Cloudflare report reveals rising DDoS attacks & API risks

Cloudflare has released its 2024 State of Application Security Report, which highlights several critical challenges faced by application security teams globally.

Cloudflare's report delves into the risks related to supply chain issues, outdated security approaches, and the increasing efficiency of threat actors. It underscores that these security risks often surpass the resources available to dedicated application security teams.

One of the key takeaways from the report is the continued rise in Distributed Denial of Service (DDoS) attacks. DDoS attacks remain the most frequent threat vector targeting web applications and APIs, accounting for 37.1% of all application traffic mitigated by Cloudflare. The sectors most targeted by these attacks include Gaming and Gambling, IT and Internet, Cryptocurrency, Computer Software, and Marketing and Advertising.

Cloudflare's findings point out that the race between defenders and attackers has intensified, particularly evident in the speed at which new zero-day vulnerabilities are being exploited. An alarming example from the report notes that one such vulnerability was exploited a mere 22 minutes after its proof-of-concept (PoC) was published.

Matthew Prince, co-founder and CEO of Cloudflare, commented, "Web Applications are rarely built with security in mind. Yet, we use them daily for all sorts of critical functions, making them a rich target for hackers. Cloudflare's network blocks an average of 209 billion cyber threats for our customers every single day. The layer of security around today's applications has become one of the most essential pieces to making sure the Internet stays secure."

The report also highlights the significant threat posed by bad bots, which make up 31.2% of all traffic, with 93% of these bots classified as unverified and potentially malicious. The top industries targeted by bad bots include Manufacturing and Consumer Goods, Cryptocurrency, Security and Investigations, and the US Federal Government.

Another concerning trend is the outdated approaches that many organisations use to secure their APIs. Traditional web application firewall (WAF) rules, which operate on the assumption that most web traffic is benign, are commonly used to protect API traffic. However, far fewer organisations employ the more robust API security best practice of a positive security model, which strictly defines allowed traffic and rejects the rest.

The dependency on third-party software is also identified as a growing risk. The report states that enterprises typically use an average of 47 pieces of code from third-party providers and establish approximately 50 outbound connections to third-party resources. This includes leveraging services like Google Analytics or Ads. The increased reliance on third-party code and activity loaded in users' browsers exposes organisations to elevated supply chain risks and concerns related to liability and compliance.

The report's methodology is based on aggregated traffic patterns observed from April 1, 2023, to March 31, 2024, across Cloudflare's global network. During this period, Cloudflare mitigated 6.8% of all web application and API traffic, defining mitigated traffic as any traffic that was blocked or served a challenge by the company. The specific threat type and mitigation technique used varied based on factors like the potential security gaps in the applications, the nature of the victim's business, and the attackers' goals.