Tom Scholl is very serious about two things: 1) internet security and 2) cats.
It’s internet security that consumes the distinguished engineer’s days at Amazon Web Services (AWS), where he works on the AWS global network backbone and disrupts cyberattacks by tracking illegitimate traffic sources from computer systems around the world.
It’s Scholl’s five cats who, at least in part, have inspired an underground cat culture within dog-obsessed Amazon, along with his daily wardrobe rotation of more than 100 cat T-shirts. (More on this later.)
Scholl’s catlike curiosity fuels his work to keep internet users safe. If something looks awry across the vast number of networks that AWS connects with around the world, Scholl susses out the sources of unusual traffic spikes. And he has a rare vantage point, given that AWS connects with nearly 5,000 networks total, in 184 locations globally, as of March 2024.
Some of these suspicious traffic spikes can be a sign of Internet Protocol (IP) address “spoofing,” where a bad actor will impersonate another computer system’s numeric internet address to launch a hard-to-track cyberattack.
The attacks are a lot like a prank caller ringing a large number of people from a fake caller ID number, fooling them into calling back and overwhelming the line, at a massive scale. An IP spoof can lead to a distributed denial-of-service (DDoS) attack by tricking systems into thinking a deluge of fraudulent traffic is coming from one place, when really it is not. This can cause serious headaches (or worse) when the traffic jams up websites or applications. Depending on the scale, the impact of a DDoS attack on a business could be severe, resulting in the degradation of critical services, loss of productivity, extensive remediation costs, and reputational damage.
“It’s been kind of treated as an unsolvable problem,” Scholl said of this type of cyberattack. “But by working with networks, especially networks that have a large footprint, you can actually dive in and see where a lot of the stuff is coming from.”
Rooting out these bad-acting spoofers can seem like a relentless game of cat-and-mouse at times. But when Scholl plays the role of cat, the mouse gets caught.
The cat-and-mouse chase
That’s what happened last year when Scholl saw an increase of spoofing activity from an external network that AWS directly connects to (known as a “peer network”). Initially, Scholl could only see the surge in spoofed traffic within that network—but this particular peer could not trace the traffic’s origin.
An IP spoofing attack can have many components. But at minimum, an attack typically involves: 1) a bad-acting IP spoofer, 2) a hosting provider where that bad actor is able to set up shop, and 3) an upstream network where spoofing is able to proliferate.
“One of the networks we work with was struggling to find the source of the spoofing, and it looked like more and more booters (on-demand DDoS attack services offered by enterprising criminals) were setting up shop behind them,” Scholl said.
Scholl figured out that the attackers were most likely connected to the peer network from a specific region in Canada based on where traffic was coming from. Even armed with this information, the network had trouble identifying which of its customers was originating the attack. But when Scholl dug into where people were purchasing hosts for spoofing and combined that with network path analysis to narrow the scope to a particular city, he triangulated the likely hosting provider they were using.
It turned out that this single Canadian internet hosting company had a number of attacks coming from its users. Fortunately, once Scholl helped the peer network isolate the provider servicing these bad actors, a firewall filter was applied, cutting off its infrastructure—and the attacks stopped.
As cat-and-mouse pursuits go for Scholl, this was a relatively lengthy chase, lasting more than a month from start to finish. Sometimes his anti-spoofing cases take just minutes to crack, if peer networks are quick to respond. In complicated cases, Scholl might even map out the details of the spoofing sources and related networks with drawings to parse out the complex issues at hand.
Solving a once-impossible problem with sleuthing and diplomacy
Fighting cyberattacks doesn’t always require this kind of high-touch approach. Applications built on AWS benefit from native DDoS protections, and can be designed to be extremely resilient against DDoS attacks using AWS services and security controls.
All internet traffic that moves customers onto the AWS network is scrubbed by AWS Shield (a managed DDoS protection service), which automatically resolves more than 99% of DDoS attacks in the system—thousands on a daily basis. The remaining 1% are remediated by a 24/7 response team.
That’s where Scholl comes in. Experts say his work at AWS has made a dent in a decades-old internet safety issue that affects everyone online.
“Dealing with IP spoofing is a community effort and many people have made a contribution. Tom Scholl has done considerably more than most,” said Dr. Richard Clayton, an academic at the University of Cambridge and founding director of the Cambridge Cybercrime Centre. “For the first time in 20 years, the community has moved the needle in dealing with the spoofing problem and Tom—and AWS—have been a huge part of this success.”
Scholl sees it as his duty to wear many hats. Things can get tricky when hosting companies are reluctant or slow to take action when Scholl identifies spoofed traffic originating from their network. In these scenarios, he plays the role of diplomat and coach, persuading them to do the right thing, sometimes offering technical solutions or connecting them with the right vendors to make it easier to implement a fix.
This strategy is something he started working on in 2021, more than a decade after IP spoofing attacks first spiked. Scholl worked with other network operators who would review weekly reports on unusual traffic spikes that they would then trace to the original—usually fraudulent—source.
“I was like, 'The reports are great, but they’d come out weekly, and I didn’t want to wait until Sunday afternoon to act on it,’ Scholl recalled of the early days of his spoof detection work. “I’ve got the data now. I could just run this every single day, so why wait?”
That daily habit of checking reports and collaborating with other networks, customers, and partners continues to this day.
Keeping the internet safe for grumpy cats (and people) everywhere
Scholl’s hands-on approach to threat intelligence is a novel one, and one that few others dive into with such zeal. He and his team are at the tip of the spear of AWS’s DDoS mitigation efforts, which also include detecting botnets (networks of computers that have been infected by malware) and tracing HTTP request floods via open proxies (a ploy attackers use to hide their true origin), in addition to finding the source of spoofed IP traffic.
He often works from his home office outside Seattle, with one or more of his cats—Piggu, Izzy, Vincent, Theo, Luke—as company.
Scholl’s adjacent obsessions with both customers and cats have manifested in a series of internal cat-themed names for software projects he has worked on during his 13 years at Amazon, all tracked in a “cat-alogue,” of course. Colleagues and family members started giving him cat T-shirts, and his work uniform is now selected daily from his collection of more than 100 of them.
Somewhere along the way, a cat-themed “Meowstanding Award” was created for Amazon employees who demonstrate their ability to model Amazon’s “Be peculiar” mantra. (Yes, Scholl is a recipient.) Years ago, he even asked Amazon’s leaders if they would consider expanding the company’s bring-your-dog-to-work policies to include cats. (No, this did not happen, but Tom still laughs about it now.)
If you think about the large number of famous felines on the internet, and the amount of cat-themed data that must be saved—and secured—in the AWS Cloud, it only makes sense that Scholl would have a keen interest in protecting it all.
“There are a lot of cats on the internet. A lot of cat memes,” Scholl said. “The way I see it, cats and the internet go together.”
Scholl's efforts are just one of the ways AWS safeguards itself, its customers, and the entire internet—often behind the scenes. Read more about how AWS uses threat intelligence to protect customers and partners around the world while raising the bar for cybersecurity globally.