Cloudflare 2026 DDoS Report: 22% of attacks now target the API plane
Strategic Summary
Cloudflare Radar's 2026 Q1 DDoS report shows API-plane attacks have grown to 22% of mitigated incidents — a 4× YoY jump. Authenticated low-rate floods bypass naive rate-limiting and stress backend logic. The most-targeted endpoints are GraphQL introspection, misconfigured admin APIs, and password-reset endpoints used for credential stuffing. Defenders need authenticated-aware rate limits and bot management applied to API routes, not just pages.
Key Findings
- API-targeted L7 DDoS grew to 22% of mitigated attacks — 4× YoY increase.
- Authenticated low-rate floods evade IP-only rate limits and target backend logic.
- GraphQL introspection + misconfigured admin APIs are the most-hit endpoints.
- HTTP/2 Rapid Reset successors continue to drive protocol-level abuse upward.
- Defenders should apply bot management + auth-aware rate limits to API routes.
Full Text
The first quarter of 2026 saw a marked shift in DDoS attack composition. Volumetric L3/L4 attacks remain numerically dominant, but API-targeted L7 attacks have grown to 22% of mitigated incidents — a 4× increase year-over-year. The attacks favor authenticated, low-rate floods designed to evade simple rate-limiting and stress backend logic.
The most-targeted endpoint patterns are GraphQL introspection queries, undocumented admin APIs exposed by misconfigured ingress controllers, and password-reset endpoints used for credential stuffing under cover of legitimate traffic.
Cloudflare's data also shows a meaningful uptick in HTTP/2 Rapid Reset variant attacks (CVE-2023-44487 successors) using protocol-level abuse rather than amplification.
For defenders, the takeaways are clear: rate-limiting at the L7 edge must understand authenticated calls, not just IP-level traffic; bot-management policies should be applied to API routes, not just user-facing pages; and any GraphQL endpoint should have introspection disabled in production.
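As an added illustration of the first takeaway (example code, not from the report or from Cloudflare), the Python sketch below compares an IP-keyed sliding-window limiter with one keyed on the authenticated principal and route, replayed over constructed traffic in which a single account spreads a low-rate password-reset flood across 50 source addresses; the field names, limits and addresses are assumptions.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allows at most `limit` requests per key inside a sliding window of `window` seconds."""
    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def request_key(req, mode):
    """Build the limiter key: plain source IP, or route + authenticated principal."""
    if mode == "ip":
        return req["ip"]
    # Auth-aware mode: key on the token subject when present and fall back to the
    # IP for anonymous calls; the route is part of the key so a flood against
    # /api/password-reset cannot hide inside the budget of ordinary calls.
    principal = req.get("sub") or "anon:" + req["ip"]
    return f"{req['route']}|{principal}"

def simulate(requests, mode, limit=20, window=60):
    """Replay constructed traffic and return how many requests were blocked."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(not limiter.allow(request_key(r, mode), r["t"]) for r in requests)

# Constructed sample traffic (assumed values, not report data): one authenticated
# account spreads 100 password-reset calls over 50 IPs within a minute, so each IP
# sends only 2 requests; five anonymous requests from one IP are legitimate.
FLOOD = [{"t": i * 0.6, "ip": f"203.0.113.{i % 50}", "sub": "user-42", "route": "/api/password-reset"} for i in range(100)]
LEGIT = [{"t": i * 5.0, "ip": "198.51.100.7", "sub": None, "route": "/api/password-reset"} for i in range(5)]
TRAFFIC = sorted(FLOOD + LEGIT, key=lambda r: r["t"])

if __name__ == "__main__":
    print("IP-keyed limiter blocked:", simulate(TRAFFIC, "ip"))                 # 0
    print("Principal-keyed limiter blocked:", simulate(TRAFFIC, "principal"))   # 80
```

With the IP-keyed limiter every address stays far below the threshold and nothing is blocked; keying on the token subject lets 20 calls through and stops the remaining 80 while leaving the anonymous requests untouched.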