25 Jan, 2021

Quttera WAF Statistics for 2020

A Web Application Firewall examines decrypted requests to your website and looks for signs of hostile intent, keeping it safe from cyberattacks. These statistics illustrate the effectiveness of the Quttera WAF in 2020.
In 2020, Quttera's Web Application Firewall blocked 3,364,879 attacks. The total number of requests handled was 220,629,030. That's to say, about one HTTP request in 70 was a cyber-attack blocked by the Quttera WAF. Since 2018, when we launched the WAF, the number of requests handled per month has gone up by a factor of 2.29, and the number blocked per month has increased by a factor of 2.56.

The biggest spike was in March, coinciding with the shift of many businesses to new working patterns as COVID-19 reached pandemic proportions. Online criminals take advantage of anything that disrupts IT departments and weakens normal cybersecurity.
The Numbers
Our WAF statistics break down the total into six categories. Many attacks fit into more than one, but each is assigned to just one category.
  • Generic attack: 2,894,992. Attacks identified by a malicious string, path, or IP address that doesn't fall under the other categories make up this large group.
  • SQL injection: 192,389. It uses form fields or URL parameters to pass SQL commands where the backend is expecting clean data. It allows running arbitrary database commands if it gets through.
  • Shell code: 50,633. This attack takes many forms. The general idea is the introduction of an executable script that runs on the server with its privileges. If the attacker can induce the server to run it, it can do anything that the account running it can do.Directory traversal
  • Other injection: 19,541. These attacks insert commands or JavaScript where the backend is expecting ordinary data. The idea is similar to SQL injection.
  • Cross-site scripting (XSS): 4,932. XSS gets a Web page to execute malicious JavaScript in the browser. It can steal cookies or intercept form submissions.
  • Vulnerability exploit: 2,392. These are attacks on known weaknesses in software that don't fit in the other categories. They're usually the result of running an old, buggy version of the software.
Geographic Sources
The top six countries for number of attacks originated are as follows:

  • United States: 1,388,929
  • Germany: 805,727
  • France: 320,862
  • Canada: 173,656
  • Russian Federation: 76,115
  • Australia: 71,824
These numbers don't necessarily reflect the location of the criminals behind the attacks so much as the availability of machines they can grab control of. Cybercriminals hide behind as many layers of concealment as they can. A machine that launches an attack could belong to a legitimate business that doesn't know its computers are being used in a botnet.

A country with a strong Internet presence offers many opportunities for bad actors to buy, lease, or subvert computing systems for their dishonest purposes. Countries that have strong restrictions on international Internet access, such as China, offer fewer opportunities as jumping-off points, even if they have an extensive infrastructure.
Breaking Down the Year
The number of attacks blocked by the Quttera WAF by month in 2020 show some interesting trends.

  • January: 344,586
  • February: 405,709
  • March: 457,543
  • April: 338,711
  • May: 284,594
  • June: 327,117
  • July: 153,557
  • August: 190,082
  • September: 327,634
  • October: 164,456
  • November: 182,551
  • December: 188,339
Significantly more attacks happened in the first half of the year. In the larger context, they represent a jump in the first half rather than a decline in the second half. Studies have shown there were more attacks in January through June than in all of 2019. This was largely due to the chaos caused by the pandemic, which data thieves saw as a big opportunity. What has happened since then represents a settling down to the usual levels but not a long-term decline. It isn't time to feel complacent.
The Thinking Behind Attacks on Websites
Most attacks on websites are based on standardized techniques. An automated system checks one IP address or domain after another, without much concern for what the site is. It's a game of percentages. Some of the sites it probes will be vulnerable to some of its techniques. Their software hasn't been updated in a while, or they use plugins with known weaknesses, or the site isn't configured to be secure. Sometimes the intruders use zero-day exploits, taking advantage of newly discovered weaknesses for which no fix is available.

Once they get a foothold, criminals have many ways to take advantage of it. They may redirect traffic from your site to theirs. They may insert unauthorized ads. Users' passwords and financial information could be stolen. Ransomware could wipe out your files. Any site they can compromise is an opportunity, even if it's not a huge or glamorous one. Every site needs protection against them.

A site that is infected with dangerous content or that redirects to a known malicious site will frighten visitors away. Search engines will lower its rank or blacklist it. This means lost business and a damaged reputation. A site with strong security escapes most of these hazards.
How a WAF Protects Your Site
If you have a website, hostile forces are probing it every hour of every day for weaknesses. A good web application firewall stops the large majority of those attempts.

Ordinary firewalls limit access by IP address and hide services that shouldn't be public. However, they can't do anything about hostile traffic that's designed to find weaknesses in a Web server or CMS. They can't even see most of the traffic, since it's encrypted if you have a secure HTTPS site. A Web Application Firewall examines decrypted requests to your website and looks for signs of hostile intent.

Some of these signs are based on patterns in the request, such as SQL commands in form fields. Some incorporate threat intelligence about known attack methods. Others use behavioral analysis, finding usage patterns that fall outside expected user activity. New ways of breaking website security keep appearing, and a WAF needs regular updates to keep up with them.

The Quttera Cloud-Based Web Application Firewall uses both signatures and behavioral indicators to catch a broad range of intrusion attempts. The latest threat intelligence keeps it up to date. It can even catch types of attacks that haven't been seen before. This means less downtime, less of a chance of damage, and a more reliable experience for your users.