X
Tech

Cloudflare reports almost 7% of internet traffic is malicious

Fortunately, there are things you can do to help protect yourself and your websites.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
malicious traffic concept
Craig Hastings/Getty Images

In its latest State of Application Security Report, Cloudflare paints a sobering picture of the internet's threat landscape in 2024. How sobering? Try 6.8% of internet traffic is malicious, up a percentage point from last year's study.

What's driving this increase in threats? Cloudflare, the content delivery network and security services company, thinks the rise is due to wars and elections. For example, many attacks against Western-interest websites are coming from pro-Russian hacktivist groups such as REvil, KillNet, and Anonymous Sudan.

Also: The best VPN services (and how to choose the right one for you)

What's particularly alarming is the speed at which new vulnerabilities are exploited. In one case, attackers attempted to exploit a JetBrains TeamCity DevOps authentication bypass a mere 22 minutes after the proof-of-concept code was published. That speed is faster than most organizations can read the security advisory, let alone patch their systems.

You should note there are also more zero-day exploits. For example, in 2023, Google reported 97 zero-days were exploited in the wild. When I report on security problems, I say you should patch exploits as soon as possible -- and that's truer today than ever before. Cloudflare reports attackers are going for the easiest targets first. Attackers target old, known vulnerabilities, so don't put off security patches. If you do, the attackers will come after you and get you. 

However, Distributed Denial of Service (DDoS) attacks continue to be cybercriminals' weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year.

But it's not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.

It wasn't just Cloudflare that was hit by the largest DDoS attack in its history. Google Cloud reported the same attack peaked at an astonishing 398 million RPS. So, how big is that number? According to Google, Google Cloud was slammed by more RPS in two minutes than Wikipedia saw traffic during September 2023. 

Also: The best VPN services for iPhone and iPad (yes, you need to use one)

The report also highlights the increased importance of application programming interface (API) security. With 60% of dynamic web traffic now API-related, these interfaces are a prime target for attackers. API traffic is growing twice as fast as traditional web traffic. What's worrying is that many organizations appear not to be even aware of a quarter of their API endpoints. 

Organizations that don't have a tight grip on their internet services or website APIs can't possibly protect themselves from attackers. Evidence suggests the average enterprise application now uses 47 third-party scripts and connects to nearly 50 third-party destinations. Do you know and trust these scripts and connections? You should -- each script of connection is a potential security risk. For instance, the recent Polyfill.io JavaScript incident affected over 380,000 sites.

Finally, about 38% of all HTTP requests processed by Cloudflare are classified as automated bot traffic. Some bots are good and perform a needed service, such as customer service chatbots, or are authorized search engine crawlers. However, as many as 93% of bots are potentially bad. 

Also: 6 ways to protect yourself from getting scammed online, by phone, or IRL

Usually, these bots aren't coming after you as an individual. Nevertheless, you have probably suffered from their effects without knowing. Bots, for example, are often used against consumer goods websites to grab items you might otherwise have bought. And if you've ever wondered why you couldn't get Taylor Swift tickets, it's probably not that mean girl down the street who got the ticket, but a bot wanting to snatch it to resale it at a premium price

So, what can you do about this combination of threats? If you're working at a company, you must protect your website and net services with defenses from companies such as Cloudflare and its rivals, including Akamai CDN, Fastly, and Varnish Software. All the major cloud companies offer similar security packages as part of their offerings. 

As for making your code safe, look for assistance from software supply chain security companies, such as Anchore, Codenotary, and Chainguard.

Also: The best VPNs for streaming your favorite shows and sports

In short, be proactive. Sit back and wait and your site and services will be hacked. It's not a matter of if, it's only a matter of when. 

Editorial standards