is critical to the control's effectiveness.
  • Token bucket rate limiting allows burst traffic during off-peak hours but gradually throttles egress as the bandwidth bucket drains, providing better researcher experience than per-second limits.
  • Tiered enforcement: node-local traffic control handles accidental misconfigurations; perimeter routers (security control) bucket traffic by service type (logging, metrics, blob storage) to prevent one team's overages from impacting others.
  • IAM-enforced bucket boundaries prevent compute clusters from accessing external S3 buckets; proxies allow cross-boundary access only through the egress limiter for auditing and rate limiting.
  • Rollout killed ~98% of egress but took 4–6 months of reclassifying buckets and re-architecting systems; the final 2% (debugging, metrics, SSH) cannot be eliminated without major changes.
  • Research environments have huge attack surface (new dependencies, bleeding-edge stack, frequent vulnerabilities) adjacent to model weights worth hundreds of millions in compute—perimeter controls are necessary as defense-in-depth.
  • Accidentally misconfigured uploads now take days at 128 kbps instead of minutes, triggering alerts that inform researchers they're violating security policy rather than silently failing.
  • Egress limiting is a temporary fallback; long-term strategy is minimizing software touching unencrypted weights and securing that minimal set aggressively via TEEs and confidential compute—changes taking years.
  • Inference clusters also apply egress limiting but count bytes differently and accept additional risk on legitimate token traffic; future work explores subtracting model-generated tokens from egress limits.

By capping outbound bandwidth to ~100 Mbps at perimeter routers with per-service token buckets, Anthropic forces full-weight exfiltration—terabytes—to take weeks under assumed full-cluster compromise. The rollout cut egress 98% while keeping research workflows intact, buying detection time until TEEs and confidential compute mature.