In this article, we outline some best practices for mitigating attacks. We pay special attention to bots and APIs, but you can find broader attack patterns at any time on radar.cloudflare.com.
Looking at global traffic, these are the top Cloudflare mitigations applied from January 2022 through March 2022 to keep customer sites and applications online and safe.
Looking at each source of mitigation individually:
- 66% were Layer 7 DDoS mitigation; unsurprisingly, this group is the biggest contributor to mitigated HTTP requests. Cloudflare’s Layer 7 DDoS rules are fully managed and require no user configuration: they automatically detect a wide range of HTTP DDoS attacks. Volumetric DDoS attacks, by definition, create a lot of malicious traffic!
- 19% was due to custom WAF rules. These are user-configured rules defined using Cloudflare’s wirefilter syntax.
- 10.5% was contributed by Rate Limiting. Rate limiting allows customers to set custom thresholds based on application preferences. It is often used as an additional layer of protection for applications against traffic patterns too low in volume to be detected as a DDoS attack.
- IP Threat Reputation is exposed in the Cloudflare Dashboard as a Security Level. Based on the behavior we observe on the network, Cloudflare automatically assigns a threat score to each IP address. When the threat score is above the specified threshold, we challenge the traffic. This represents 2.5% of all mitigated HTTP requests.
- Our managed WAF rules only match valid malicious payloads. They contribute about 1.5% of all mitigated requests.
Bot traffic information
Using Bot management classification data, customers gain insight into the automated traffic likely to access their application.
38% of HTTP traffic is automated
During the time period analyzed, bot traffic accounted for approximately 38% of all HTTP requests. This traffic includes bot traffic from hundreds of bots tracked by Cloudflare, as well as any request that received a bot score below 30, indicating a high likelihood of being automated.
Overall, when bot traffic matches a security configuration, customers allow 41% of bot traffic to pass to their origins, blocking only 6.4% of automated requests. This includes traffic from verified bots like Googlebot, which benefits site owners and end users.
API Traffic Highlights
Due to the underlying format of the data in transit, API traffic tends to be much more structured than standard web applications, which leads to all sorts of issues from a security perspective. First, structured data often causes web application firewalls (WAFs) to generate a large number of false positives. Second, due to the nature of APIs, they often go unnoticed and many companies end up unknowingly exposing old and unmaintained APIs, often referred to as “ghost APIs”.
Below, we look at some differences in API trends from the global traffic insights presented above.
10% of API traffic is mitigated
Much of the traffic from bots goes to API endpoints. API traffic is the fastest growing type of traffic on the Cloudflare network, currently accounting for 55% of total requests.
APIs receive more malicious requests overall compared to standard web applications (10% vs. 8%), potentially indicating that attackers are focusing more on APIs for their attack surface than standard web applications.
DDoS mitigation remains the top source of mitigated events for APIs, accounting for just over 63% of total mitigated requests. More interestingly, custom WAF rules account for 35% versus 19% when looking at global traffic. To date, customers have used custom WAF rules extensively to lock down and validate traffic to API endpoints, although we expect our API Gateway schema validation feature to soon exceed custom WAF rules in terms of mitigated traffic. This is important given that SQLi is the most common attack vector on API endpoints.
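A positive-security-model validator of the kind the schema-validation approach above relies on, written as an added example (not Cloudflare's API Gateway code); the two endpoints, the schema and the request bodies are constructed here. It shows why type and shape enforcement rejects an injection-style string in an integer field without any attack signature, and flags requests to undeclared paths, which is how the ghost-API problem from the API section surfaces.

```python
import json
import re

# Constructed schema (not Cloudflare's): the only endpoints this service declares.
# A "{name}" path segment is an integer path parameter; the field list is exhaustive.
API_SCHEMA = {
    ("POST", "/api/v1/orders"): {
        "sku": {"type": str, "pattern": r"[A-Z0-9-]{3,20}"},
        "quantity": {"type": int, "min": 1, "max": 100},
    },
    ("GET", "/api/v1/orders/{id}"): {},
}


def match_endpoint(method, path):
    """Return the declared (method, template) for a request path, else None."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    for m, template in API_SCHEMA:
        tparts = template.strip("/").split("/")
        if m == method and len(tparts) == len(parts) and all(
            (t.startswith("{") and p.isdigit()) or t == p
            for t, p in zip(tparts, parts)
        ):
            return m, template
    return None


def validate_request(method, path, body=""):
    """Positive model: accept only what the schema declares; return (ok, reason)."""
    key = match_endpoint(method, path)
    if key is None:
        return False, "undeclared endpoint"  # unknown surface: candidate ghost API
    schema = API_SCHEMA[key]
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return False, "body is not valid JSON"
    if not isinstance(data, dict):
        return False, "body must be a JSON object"
    if set(data) - set(schema):
        return False, f"unexpected field(s): {sorted(set(data) - set(schema))}"
    for name, rule in schema.items():
        if name not in data:
            return False, "missing field: " + name
        value = data[name]
        if type(value) is not rule["type"]:  # exact type: bool is not accepted as int
            return False, f"{name}: expected {rule['type'].__name__}"
        if rule["type"] is str and not re.fullmatch(rule["pattern"], value):
            return False, name + ": does not match allowed pattern"
        if rule["type"] is int and not rule["min"] <= value <= rule["max"]:
            return False, name + ": out of range"
    return True, "ok"
```

Logging the rejection reasons from a validator like this is also a cheap inventory tool: a steady stream of "undeclared endpoint" hits against a live host is the signal that an old API is still being served.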
Start with attack protection
During the first quarter of this year, governments, businesses and individuals faced cyberattacks of increasing complexity. This mitigation information underscores the need to explore the right way to block attacks without impairing or slowing down day-to-day activities. Learn more about security posture management.
About the authors
Michael Tremante is a London-based Product Manager at Cloudflare for WAF (Web Application Firewall). He considers web security and performance to be “nice extra perks of my job.” He takes care of side projects at dodify and Spesati, where he is also a system administrator and front-end developer.
Sabina Zejnilovic is a Cloudflare data scientist from Sarajevo, Bosnia and Herzegovina, with industry and academic experience. She holds a double-degree doctorate in Electrical and Computer Engineering (ECE) from the Instituto Superior Técnico of the Universidade Técnica de Lisboa (IST/UTL) and Carnegie Mellon University (CMU).
David Belson is Head of Data Insight at Cloudflare and has over 25 years of experience in Internet infrastructure, including Content Delivery Networks, DNS, and Web Hosting. He has also generated thought leadership and garnered media coverage based on Internet measurement and monitoring data for over a decade.