Top Application Security Mitigations in Q1 2022

In this article, we present some of the best practices to mitigate attacks. We pay special attention to bots and APIs, but you can find broader attack patterns at any time at radar.cloudflare.com.

Looking at global threats, here are Cloudflare’s top mitigation measures used from January 2022 through March 2022 to keep customer sites and applications online and secure.

Figure: Cloudflare's Top Mitigated Traffic Sources (source: Cloudflare)

Looking at each mitigation source individually:

  • 66% were Layer 7 DDoS mitigation. Unsurprisingly, this group is the largest contributor to mitigated HTTP requests. Cloudflare’s Layer 7 DDoS rules are fully managed and require no user configuration; they automatically detect a wide range of HTTP DDoS attacks. Volumetric DDoS attacks, by definition, create a large amount of malicious traffic.
  • 19% were due to custom WAF rules. These are user-configured rules written in Cloudflare’s wirefilter syntax.
  • 10.5% were mitigated by Rate Limiting. Rate Limiting allows customers to define custom thresholds based on their application’s needs. It is often used as an additional layer of protection against traffic patterns that are too low in volume to be detected as a DDoS attack.
  • IP Threat Reputation is exposed in the Cloudflare Dashboard as the security level. Based on the behavior we observe on the network, Cloudflare automatically assigns a threat score to each IP address. When the threat score is above the configured threshold, we challenge the traffic. This accounts for 2.5% of all mitigated HTTP requests.
  • Our managed WAF rules match only on valid malicious payloads. They contribute around 1.5% of all mitigated requests.
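The Rate Limiting point above is worth seeing in code: a per-endpoint threshold catches a client that is far below any volumetric DDoS signal but well above what a legitimate user does. The following is an added example, not Cloudflare's implementation; it is a sliding-window limiter keyed on (client IP, path), replayed over a constructed set of log records with a hypothetical limit of 5 requests per 10 seconds on a login endpoint.

```python
from collections import defaultdict, deque

# Constructed access-log style sample: (unix_time, client_ip, path).
# These records are fabricated for the example and are not Cloudflare data.
# 198.51.100.7 sends 10 login requests in 10 seconds: far below any DDoS
# threshold, but well above what a real user does on a login form.
SAMPLE_REQUESTS = (
    [(1000 + i, "198.51.100.7", "/api/login") for i in range(10)]
    + [(1000, "203.0.113.5", "/api/login"),
       (1002, "203.0.113.5", "/api/products"),
       (1003, "203.0.113.5", "/api/login"),
       (1008, "203.0.113.5", "/api/login")]
)


class SlidingWindowRateLimiter:
    """Allow at most `limit` requests per key within any `window_seconds` span.

    Timestamps of accepted requests are kept per key; rejected requests are
    not recorded, so a client that slows down is admitted again once its
    accepted hits age out (one reasonable design choice among several).
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        """Return True if the request may pass, False if it exceeds the threshold."""
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def apply_rate_limit(requests, limit, window_seconds):
    """Replay requests through the limiter in time order.

    The key is (client IP, path) so the threshold is scoped per endpoint,
    which mirrors how a per-route rate-limiting rule is usually written.
    Returns counts of allowed and blocked requests.
    """
    limiter = SlidingWindowRateLimiter(limit, window_seconds)
    counts = {"allowed": 0, "blocked": 0}
    for ts, ip, path in sorted(requests):
        if limiter.allow((ip, path), ts):
            counts["allowed"] += 1
        else:
            counts["blocked"] += 1
    return counts


if __name__ == "__main__":
    # With limit=5 per 10 s, the first five login attempts from 198.51.100.7
    # pass and the next five are blocked; the other client is untouched.
    print(apply_rate_limit(SAMPLE_REQUESTS, limit=5, window_seconds=10))
```

Keying on the path is what keeps the rule from penalizing the same client's browsing of other endpoints; in practice the key might also include a session or account identifier so that shared NAT addresses are not blocked wholesale.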

Bot traffic insights
Using bot management scoring data, customers gain insight into the automated traffic that might be accessing their applications.

38% of HTTP traffic is automated
During the period analyzed, bot traffic represented around 38% of all HTTP requests. This includes requests from the hundreds of bots tracked by Cloudflare, as well as any request that received a bot score below 30, which indicates a high probability that it is automated.

Overall, when bot traffic matches a security configuration, customers allow 41% of it to pass through to their origins and block only 6.4% of automated requests. The allowed share includes traffic from verified bots such as Googlebot, which benefits site owners and end users alike.

API Traffic Highlights
Because of the underlying format of the data in transit, API traffic tends to be much more structured than that of standard web applications, which has several consequences from a security standpoint. First, structured data often causes web application firewalls (WAFs) to generate a large number of false positives. Second, because APIs are less visible than user-facing applications, many companies end up unknowingly exposing old, unmaintained APIs, often referred to as “shadow APIs.”

Below, we look at some differences in API trends compared to the global traffic stats shown above.

10% of API traffic is mitigated
A good portion of bot traffic accesses API endpoints. API traffic is the fastest growing type of traffic on the Cloudflare network, currently accounting for 55% of all requests.

APIs globally receive more malicious requests compared to standard web applications (10% vs. 8%), which could indicate that attackers are focusing more on APIs for their attack surface than standard web applications.

DDoS mitigation remains the leading source of mitigated events for APIs, accounting for just over 63% of all mitigated requests. More interestingly, custom WAF rules account for 35% compared to 19% when looking at global traffic. To date, customers have been heavily using WAF custom rules to block and validate traffic to API endpoints, although we expect our API Gateway schema validation feature to soon surpass WAF custom rules in terms of mitigated traffic. This is important considering that SQLi is the most common attack vector on API endpoints.
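The two API points made above, that structured data trips signature-based WAF rules into false positives and that schema validation can replace custom rules for blocking malformed API requests, can be shown side by side. What follows is an added example and not Cloudflare's API Gateway or managed-rule code: a toy negative-security signature in the style of a crude SQLi rule next to a small positive-security validator for a hypothetical POST /api/orders schema, run over three constructed request bodies.

```python
import json
import re

# Hypothetical positive-security schema for a POST /api/orders endpoint,
# constructed for this example. Each field lists its expected JSON type and
# simple bounds; any field not declared here is rejected.
ORDER_SCHEMA = {
    "product_id": {"type": int, "min": 1},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note": {"type": str, "max_len": 200},
}
REQUIRED_FIELDS = {"product_id", "quantity"}

# Toy negative-security signature in the style of a crude SQLi WAF rule:
# an SQL keyword followed somewhere by "=" or "--". Constructed for the
# example; it is not a Cloudflare managed rule.
SQLI_SIGNATURE = re.compile(r"\b(select|union|drop|or)\b.*?(=|--)", re.IGNORECASE)


def signature_waf_flags(raw_body):
    """Negative model: True if the raw body matches the signature."""
    return SQLI_SIGNATURE.search(raw_body) is not None


def schema_violations(raw_body):
    """Positive model: list of reasons the body does not conform (empty = OK)."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]

    violations = [f"missing required field {f}"
                  for f in sorted(REQUIRED_FIELDS - body.keys())]
    for field, value in body.items():
        spec = ORDER_SCHEMA.get(field)
        if spec is None:
            violations.append(f"unexpected field {field}")
            continue
        # type() rather than isinstance(): JSON true/false decode to bool,
        # which is a subclass of int and must not pass as an integer.
        if type(value) is not spec["type"]:
            violations.append(f"{field} must be {spec['type'].__name__}")
            continue
        if "min" in spec and value < spec["min"]:
            violations.append(f"{field} below minimum {spec['min']}")
        if "max" in spec and value > spec["max"]:
            violations.append(f"{field} above maximum {spec['max']}")
        if "max_len" in spec and len(value) > spec["max_len"]:
            violations.append(f"{field} longer than {spec['max_len']} characters")
    return violations


# Constructed request bodies for the demonstration.
# Legitimate free text that happens to contain SQL keywords: the signature
# fires (false positive) while the schema accepts it.
LEGIT_BODY = '{"product_id": 42, "quantity": 2, "note": "Drop or select a size -- whichever = medium"}'
# A string where an integer is required: rejected by type alone, no
# signature needed.
TYPE_MISMATCH_BODY = '{"product_id": "42 OR 1=1", "quantity": 1}'
# An undeclared field the signature has no opinion on: only the schema
# rejects it.
EXTRA_FIELD_BODY = '{"product_id": 42, "quantity": 1, "debug": true}'


if __name__ == "__main__":
    for label, body in [("legit", LEGIT_BODY),
                        ("type mismatch", TYPE_MISMATCH_BODY),
                        ("extra field", EXTRA_FIELD_BODY)]:
        print(f"{label:14} signature={signature_waf_flags(body)!s:5} "
              f"schema={schema_violations(body)}")
```

The practical lesson is the one the paragraph makes: on structured API traffic a positive model (declare what is allowed, reject everything else) produces fewer false positives than keyword signatures and also blocks inputs, such as undeclared fields, that no signature would match.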

Get started with attack protection
In the first quarter of this year, governments, companies and individuals suffered cyberattacks of increasing complexity. These mitigation insights underscore the need to find the right way to block attacks without disrupting or slowing down day-to-day business. Learn more about managing your security posture.

About the authors

Michael Tremante is a London-based Product Manager at Cloudflare for WAF (Web Application Firewall). He considers web security and performance to be “nice perks of my job.” He keeps himself busy with side projects at dodify and Spesati, where he is also a sysadmin and front-end developer.

Sabina Zejnilovic is a Cloudflare Data Scientist from Sarajevo, Bosnia and Herzegovina, with both academic and industry experience. She holds a dual-degree doctorate in Electrical and Computer Engineering (ECE) from the Instituto Superior Técnico of the Technical University of Lisbon (IST/UTL) and Carnegie Mellon University (CMU).

David Belson is Director of Data Insight at Cloudflare and has over 25 years of experience in the Internet infrastructure space, including content delivery networks, DNS, and web hosting. He has also been generating thought leadership and garnering media coverage based on Internet monitoring and measurement data for over a decade.