Websites are attacked about 27 times an hour or once every two minutes on average, peaking at 25,000 attacks a minute or seven a second, according to research.
The study by security firm Imperva shows cyber criminals are increasingly using automated attacks launched from captured "botnet" computers.
The Web Application Attack Report is based on a study of attacks against the top 30 web applications based on more than 10 million individual attacks from December 2010 to May 2011.
The attacks observed in the six month period were mainly made up of four attack types.
Topping the list is a little known type of attack called directory traversal (37%), followed by cross-site scripting (36%), SQL injection (23%) and remote file inclusion (4%).
These attacks were often used in combination to scan for vulnerabilities and subsequently exploit any vulnerabilities found, the report says.
"Advances in evasion are significant. Our data shows that it is increasingly difficult to trace attacks to specific entities or organisations," said Amichai Shulman, lead researcher and chief technology officer at Imperva.
This complicates any effort to retaliate, shut down cybercriminal gangs or identify potential acts of war, he said.
The Imperva research team recommends that organisations should deploy security solutions that deter automated attacks because having the capacity to quickly identify thousands of individual attacks as one attack, enables organisations to prioritise resources more efficiently and can help in the detection of previously unknown attack vectors - so-called zero days - included in the attack.
The team also says IT security teams need to be aware of known vulnerabilities and have an up-to-date list to know what can and will be exploited by attackers; they should acquire intelligence on malicious sources and apply it in real time; and they should take part in a security community and share data on attacks.