According to Cloudflare statistics, 6.8% of Internet traffic is potentially junk

Carding Forum

Cloudflare has published statistics on the nature of traffic processed by the content delivery system from April 1, 2023 to March 31, 2024. During the year, the share of questionable, malicious, or junk HTTP traffic that was blocked or redirected to verification pages for filtering out bots (JavaScript verification or captcha) increased from 6% to 6.8% on average for the year. The peak values of such traffic reached 12% on certain days.

53.9% of the traffic blocked or sent for additional verification is malicious activity, attack attempts and bot activity, 37.1% is DDoS attack traffic, and 7.2% is requests from IP addresses that have a bad reputation and are blacklisted.

Although denial-of-service DDoS attacks remain the most popular type of attack on web applications, there is an increase in the importance of attacks aimed at exploiting uncorrected vulnerabilities. Administrators are advised not to delay installing updates to fix critical vulnerabilities, as such attacks are becoming more rapid. For example, the JetBrains TeamCity product was attacked just 22 minutes after the prototype exploit for the uncorrected vulnerability CVE-2024-27198, which allows access without authentication, was made publicly available. The most active attacks include attempts to exploit vulnerabilities in Apache Struts (CVE-2023-50164), Apache Spark (CVE-2022-33891), Adobe ColdFusion (CVE-2023-29298, CVE-2023-38203, CVE-2023-26360) and MobileIron (CVE-2023-35082).

31.2% of all traffic is associated with bot activity, while only 7% of requests from bots are generated by known legitimate services, such as search engines; the remaining 93% are classified as unknown bots that can potentially perform malicious actions.

Among the trends, there is also an increase in traffic related to accessing the Web API, which returns responses in JSON or XML formats. The share of such requests reached 60% of all dynamically generated (non-cached) traffic. According to Cloudflare, a third of API requests are related to accessing "shadow" API handlers, which are not considered by organizations (they are not explicitly presented as publicly available Web APIs) and are not properly protected.

On average, Cloudflare's corporate clients use 47 third-party scripts in their web services. The most popular providers of third-party scripts are Google (Tag Manager, Analytics, Ads, Translate, reCAPTCHA, YouTube), Meta (Facebook Pixel, Instagram), Cloudflare (Web Analytics), jsDelivr, New Relic, Appcues, Microsoft (Clarity, Bing, LinkedIn), jQuery, WordPress (Web Analytics, plugins), Pinterest, UNPKG, TikTok, and Hotjar.

During the operation of corporate web applications, on average, almost 50 external services are connected (as a rule, the third-party scripts in use transmit data to external hosts; for example, Google Analytics sends statistics to Google servers). Among the most popular connected external services are Google (Analytics, Ads), Microsoft (Clarity, Bing, LinkedIn), Meta (Facebook Pixel), Hotjar, Kaspersky, Sentry, Criteo, tawk.to, OneTrust, New Relic, and PayPal.