Top Application Security Mitigations in Q1 of 2022

In this article, we present some best practices to mitigate attacks. We pay special attention to bots and APIs, but you can find broader attack patterns anytime at radar.cloudflare.com.

When looking at global threats, these are the top Cloudflare mitigation measures that were used from January 2022 to March 2022 to keep customer sites and applications online, as well as secure.

Source: Cloudflare

Looking at each mitigation source individually:

  • 66% were Layer 7 DDoS mitigation; unsurprisingly, this group is the largest contributor to mitigated HTTP requests. Cloudflare’s layer 7 DDoS rules are fully managed and do not require user configuration: they automatically detect a vast array of HTTP DDoS attacks. Volumetric DDoS attacks, by definition, create a lot of malicious traffic!
  • 19% were due to Custom WAF Rules. These are user-configured rules defined using Cloudflare’s wirefilter syntax.
  • 10.5% were contributed by Rate Limiting. Rate Limiting allows customers to define custom thresholds based on application preferences. It is often used as an additional layer of protection for applications against traffic patterns that are too low to be detected as a DDoS attack.
  • IP Threat Reputation is exposed in the Cloudflare dashboard as Security Level. Based on behavior we observe across the network, Cloudflare automatically assigns a threat score to each IP address. When the threat score is above the specified threshold, we challenge the traffic. This accounts for 2.5% of all mitigated HTTP requests.
  • Our Managed WAF Rules match only against valid malicious payloads. They contribute to about 1.5% of all mitigated requests.

Bot Traffic Insights
Using Bot Management classification data, customers gain insight into the automated traffic that might be accessing their application.

38% of HTTP Traffic Is Automated
Over the time period analyzed, bot traffic accounted for about 38% of all HTTP requests. This traffic includes bot traffic from hundreds of bots tracked by Cloudflare, as well as any request that received a bot score below 30, indicating a high likelihood that it is automated.

Overall, when bot traffic matches a security configuration, customers allow 41% of bot traffic to pass to their origins, blocking only 6.4% of automated requests. This includes traffic coming from verified bots like Googlebot, which benefit site owners and end users.
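The following is an added example, not code from the article or from Cloudflare: a small Python model of the layering described in the mitigation list above and of the bot-score rule in this section. It classifies constructed request records as automated (verified bot, or bot score below 30, the article's threshold) and attributes each mitigated request to one source in the article's order, then produces the same kind of percentage breakdown. The Security Level and rate-limiting thresholds, the per-request flags, and the sample traffic are all assumptions.

```python
from collections import Counter, namedtuple
BOT_SCORE_AUTOMATED = 30     # from the article: a bot score below 30 means likely automated
THREAT_SCORE_CHALLENGE = 50  # assumed Security Level threshold (a per-zone setting)
RATE_LIMIT_PER_WINDOW = 100  # assumed rate-limiting threshold per client IP

# bot_score: 1..99, lower = more likely automated; verified_bot: e.g. Googlebot;
# threat_score: IP reputation, higher = worse; the three flags are assumed signals
# from the managed L7 DDoS rules, a user-written wirefilter rule, and a managed WAF rule.
Request = namedtuple("Request", "ip bot_score verified_bot threat_score ddos_flag custom_rule managed_waf",
                     defaults=(False, False, False))

def is_automated(r):
    return r.verified_bot or r.bot_score < BOT_SCORE_AUTOMATED

def mitigation_source(r, seen_from_ip):
    # First layer that acts wins (article order); seen_from_ip counts this IP's requests so far.
    if r.ddos_flag:
        return "l7_ddos"
    if r.custom_rule:
        return "custom_waf"
    if seen_from_ip > RATE_LIMIT_PER_WINDOW:
        return "rate_limit"
    if r.threat_score > THREAT_SCORE_CHALLENGE and not r.verified_bot:
        return "ip_reputation"   # served a challenge rather than blocked outright
    if r.managed_waf:
        return "managed_waf"
    return None                  # allowed through to the origin

def summarize(requests):  # article-style breakdown: automated share, and each source's share
    per_ip, by_source, automated = Counter(), Counter(), 0
    for r in requests:
        per_ip[r.ip] += 1
        automated += is_automated(r)
        src = mitigation_source(r, per_ip[r.ip])
        if src:
            by_source[src] += 1
    mitigated = sum(by_source.values())
    return {"total": len(requests), "automated": automated, "mitigated": mitigated,
            "automated_pct": round(100 * automated / len(requests), 1), "by_source": dict(by_source),
            "by_source_pct": {k: round(100 * v / mitigated, 1) for k, v in by_source.items()}}

def sample_requests():  # constructed traffic sample, not real Cloudflare data
    return ([Request("203.0.113.10", 5, False, 10)] * 120                  # scripted API burst
          + [Request("198.51.100.7", 3, False, 10, ddos_flag=True)] * 50    # L7 flood
          + [Request("192.0.2.200", 1, True, 0)] * 10                       # verified crawler
          + [Request("192.0.2.%d" % i, 90, False, 5) for i in range(100)]   # humans
          + [Request("203.0.113.20", 2, False, 10, custom_rule=True)] * 5   # shadow API probe
          + [Request("203.0.113.30", 50, False, 80)] * 5                    # bad IP reputation
          + [Request("203.0.113.40", 40, False, 5, managed_waf=True)] * 2)  # malicious payload
```

Running `summarize(sample_requests())` on this sample reproduces the article's two headline views: the automated share counts verified crawlers as automated but allowed, and the first 100 requests of the scripted burst reach the origin before rate limiting takes over.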

API Traffic Highlights
Due to the underlying format of the data in transit, API traffic tends to be a lot more structured than standard Web applications, causing all sorts of problems from a security standpoint. First, the structured data often causes Web application firewalls (WAFs) to generate a large number of false positives. Second, due to the nature of APIs, they often go unnoticed, and many companies end up exposing old and unmaintained APIs without knowing it; these are often referred to as “shadow APIs.”

Below, we look at some differences in API trends compared to the global traffic insights shown above.

10% of API Traffic Is Mitigated
A good portion of bot traffic is accessing API endpoints. API traffic is the fastest-growing traffic type on the Cloudflare network, currently accounting for 55% of total requests.

APIs globally receive more malicious requests compared to standard Web applications (10% vs. 8%), potentially indicating that attackers are focusing more on APIs for their attack surface as opposed to standard Web apps.

DDoS mitigation is still the top source of mitigated events for APIs, accounting for just over 63% of the total mitigated requests. More interestingly, Custom WAF rules account for 35% compared to 19% when looking at global traffic. Customers have, to date, been heavily using WAF Custom Rules to lock down and validate traffic to API endpoints, although we expect our API Gateway schema validation feature to soon surpass Custom WAF Rules in terms of mitigated traffic. This is important considering SQLi is the most common attack vector on API endpoints.

Start With Attack Protection
In the first quarter of this year, governments, companies, and individuals experienced cyberattacks of increasing complexity. These mitigation insights underline the need to explore the proper way to block attacks without altering or slowing down the business of the day. Learn more about how to manage security posture.

About the Authors


Michael Tremante is a London-based product manager at Cloudflare for WAF (Web application firewall). He considers Web security and performance “nice added perks of my job.” He keeps busy with side projects at dodify and Spesati, where he is also a sys admin and front-end developer.


Sabina Zejnilovic is a Cloudflare Data Scientist from Sarajevo, Bosnia and Herzegovina, with both industry and academic experience. She holds a dual-degree Ph.D. in Electrical and Computer Engineering (ECE) from Instituto Superior Técnico of the Universidade Técnica de Lisboa (IST / UTL) and Carnegie Mellon University (CMU).


David Belson is Head of Data Insight at Cloudflare and has more than 25 years’ experience in the Internet infrastructure space, including Content Delivery Networks, DNS, and Web hosting. He has also been generating thought leadership and earned media coverage based on Internet measurement and monitoring data for over a decade.
