1 Jun, 2020

Q1 2020 Quttera Web Application Firewall Statistics

The Quttera Web Application Firewall guards your site against many kinds of cyberattacks, including ones that haven't been seen yet. Here's a look at Quttera's Q1 2020 WAF statistics.

In the first quarter of 2020, the Quttera Web Application Firewall (WAF) processed 52,769,451 requests to its customers' Web servers. Of these, it blocked 1,207,838 attacks. This is a 95% increase over the number blocked in the second half of 2018, a period that was twice as long. Our customer base has grown, and so has the rate of the attacks.

The WAF is part of Quttera's ThreatSign! anti-malware platform. In addition to the WAF, ThreatSign! includes monitoring and scanning of websites, blacklist checking, notifications, and comprehensive reporting of security statistics.

Automated Cyber Attacks

The overwhelming majority of cyber attacks are automated rather than individually crafted. A large proportion aren't even aimed at any particular target. They just go down lists of IP addresses and check each one for weaknesses. If they find what looks like a WordPress site, they'll launch a standard suite of WordPress attacks. If a site's response to a query suggests that a weakness is present, they'll exploit it. Software to carry out these attacks is sold on the black market.

This means that every site is a target. Whether it belongs to a part-time home business or a global corporation, automated systems are trying to find a way into it. Every business needs a versatile, multi-layered defense to keep those attempts from succeeding. New attacks constantly appear, and security systems need to stay up to date to stop them.

Quttera's Web Application Firewall uses a ruleset that is constantly updated to deal with the latest threats. Customers can add domain-specific rules and whitelists to fit their security needs.

Types of Attacks Detected

The Quttera WAF identifies six categories of attacks. The numbers detected in the first quarter of 2020 were:
  • Generic attack: 1,176,224
  • Shell code: 19,188
  • SQL injection: 9,353
  • Injection: 2,607
  • Cross-site scripting: 255
  • Vulnerability exploit: 211

Generic attacks aren't a separate type of attack; they are attacks identified by characteristics such as malicious strings or paths, or known hostile IP addresses. They lack subtlety, but they can do serious damage if not blocked.

Shell code creates or takes control of a trusted application that can run any commands. The term comes from the operating system shells which let users or scripts run commands, but malware shells take many forms. Another term for shell is "backdoor." An attacker can launch a shell by breaking an account's security, tricking a user into installing malware, or taking advantage of a vulnerability. Malware shells are versatile, and some are persistent, continuing to steal information for weeks or months.

SQL injection relies on buggy code which communicates with a database. Relational databases get requests in the SQL language, which Web applications generate on the fly. A common trick is to manipulate form data with SQL commands and mismatched quotes. If a Web application fails to detect this trick, it may put the unauthorized command into the SQL stream, allowing theft or alteration of data.
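
The quote trick described above, shown next to the fix, as an added example that is not Quttera's code or part of the original post. The table, the function names and the form values are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("o'brien", "obrien@example.test"),
    ])
    return db

def lookup_vulnerable(db, name):
    # Form data is pasted into the SQL text, so a quote inside `name`
    # closes the string literal and the rest is parsed as SQL.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, name):
    # The driver binds `name` as a value; it is never parsed as SQL.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

# Constructed form value containing a mismatched quote.
FORM_VALUE = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The WHERE clause becomes always-true and every row comes back.
    print("vulnerable:   ", lookup_vulnerable(db, FORM_VALUE))
    # The whole value is compared as a name, so nothing matches.
    print("parameterized:", lookup_parameterized(db, FORM_VALUE))
    # A legitimate name with an apostrophe only works when bound.
    print("o'brien:      ", lookup_parameterized(db, "o'brien"))
```

The same concatenated query also fails on the legitimate name `o'brien` with a syntax error, which is often the first visible sign that a query is built this way.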

Other types of injection use similar tricks to introduce headers, commands, or JavaScript. CRLF injection relies on the convention of using a line break (carriage return + line feed) to separate commands and data fields. It might allow the execution of an intruder-specified command or modify a file's headers to change its behavior. This is also known as response splitting. HTML injection can introduce scripts, links, and display elements into a page if the server doesn't filter them out from user input.
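
The header and HTML cases described above, as an added example that is not Quttera's code or part of the original post. The function names, the redirect scenario and the sample values are constructed for illustration.

```python
import html

STATUS = "HTTP/1.1 302 Found\r\n"

def build_redirect_naive(target):
    # User input is copied into the header block unchanged.
    return STATUS + "Location: " + target + "\r\n\r\n"

def build_redirect_checked(target):
    # CR and LF delimit header lines, so a header value must not
    # contain either of them.
    if "\r" in target or "\n" in target:
        raise ValueError("line break in header value")
    return STATUS + "Location: " + target + "\r\n\r\n"

def header_names(response):
    """Return the header names a client would parse from a response."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]

def render_comment(text):
    # HTML injection: escape markup characters before the text is
    # placed in a page, so the browser shows it instead of running it.
    return "<p>" + html.escape(text) + "</p>"

# Constructed input: a path followed by a line break and a second header.
REDIRECT_VALUE = "/home\r\nSet-Cookie: session=constructed"

if __name__ == "__main__":
    # The naive builder emits a header the application never set.
    print(header_names(build_redirect_naive(REDIRECT_VALUE)))
    try:
        build_redirect_checked(REDIRECT_VALUE)
    except ValueError as err:
        print("rejected:", err)
    # Markup in user text is rendered inert.
    print(render_comment("<script>alert(1)</script>"))
```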

Cross-site scripting (XSS) uses various techniques to get a page to execute JavaScript from an outside source. It can use HTML injection or infiltrate a trusted JavaScript source. XSS can steal cookies or redirect users to another site. The rogue JavaScript runs on the browser, but in most cases, it won't be obvious to a user without special tools.

Vulnerability exploits target known weaknesses in software. Repositories such as the National Vulnerability Database list known issues in published software where patches are available. They alert network owners to problems that need fixing, but criminals are equally aware of them. Keeping software up to date avoids this risk, but businesses can't always update their systems regularly. The small number in the list doesn't mean this attack is rare, but rather that the Web Application Firewall catches most vulnerability exploits by other methods and classifies them accordingly.

Geographic Sources of Attacks

Attacks on servers anywhere on the Internet can come from anywhere in the world. Our list of attacks by country is based on the geolocation of their IP addresses. The source isn't necessarily the same as the attacker's home country. Criminals and state actors prefer to hide their tracks, taking advantage of servers that they control remotely. Botnets, large collections of machines that have secretly been compromised, give these people global reach.

The prevalence of attacks from a given country generally indicates not a large hacker presence there, but a large number of machines available to exploit, especially ones that have poor security or out-of-date operating systems. Blocking the IP addresses of distant countries with bad reputations provides little protection by itself. The top six countries by number of attacks are:
  • Germany: 446,969
  • United States: 246,040
  • France: 240,934
  • Canada: 83,201
  • Czech Republic: 32,546
  • India: 29,083

A Web Application Firewall Protects Your Site

Unlike a traditional firewall, a web application firewall recognizes and neutralizes application-specific threats. Traditional firewalls can recognize only generic attack types, IP addresses, and ports. As automated penetration techniques have grown more devious, the need for a more sophisticated defense has constantly grown. The Quttera WAF guards your site against many kinds of attacks, including ones that haven't been seen yet.

An infected website isn't always obvious. The malware may do its dirty work without interfering with normal operations. The first warning you get may be when visitors get alerts in their browsers. If your site is blacklisted because of a malware infection, those alerts will scare away visitors, and your traffic will drop alarmingly. To protect your business, you need to block infection attempts and quickly catch any that get through.

Using the WAF and the other components of Quttera ThreatSign! gives your site in-depth protection. Contact us to learn how your network can enjoy the benefits of improved security.