Back to blog

Follow and Subscribe

Network Effect Threat Report: Uncovering the power of collective threat intelligence

Fastly Security Research Team

Fastly Security Research Team, Fastly

Simran Khalsa

Staff Security Researcher

Arun Kumar

Senior Security Researcher, Fastly

Matthew Mathur

Senior Security Researcher, Fastly

Xavier Stevens

Staff Security Researcher, Fastly

We’re excited to announce the availability of the Network Effect Threat Report, Fastly’s threat intelligence report that offers insights based on unique data from Fastly’s Next-Gen WAF from Q2 2023 (April 1, 2023 to June 30, 2023). The report looks at traffic originating from IP addresses tagged by Fastly's Network Learning Exchange (NLX), our collective threat intelligence feed that anonymously shares attack source IP addresses across all Next-Gen WAF customer networks.

NGWAF’s reach and infrastructure-agnostic deployment options uniquely position us to analyze global attack trends across a wide variety of industries and applications. We protect over 90,000 apps and APIs and inspect 4.1 trillion requests a month*, allowing Fastly to flag the IP addresses from which malicious requests are sent and add them to our collective threat intelligence feed – NLX. The combination of volume, reach, and accuracy powers NLX to preemptively protect our customers with high-confidence attack data. 

The report dives into a number of observations and attack trends, with recommended actions for our NGWAF customers. Before diving into the report, here are five key takeaways that we found most significant in our research: 

  • Multi-customer attacks: 69% of IPs tagged by NLX targeted multiple customers, and 64% targeted multiple industries.

  • Targeted Industries: The High Tech Industry was targeted the most, accounting for 46% of attack traffic tagged by NLX.

  • Trending Techniques: While SQL injection is a popular attack choice (28%), attackers are favoring Traversal techniques, which make up nearly one-third (32%) of attacks analyzed.

  • Out-of-Band (OOB) Callbacks: Callback server domains are prevalent throughout NLX data, particularly in Log4j JNDI lookups, OS command injection, and XSS attacks. 46% of requests were utilizing known out-of-band application security testing (OAST) domains (e.g. interact.sh).

  • Autonomous Systems (AS): Cloud Hosting providers are the primary sources of attack traffic. They are useful for conducting large-scale attacks, providing adversaries with cost-efficient computing resources and the ability to distribute their traffic, offering a layer of anonymity.

Over the past few years, Fastly’s Security Research Team have published blogs, CVE notices, new Next-Gen WAF (NGWAF) rules, open source tools, tutorials, and other research that helps inform our customers of the latest security developments. We’re continuing this momentum by publishing deeper, more comprehensive reports on attack trends we see come through the NGWAF.

We’re excited to share this report with you and see how our findings correlate to what you’ve seen on your own apps and APIs. To dive deeper into the attack observations and analysis, read the full report. If you have any questions or feedback for the Security Research team, find us on Fastly’s Twitter or LinkedIn.  


* Trailing 6 month average as of June 30, 2023