Connect with us

Hi, what are you looking for?


Cloud Security

Inside AWS’s Crusade Against IP Spoofing and DDoS Attacks

SecurityWeek speaks to Tom Scholl, VP and distinguished engineer at AWS, on how the organization tackles IP Spoofing and DDoS attacks.

How AWS disrupts DDoS attacks and is tackling IP Spoofing at the source

Amazon Web Services (AWS) doesn’t seek to simply mitigate DDoS attacks in progress. It takes the additional step of tracking down the source and preventing continuing attacks – and it is having new success against an old problem: IP spoofing.

For the last 20 years, attackers have had a major advantage. IP spoofing allows them to hide the source of the attack. Without knowing the source of the attack, it is difficult to prevent or halt it. Scrubbing stations can be used to sanitize the traffic (filter out false traffic) before it reaches the corporate network and causes harm, but it would be good to stop IP spoofing at its source.

SecurityWeek spoke to Tom Scholl, VP and distinguished engineer at Amazon, on how the organization tackles DDoS attacks to protect itself and its AWS customers. He has been particularly active tackling the IP spoofing problem.

“IP spoofing has been a problem on the internet for several decades,” he told SecurityWeek. “Back in 2000, there was even an RFC best current practice written to stress that networks should implement anti spoofing measures – but there has not been a lot of progress in getting this deployed globally across the internet.”

For the last few years, he has worked with private industry and collaborated with other networks to improve this. “We’ve really been able to move the needle here – we’ve definitely made a difference in disrupting IP spoofing-based attacks in the last few years through our heavy engagement with external networks – teaching them how to use their observability tools better so they can quickly identify and shut down this particular attack type.” The sheer size and global connectivity of AWS, and therefore to global visibility it can bring to bear, is an important part of this.

Tom Scholl, AWS VP and Distinguished Engineer 

The company provides an example in an associated blog, involving an increase in IP spoofed traffic coming from a peer network. “One of the networks we work with was struggling to find the source of the spoofing, and it looked like more and more booters (on-demand DDoS attack services offered by enterprising criminals) were setting up shop behind them,” Scholl explains. He could see the surge from, but not the source within, the peer network.

He analyzed what he could see, and concluded the attackers were likely connected to the peer network from a specific region in Canada. But still the peer network could not identify which of its customers was originating the attack. “When Scholl dug into where people were purchasing hosts for spoofing and combined that with network path analysis to narrow the scope to a particular city, he triangulated the likely hosting provider they were using,” explains the blog.

A single Canadian internet hosting company had a number of its users originating attacks. Once the provider had been isolated, the peer network applied a firewall filter, blocked the ‘rogue’ provider, and the IP spoofing attacks stopped. This incident took more than a month for Scholl to resolve. Other incidents may take just a few minutes. 

Richard Clayton, an academic at the UK’s Cambridge University and a founding director of the Cambridge Cybercrime Centre (CCC), comments “For the first time in 20 years, the community has moved the needle in dealing with the spoofing problem and Tom – and AWS – have been a huge part of this success.” CCC is based at the Cambridge university department of computer science and technology. It seeks to tackle cybercrime through data sharing and collaboration between academia, law enforcement, and private industry.

Advertisement. Scroll to continue reading.

Scholl’s work is driven by the need to protect AWS and AWS customers from DDoS attacks, but doing so helps protect the entire internet. It is the size, reach, and connectivity of AWS that makes this possible and inevitable. By disrupting some of the DDoS infrastructure that threatens AWS, it prevents attacks against non-AWS customers via the same infrastructure. As of March 2024, AWS connects with nearly 5,000 networks in 184 locations.

“We use AWS systems to help parse through some of our network telemetry data, to better identify this attack traffic. It’s the same system we use to defend our own network,” said Scholl. “It comes down to having a large infrastructure and interconnection to many networks that gives us the level of visibility to identify bad traffic and identify where it is coming from. And we can then provide that level of detail to the external networks.”

It’s not just IP spoofing. “We also look at botnets and application-based attacks where we have insights into understanding and tracing back the infrastructure of those attacks. We work against different types of DDoS infrastructure and focus on the takedown and disruption of them. It’s not just IP spoofing, but botnet command and control servers, and application-based attacks that make use of open proxies.”

Of course, preventing attacks at source is only part of the solution – if there is a source, an attack is already in progress. “Any internet traffic that moves onto the AWS network is scrubbed by AWS Shield, which is our managed DDoS Protection Service,” said Scholl. “This mitigates thousands on a daily basis with 99% of those attacks automatically resolved. And the remaining attacks are remediated by a 24/7 response team.”

Related: DDoS Hacktivism is Back With a Geopolitical Vengeance

Related: New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

Related: US Government Issues New DDoS Mitigation Guidance

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights