Amazon Web Services (AWS) doesn’t seek to simply mitigate DDoS attacks in progress. It takes the additional step of tracking down the source and preventing continuing attacks – and it is having new success against an old problem: IP spoofing.
For the last 20 years, attackers have had a major advantage. IP spoofing allows them to hide the source of the attack. Without knowing the source of the attack, it is difficult to prevent or halt it. Scrubbing stations can be used to sanitize the traffic (filter out false traffic) before it reaches the corporate network and causes harm, but it would be good to stop IP spoofing at its source.
SecurityWeek spoke to Tom Scholl, VP and distinguished engineer at Amazon, on how the organization tackles DDoS attacks to protect itself and its AWS customers. He has been particularly active tackling the IP spoofing problem.
“IP spoofing has been a problem on the internet for several decades,” he told SecurityWeek. “Back in 2000, there was even an RFC best current practice written to stress that networks should implement anti spoofing measures – but there has not been a lot of progress in getting this deployed globally across the internet.”
For the last few years, he has worked with private industry and collaborated with other networks to improve this. “We’ve really been able to move the needle here – we’ve definitely made a difference in disrupting IP spoofing-based attacks in the last few years through our heavy engagement with external networks – teaching them how to use their observability tools better so they can quickly identify and shut down this particular attack type.” The sheer size and global connectivity of AWS, and therefore to global visibility it can bring to bear, is an important part of this.
The company provides an example in an associated blog, involving an increase in IP spoofed traffic coming from a peer network. “One of the networks we work with was struggling to find the source of the spoofing, and it looked like more and more booters (on-demand DDoS attack services offered by enterprising criminals) were setting up shop behind them,” Scholl explains. He could see the surge from, but not the source within, the peer network.
He analyzed what he could see, and concluded the attackers were likely connected to the peer network from a specific region in Canada. But still the peer network could not identify which of its customers was originating the attack. “When Scholl dug into where people were purchasing hosts for spoofing and combined that with network path analysis to narrow the scope to a particular city, he triangulated the likely hosting provider they were using,” explains the blog.
A single Canadian internet hosting company had a number of its users originating attacks. Once the provider had been isolated, the peer network applied a firewall filter, blocked the ‘rogue’ provider, and the IP spoofing attacks stopped. This incident took more than a month for Scholl to resolve. Other incidents may take just a few minutes.
Richard Clayton, an academic at the UK’s Cambridge University and a founding director of the Cambridge Cybercrime Centre (CCC), comments “For the first time in 20 years, the community has moved the needle in dealing with the spoofing problem and Tom – and AWS – have been a huge part of this success.” CCC is based at the Cambridge university department of computer science and technology. It seeks to tackle cybercrime through data sharing and collaboration between academia, law enforcement, and private industry.
Scholl’s work is driven by the need to protect AWS and AWS customers from DDoS attacks, but doing so helps protect the entire internet. It is the size, reach, and connectivity of AWS that makes this possible and inevitable. By disrupting some of the DDoS infrastructure that threatens AWS, it prevents attacks against non-AWS customers via the same infrastructure. As of March 2024, AWS connects with nearly 5,000 networks in 184 locations.
“We use AWS systems to help parse through some of our network telemetry data, to better identify this attack traffic. It’s the same system we use to defend our own network,” said Scholl. “It comes down to having a large infrastructure and interconnection to many networks that gives us the level of visibility to identify bad traffic and identify where it is coming from. And we can then provide that level of detail to the external networks.”
It’s not just IP spoofing. “We also look at botnets and application-based attacks where we have insights into understanding and tracing back the infrastructure of those attacks. We work against different types of DDoS infrastructure and focus on the takedown and disruption of them. It’s not just IP spoofing, but botnet command and control servers, and application-based attacks that make use of open proxies.”
Of course, preventing attacks at source is only part of the solution – if there is a source, an attack is already in progress. “Any internet traffic that moves onto the AWS network is scrubbed by AWS Shield, which is our managed DDoS Protection Service,” said Scholl. “This mitigates thousands on a daily basis with 99% of those attacks automatically resolved. And the remaining attacks are remediated by a 24/7 response team.”
Related: DDoS Hacktivism is Back With a Geopolitical Vengeance
Related: New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset