Security Experts:

Automation Placing Web Applications Under Steady Stream of Attack

Data security firm Imperva, today released the results of study which revealed that web applications are probed or attacked about 27 times per hour or about once every two minutes.

As a part of the company’s ongoing Hacker Intelligence Initiative, Imperva monitored and categorized more than 10 million individual attacks across the internet, including attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government web applications.


The Imperva 2011 Web Application Attack Report (WAAR) offers insight into malicious web application attack traffic from December 2010 through May 2011, and outlines the frequency, type and geography of origin of each attack.

On average, Imperva saw that companies experienced twenty-seven attacks per hour, and when websites came under automated attack they received up to 25,000 attacks per hour, or 7 attacks every second. By comparison, the United States Department of Defense, with more than 7 million systems, says its systems are “probed” by unauthorized users 250,000 times every hour, according to a statement from General Keith Alexander last year.

While it’s important to realize that traffic like this is typically with malicious intent, these numbers don’t mean each event is a direct attack on a specific target. Think of them more as reconnaissance—or hackers using tools to search around for potential targets and identifying which can be exploited. In the physical world, I like to compare it so the likes of a drone, searching for potential targets—but wouldn’t consider it an actual ‘attack’ until a missile is fired.

That being said, many attacks CAN be automated, with botnets constantly scanning and probing the Internet, seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, and distribute malware.

IT Security Resource: Justifying IT Security: Managing Risk & Keeping Your Network Secure

"Most security research focuses on vulnerabilities, and while this insight is extremely valuable, it doesn't always help businesses prioritize their security efforts," said Amichai Shulman, lead researcher and Imperva CTO. "Take a look at the OWASP Top 10, for example, RFI and Directory Traversal were not identified as top vulnerabilities, yet our research shows that these are two of the most common attacks used by hackers to steal data. It's impossible to have effective risk management without understanding which vulnerabilities are most likely to be exploited."

Automated Web Site Attack Types

According to the report, the four most prevalent Web application attacks include directory traversal (37 percent), cross site scripting (36 percent), SQL injection (23 percent) and remote file include (four percent). These attacks were often used in combination to scan for vulnerabilities and subsequently exploit found vulnerabilities.

While 61 percent of the attacks originated from bots in the United States, it was unclear from where they were controlled. Attacks from China made up almost 10 percent of attack traffic, followed by attacks originating in Sweden and France. Geography, however, is less than reliable, but filtering attacks by reputation is more so.

"The level of automation in cyber attacks continues to shock us. The sheer volume of attacks that can be carried out in such a short period of time is almost unimaginable to most businesses," said Shulman. "The way hackers have leveraged automation is one of the most significant innovations in criminal history. You can't automate car theft, or purse stealing. But you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact."

"Advances in evasion are also significant. Our data shows that it is increasingly difficult to trace attacks to specific entities or organizations," continued Shulman. "This complicates any effort to retaliate, shut down cybercriminal gangs or identify potential acts of war."

The results of this study echo much of what was identified in the Verizon 2011 Data Breach Investigations Report, which showed that large-scale breaches dropped dramatically while small attacks increased, likely due to the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets.

The full Imperva 2011 Web Application Attack Report can be downloaded here. (Direct PDF Download)

Cloud Security Reading: The Big Shift to Cloud-based Security

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.