Web sites under attack 25,000 times per hour

Some web applications are being attacked as often as 25,000 times in one hour, as organised criminal gangs take advantage of automated, botnet-based technology to compromise systems, according to the latest research from database and app security firm Imperva.

The vendor's latest biannual Web Application Attack Report monitored over 10 million individual attacks targeted at 30 top web applications over the past six months.

The research found that web sites were attacked around 27 times an hour on average, some being hit 25,000 an hour or seven a second during heavy periods.

The four most common attacks were directory traversal (37 per cent), cross-site scripting (36 per cent), SQL injection (23 per cent), and remote file inclusion (four per cent), and many attacks used more than one of these methods.

Imperva chief technology officer Amichai Shulman warned that too many companies focus their efforts on anti-virus and network defences at the expense of web application layer security.

"The attackers have huge motivation to go after that layer because it's the closest they can get to the business logic," he told V3.

"It's designed to be accessible from the internet but the attackers are abusing this accessibility to get quick access via fraudulent activity. There are a lot of ongoing app layer hacks regardless of the size of the app."

Despite the high-profile hacking campaigns conducted by activist groups such as LulzSec and Anonymous, it is the financially motivated criminal underworld which is still responsible for most attacks, using systems powered by botnets to launch automated scripts.

"Their modus operandi is to work the big numbers. They obtain a huge list of hundreds of thousands of potential targets and then launch campaigns across them all at the same time. Even if they penetrate just a small percentage, the absolute numbers are still large," said Shulman.

Aside from improving coding practices and running vulnerability scans on web applications, Shulman recommended investing in technology to identify and block such automated attacks "before they get into the code".

"The attackers are getting better at automating their activities and finding targets," he explained.

"As much as coding practice is improving, when you have large apps with large and dynamic attack surfaces, you're bound to have a vulnerability somewhere and if they have enough resources and time the attacker is bound to find that vulnerability."

Shulman also urged chief security officers to get more involved with the business, so that they are able to understand and correlate technical and business threats.

He added that upper management needs to be more involved with information security "to understand the business risk that technical issues impose".