UPDATED 20:28 EST / SEPTEMBER 28 2023

SECURITY

AWS reveals details of ‘MadPot’ tools used to thwart thousands of cyberattacks

Amazon Web Services Inc. today provided details of a previously undisclosed suite of tools, known internally as “MadPot,” that the company is using to detect and successfully thwart thousands of cyberattacks.

MadPot has its origins in the late 2010s and uses intelligence gathered from a vast array of sensors deployed across AWS infrastructure. It monitors and analyzes potential threat interactions in real time to ensure the safety and integrity of its network and its customers. The service was built to accomplish two things: discover and monitor threat activities, and disrupt harmful activities whenever possible to protect AWS customers and others.

According to Mark Ryland, director at the Office of the CISO at AWS, MadPot has grown to become a sophisticated system of monitoring sensors and automated response capabilities. The sensors are said to observe more than 100 million potential threat interactions and probes every day, with about 500,000 of those observed activities advancing to the point where they can be classified as malicious.

The threat intelligence data is ingested, correlated and analyzed by MadPot to deliver actionable insights about potentially harmful activity happening across the internet. The service also includes response capabilities to automatically protect the AWS network from identified threats and generate outbound communications to other companies whose infrastructure is being used for malicious activities.

Any service or toolset from any company is only as good as its results, and MadPot’s results are objectively impressive. According to Ryland, MadPot has been instrumental in identifying and neutralizing myriad cyberthreats.

In one such example, MadPot detected and analyzed a distributed denial of service botnet using a specific domain for command and control. It mapped out the threat, identified the IP addresses used by the servers, and coordinated with relevant hosting entities to neutralize the threat swiftly, the company said. MadPot has also identified the activities of the notorious Sandworm threat group, leading to timely mitigation actions.

Another MadPot achievement was the identification of Volt Typhoon, an allegedly Chinese state-sponsored threat actor that first emerged in May. Through investigation, MadPot identified unique signatures linked to this group’s activities, aiding the U.S. government’s cybersecurity advisory efforts.

In the first quarter of the year, MadPot processed 5.5 billion signals from internet threat sensors and 1.5 billion signals from AWS active network probes, and managed to stop 1.3 million bot-driven distributed denial of service attacks. The data gathered from MadPot, including nearly 1,000 command-and-control botnet hosts, were shared with relevant hosting providers and domain registrars.

Image: AWS
