Do not envy the life of a Web app. It’s a brutal, public existence filled with attacks from all sides. In fact, a new report by Imperva sheds some light on this sad life, showing that a typical Web app is attacked once every three days and some are targeted as many as 2,700 times in a given year.
Web apps are lots of fun for attackers because they’re publicly accessible and take all kinds of interesting inputs. Attackers can take their time, throwing whatever data they choose at a given app and then see what happens to break. To determine what this attack landscape looks like, Imperva monitored 50 Web applications for six months, looking at the kinds of attacks each one endured and pulling out trends.
One of the more interesting findings was that the typical Web app can expect to be attacked every third day and that some of the applications are under attack as often as 292 days per year. There are likely to be multiple attack incidents on any given day, as well. The average attack that Imperva observed lasted a little less than eight minutes and the longest went on for about 80 minutes.
“However, regardless of attack frequency periods, compared to the peaceful periods, the success of the whole mission depends
on the defense performance when under attack. Therefore, the defense solutions and procedures should be designed to
accommodate attack bursts,” the Imperva report says.
“While, typically, an application will see only some serious attack action on 59 days in 6 months (roughly on every third day on
average), and the attack period may last only a few minutes. The intensity of the attack will be overwhelming if the defense side
was prepared for the average case (27 or 18 attacks per hour as discovered on our previous reports) as the attack will consist of
hundreds or even thousands of individual attack requests.”
Unsurprisingly, the report found that SQL injection was the most common attack type. As simple as it is and as old as it is, SQL injection still works nicely, thanks to the widespread nature of the vulnerabilities the attack exploits. Oddly, however, Imperva found that while the vast majority of the IP addresses involved in attacks against the monitored Web apps were in the United States, most of the SQL injection attack traffic actually came from France.
Looking at historical attack data to try and predict when attacks may come in the future can be difficult, the report found. Much of the attack traffic the company observed flowing into the 50 Web apps it was monitoring came in unpredictable bursts. One of the apps, which Imperva monitored for a full year rather than six months, experienced short spikes in attack traffic every few weeks until a major burst in January 2012, which was seven or eight times the normal volume. The number of attacks then subsided and went back to its normal pattern of occasional spikes.
“Don’t be fooled by relative average calm of the battlefield. As you typically would witness a ‘battle day’ only on one day out
of three, and it typically would last just a few minutes. However the way your security solution and process would perform
on these minutes really determines your overall security performance. So, base your estimations for the security measures
you need on the worst-case scenario and not on the average case,” Imperva said in the report.