Nearly 7% of all internet traffic is malicious, says Cloudflare

Volume and scale of DDoS attacks ‘vast’

Image: Shutterstock

Cloudflare has released its latest State of Application Security Report and it makes for grim reading.

Cloudflare is a large content delivery network and security company with visibility into the volume, velocity and variety of vast quantities of internet traffic. The patterns in this aggregated traffic are what provide the insights for the State of Application Security Report.

The findings, whilst not exactly cheering, are not unexpected. Cloudflare mitigated 6.8% of all web application traffic during the data collection period (31 March 2023 to 1 April 2024). DDoS attacks, which remain one of the most common attacks against web applications, comprised 37.1% of all application-layer traffic mitigated by the company.

The 6.8% figure is an increase on the previous year, when the proportion stood at 6%. "Mitigated" here means requests on which Cloudflare's controls (DDoS protection, WAF rules, bot management, rate limiting) applied a terminating action such as block or challenge, so it is an operational proxy for malicious traffic rather than a count of confirmed attacks. Whilst the report avoids speculation on the causes of this clear upward trend in malicious activity, it does note spikes in activity that correlate closely with geopolitical events and tensions.

For example, Cloudflare observed a 466% increase in DDoS attacks on Sweden after its acceptance to the NATO alliance on March 7, 2024. This mirrored the DDoS pattern observed during Finland's NATO acceptance in 2023.

More generally, the scale of DDoS attacks is vast. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated for the whole of the previous year.

In October 2023, Cloudflare mitigated a hyper-volumetric DDoS attack that peaked at 201 million requests per second (rps), three times larger than any attack it had previously observed. Google Cloud reported the same attack campaign, peaking at 398 million rps on its network. Both vendors attributed the record to the HTTP/2 Rapid Reset technique, which abuses rapid stream cancellation to multiply the request rate a single connection can generate. For comparison, Google Cloud said in a blog post that it saw more requests in two minutes than Wikipedia received during the whole of September 2023.

Also of concern is the finding that the volume of zero-day threats has increased. More than 5,000 CVEs were disclosed in 2023, but the mean time to release a patch for what Cloudflare classifies as critical-severity web application vulnerabilities was 35 days.

New vulnerabilities are exploited very fast. In one case, attackers attempted to exploit a JetBrains TeamCity authentication bypass a mere 22 minutes after proof-of-concept code was published. A window that short is well inside any realistic patch cycle, so reducing exposure (not publishing admin interfaces to the internet) and virtual patching at the WAF are what cover the gap until the vendor fix is deployed.

Having said that, Cloudflare notes that attackers still target older, known vulnerabilities, knowing just how slowly many organisations (many of which operate national critical infrastructure) apply security patches.

The report also highlights the growing incidence of shadow APIs. Cloudflare's machine learning-based discovery found around 33% more API endpoints than customers had identified themselves, that is, endpoints serving live traffic that the owning organisation had not inventoried. Further, API traffic now constitutes 58% of the dynamic internet traffic processed by Cloudflare. It doesn't take a cybersecurity specialist to identify an accident waiting to happen.
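One way to measure that gap yourself, as an added example that is not from the report or from Cloudflare's tooling: compare a declared endpoint inventory (what an OpenAPI spec or a WAF's known-endpoints list would contain) against the endpoints actually seen in access logs, collapsing variable path segments such as numeric IDs and UUIDs into templates so that `/users/1042` and `/users/7` count as one endpoint. The inventory, the log lines and the `/api/` prefix convention below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample inventory: six endpoints the organisation believes it exposes.
DECLARED_ENDPOINTS = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("PUT", "/api/v1/users/{id}"),
    ("GET", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/products/{id}"),
}

# Constructed sample access log (common log format); not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [01/Apr/2024:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
203.0.113.7 - - [01/Apr/2024:10:00:02 +0000] "POST /api/v1/users HTTP/1.1" 201 88
198.51.100.3 - - [01/Apr/2024:10:00:03 +0000] "GET /api/v1/orders?page=2 HTTP/1.1" 200 2048
198.51.100.3 - - [01/Apr/2024:10:00:04 +0000] "GET /api/v1/orders/7 HTTP/1.1" 200 301
198.51.100.3 - - [01/Apr/2024:10:00:05 +0000] "GET /api/v1/orders/7/export HTTP/1.1" 200 9031
198.51.100.3 - - [01/Apr/2024:10:00:06 +0000] "GET /api/v1/orders/9/export HTTP/1.1" 200 8870
192.0.2.9 - - [01/Apr/2024:10:00:07 +0000] "GET /api/internal/debug/3fa85f64-5717-4562-b3fc-2c963f66afa6 HTTP/1.1" 200 44
192.0.2.9 - - [01/Apr/2024:10:00:08 +0000] "GET /static/app.js HTTP/1.1" 200 10240
"""

# Method and path from the quoted request line; the path stops at '?' so query strings are dropped.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?]+)[^"]*"')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize_path(path):
    """Collapse variable segments (numeric IDs, UUIDs) into '{id}' so that
    concrete URLs map onto the endpoint template they belong to."""
    parts = []
    for seg in path.strip("/").split("/"):
        parts.append("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg)
    return "/" + "/".join(parts)


def discover_endpoints(log_text, api_prefix="/api/"):
    """Return a Counter of (method, template) observed under api_prefix.
    Static assets and anything outside the prefix are ignored."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(api_prefix):
            continue
        seen[(m.group("method"), normalize_path(m.group("path")))] += 1
    return seen


def shadow_api_report(declared, log_text):
    """Shadow endpoints are observed but undeclared; dormant ones are declared
    but never seen. gap_pct expresses the shadow count against the inventory,
    the same kind of ratio the report quotes."""
    observed = discover_endpoints(log_text)
    shadow = {ep: n for ep, n in observed.items() if ep not in declared}
    dormant = declared - set(observed)
    gap_pct = 100.0 * len(shadow) / len(declared) if declared else 0.0
    return {"observed": observed, "shadow": shadow, "dormant": dormant, "gap_pct": gap_pct}


if __name__ == "__main__":
    report = shadow_api_report(DECLARED_ENDPOINTS, ACCESS_LOG)
    for (method, tmpl), n in sorted(report["shadow"].items()):
        print(f"SHADOW  {method:6} {tmpl}  ({n} requests)")
    for method, tmpl in sorted(report["dormant"]):
        print(f"DORMANT {method:6} {tmpl}")
    print(f"{len(report['shadow'])} undocumented endpoints, "
          f"{report['gap_pct']:.0f}% of the declared inventory")
```

On the constructed log this flags two undocumented endpoints (an order export route and an internal debug route), a 33% gap against a six-endpoint inventory, and two declared endpoints that never receive traffic. In production the normalisation rules and the prefix filter need tuning per application, and the discovered set should be keyed by host as well as path, but the comparison itself is the whole technique: an endpoint that serves traffic and is absent from the inventory has no owner, no schema and usually no WAF policy.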