Volume of Dangerous Cross-Site Request Forgery Attacks Up 132 Percent Since Q1 2012, FireHost Reports
April 2013 by FireHost
FireHost has announced its Q1 2013 web application attack statistics, detailing the type and number of the most dangerous cyberattacks blocked by the firewalls that protect its servers in the U.S. and Europe between January and March 2013.
Compared with Q1 2012, the volume of Cross-Site Request Forgery (CSRF) attacks is up 132 percent at the end of Q1 2013. The CSRF attack measurement is part of FireHost’s quarterly ‘Superfecta’ report. The Superfecta is a group of four cyberattacks* that pose the most serious threat to businesses: CSRF, Cross-site Scripting (XSS), SQL Injection and Directory Traversal. After CSRF, SQL Injection has seen the second most significant increase in frequency, rising 87 percent when comparing Q1 2012 to Q1 2013.
Other key statistics for the Q1 2013 Superfecta include:
Total number of all attack types blocked by FireHost in Q1 2013: 29,713,520 (This includes attacks blocked by FireHost’s new IP Reputation Management “IPRM” filters)
Total number of Superfecta attacks blocked in Q1 2013: 3,410,212 (up from 2,861,085 in Q1 2012)
Overall, Cross-site Scripting (XSS) was the most prevalent Superfecta attack type in Q1 2013, with more than 1.2M attacks blocked
“The Superfecta represents the most dangerous type of cyberattack traffic, but these are by no means advanced or difficult attacks for cybercriminals to launch,” said Chris Hinkley, CISSP – a Senior Security Engineer at FireHost. “For example, cross-site request forgery attacks and cross-site scripting attacks are extremely automated and require very little knowledge to implement.
“It only makes sense that CSRF attacks would increase due to more automated attacks in the arsenals of cybercriminals. SQL Injection attacks represent a smaller portion of the attack traffic we block for our customers, as these attacks require more expertise, but when they’re successful, they are very effective. Many will remember or have even been affected by successful SQL Injection attacks on a number of global brands over the past few years. What these numbers really say is malicious web traffic is very diverse and businesses should ensure that they are doing as much as possible to mitigate it.”
For the first time, FireHost has also reported on its IP Reputation Management (IPRM) statistics. This involves preventing traffic from known untrusted sources (such as the Russian Business Network or Chinese activist group) from even attempting to access FireHost web servers.
IPRM was put into service by FireHost in Q4 2012 and sits in front of server firewalls.
“IPRM does not have a significant impact on reducing Superfecta attacks overall, as they come from trusted sources and that is why they pose such a serious threat to security,” continues Hinkley. “Our layered Intelligent Security Model will still block any attacks that get through IPRM, but it is designed primarily to reduce the impact on server resources. What’s interesting is that where it made the most significant improvements was in reducing the number of other types of bad traffic, like denial of service attacks, command and control bots and other malware-based attacks.”
Liam Eagle, analyst, Internet infrastructure at 451 Research, agreed.
“Malicious website traffic has several harmful results – along with the obvious security concerns, there is a performance impact,” says Eagle. “An increase in the volume of traffic to a site demands an increase in resources like memory, processing and bandwidth. Preventing unwanted traffic from reaching a website or hosted environment has a direct and positive impact on infrastructure performance. It’s not a coincidence that security and performance are two key criteria by which customers evaluate hosting services.”
Comparison of Superfecta attacks between Q1 2012 and Q1 2013:
Cross-site Scripting (XSS) – Cross-site scripting involves the insertion of malicious code into webpages in order to manipulate website visitors. It is used by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users.
Directory Traversal – A Path Traversal attack aims to access files and directories that are stored outside the web root folder.
Cross-Site Request Forgery (CSRF) – CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
SQL Injection – SQL Injection involves the entering of malicious commands into URLs and text fields on websites that happen to be vulnerable, usually in an attempt to steal the contents of databases storing valuable data such as credit card details or usernames and passwords. The attack vector has been associated with many high profile data breaches.