As the security landscape continues to evolve, so do the threats that businesses face online. Cloudflare's Application Security Report 2024 provides a comprehensive update on the latest trends in internet application security, offering key insights into the growing complexities of cyber threats. Here, we will dive into three critical insights: the rise in DDoS attacks, the prevalence of bot traffic, and the security risks associated with third-party scripts in enterprise applications.
The Changing Landscape of Cybersecurity: Insights from Cloudflare's 2024 Reports
Surge in DDoS Attacks
One of the most striking findings in the report is the significant increase in Distributed Denial of Service (DDoS) attacks. In the first quarter of 2024 alone, Cloudflare mitigated 4.5 million unique DDoS attacks, a figure equal to 32% of all the DDoS attacks it mitigated in 2023. Notably, application-layer HTTP DDoS attacks surged by 93% year-over-year. These attacks are growing in both sophistication and volume: the largest recorded attack peaked at 201 million requests per second and exploited a vulnerability in the HTTP/2 protocol.
DDoS attacks are often politically motivated or financially driven. For example, there was a 466% increase in DDoS attacks on Sweden following its acceptance into NATO in March 2024. The gaming and gambling sectors, along with internet technology companies and cryptomining, are the most targeted by these attacks.
Most Attacked Industries
It will be no surprise that the Information Technology & Services industry was the most targeted by DDoS attacks. This ranking considers the total volume and relative attack traffic for both HTTP and network-layer DDoS attacks. The Telecommunications, Service Providers, and Carrier sectors followed closely, tying for second place, while the Consumer Goods industry ranked third. These rankings show that every industry faces cyber threats and that no organization can afford to ignore information security.
Figure 1: 15 most attacked industries in 2024 Q2
The Role of Bot Traffic
Bots make up a substantial portion of internet traffic, with 31.2% of all application traffic being bot-related. While some bots perform legitimate functions, such as search engine indexing and customer service, a staggering 93% of bot traffic is unverified and potentially malicious. These bots are often used for activities like inventory hoarding, price scraping, and launching DDoS attacks.
Figure 2: Industries with the highest median daily share of bot traffic
The Risks of Third-Party Scripts in Enterprise Applications
Modern web applications almost always rely on third-party scripts to enhance functionality and speed up development. However, this dependency introduces significant security risks. An average enterprise application uses 47 third-party scripts. Some of these scripts are loaded directly by the end-user's browser, meaning organizations have limited control over them. Popular third-party scripts come from providers like Google, Meta, and Microsoft. Cookies set by third parties are likewise controlled by those third parties; web scanning tools such as Qualys repeatedly flag cookies from Google, Meta, and others as missing security attributes such as "Secure" and/or "HttpOnly".
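A scanner-style check for the cookie finding described above, added here as an illustration (it is not code from Cloudflare, Qualys, or Concrete CMS). The hostnames, cookie values, and the simple suffix match used to decide first versus third party are constructed assumptions; a production scanner would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample: (URL of the response that set the cookie, raw Set-Cookie value).
SAMPLE_RESPONSES = [
    ("https://shop.example/login", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example/cart", "cart_id=42; Path=/; HttpOnly"),
    ("https://tracker.example.net/pixel.gif", "_uid=xyz; Domain=.example.net; Path=/; Secure"),
    ("https://ads.example.org/tag.js", "_adpref=1; Domain=.example.org; Max-Age=31536000"),
]

def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute name: attribute value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs

def audit(responses, site_host):
    """List (cookie, party, missing attributes) for cookies lacking Secure or HttpOnly."""
    findings = []
    for url, header in responses:
        host = urlsplit(url).hostname or ""
        name, attrs = parse_set_cookie(header)
        missing = [label for label in ("Secure", "HttpOnly") if label.lower() not in attrs]
        if not missing:
            continue
        # Assumption: same host or a subdomain of the audited site counts as first party.
        first_party = host == site_host or host.endswith("." + site_host)
        findings.append((name, "first-party" if first_party else "third-party", missing))
    return findings

if __name__ == "__main__":
    for name, party, missing in audit(SAMPLE_RESPONSES, "shop.example"):
        # First-party findings are fixable in the site's own server or CMS configuration;
        # third-party ones have to be raised with the vendor or handled by dropping the script.
        print(f"{name:10} {party:12} missing: {', '.join(missing)}")
```

Separating findings by party matters for triage: only the first-party rows can be closed by changing the site's own configuration.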
The Importance of Security in Content Management Systems
The insights from Cloudflare's 2024 reports highlight the escalating nature of cyber threats and the critical need for robust security measures. For organizations using web content management systems like Concrete CMS, these findings underscore the importance of comprehensive security features. Concrete CMS's commitment to enterprise security and compliance helps businesses stay resilient against these evolving threats.
- Cloudflare. (2024, July 12). Application security report: 2024 update. Cloudflare Blog. https://blog.cloudflare.com/application-security-report-2024-update
- Cloudflare. (2024, July 12). DDoS attack trends for Q2 2024. Cloudflare Radar. https://radar.cloudflare.com/reports/ddos-2024-q2