White paper: The state of application security in 2023
It’s a line we’ve all heard before: cyber attacks are larger, more frequent and more sophisticated than ever. And in 2023, the numbers continue to back up each of these points:
- Attacks are larger. In February, Cloudflare mitigated a 71 million request-per-second HTTP DDoS attack – the largest known attack of its kind to date, more than 54% higher than the previously reported record of 46 million RPS in June 2022. To put this into perspective, Google fields approximately 100 000 requests per second across all platforms worldwide, making the attack roughly 140x Google’s total traffic.
- Attacks are more frequent. Application-layer attacks have spiked by as much as 80% in 2023. One reason behind this jump: attackers are leveraging existing internet infrastructure to amplify their attacks, making them both easier and cheaper to carry out.
- Attacks are more sophisticated. As organisations continue to refine their security strategies, attackers evolve their tactics to get around even the most robust defences. One way of doing that is via brute-force attempts, which can help attackers gain access to user accounts and sensitive data. From 2022 to 2023, Cloudflare observed matches for HTTP requests with leaked credentials at a rate of 12 000+ per minute.
In the report below, we will dive into the current and emerging attack trends aimed at applications and APIs in 2023. These observations are powered by the Cloudflare global network, which handles an average of 45+ million HTTP RPS – giving us an unprecedented view into traffic patterns, attacker behaviours and more.