Customer-configured rules are now the biggest contributor to mitigated traffic as organizations adopt web application firewalls (WAFs) and improve at configuring/locking down their applications. That’s according to Cloudflare’s Application Security Report: Q2 2023, based on HTTP traffic observed by the firm between April and June. The research also found that CVEs dating back almost a decade are still being widely exploited to compromise machines that may be unpatched and running vulnerable software, while HTTP anomalies are the most common attack vector on API endpoints.
Application owners relying on geolocation blocks
Over the course of the last two quarters, Cloudflare has observed WAF-mitigated traffic surpassing DDoS mitigation, with the former now accounting for approximately 57% of all mitigations. Most of this increase has been driven by WAF custom rule blocks rather than WAF managed rules, indicating that these mitigations are generated by customer-configured rules for business logic or related purposes, according to the firm. Organizations are also adopting positive security models by allowing known good traffic as opposed to blocking only known bad traffic, according to Cloudflare.
Upon reviewing rule field usage across WAF custom rules, Cloudflare found that application owners are increasingly relying on geolocation blocks. In fact, 40% of all deployed WAF custom rules use geolocation-related fields to make decisions on how to treat traffic. While geolocation controls are unlikely to stop a sophisticated attacker, they are efficient at reducing the attack surface, Cloudflare noted. Another notable observation is the usage of bot management-related fields in 11% of WAF custom rules, a trend steadily increasing over time as more customers adopt machine learning-based classification strategies to protect their applications, the firm said.
Old CVEs still widely exploited, API traffic continues to grow
HTTP anomaly is the most common attack category blocked by WAF managed rules, contributing 32% of WAF managed rules mitigated traffic overall, according to the research. SQLi moved up to second position (13%), surpassing directory traversal (10%). Furthermore, old CVEs are still being exploited en masse, with Log4J and Atlassian Confluence code injection responsible for the vast majority of attack traffic seen, Cloudflare said.
Filtering on denial of service (DoS) blocking, the firm found that most mitigated traffic is attributable to one rule: 100031/ce02fd. This rule has a description of Microsoft IIS – DoS, Anomaly:Header:Range – CVE:CVE-2015-1635 and pertains to a CVE dating back to 2015 that affected a number of Microsoft Windows components resulting in remote code execution.
Cloudflare observed a continued growth in API traffic, with 58% of total dynamic traffic classified as API related, a 3% increase compared to Q1. What’s more, 65% of global API traffic is generated by browsers, the report said. Meanwhile, HTTP anomalies remain the most common attack vector on API endpoints (64%), followed by SQLi injection attacks (11%) and XSS attacks (9%).