CUPS Flaw Exploited to Boost DDoS Traffic

The security team of the Akamai content delivery network has disclosed an additional attack vector against the cups-browsed process, which can also be exploited to execute code on the system. The new method involves sending unrestrained requests to the cups-browsed process on port 631, causing data to be sent to another host in a volume exceeding the size of the initial request by 600 times. For comparison, the amplification factors of other methods are: Memcached 10-50 thousand times, NTP 556 times, DNS 28-54 times, RIPv2 21 times, and SNMPv2 6 times.

This discovery shows how cups-browsed systems can be used as traffic amplifiers in DDoS attacks. With this method, requests from the computers taking part in the DDoS attack are directed through an intermediate traffic amplifier rather than directly at the victim system. Network scans identified more than 198 thousand vulnerable CUPS systems, of which 34% (58 thousand systems) were deemed suitable for participation in DDoS attacks.

Other traffic amplification methods require sending UDP packets with the spoofed address of the victim; using cups-browsed eliminates this need. In response to an unauthorized external request, the service will download a PPD file from a designated server, augmenting the traffic flow.

When sending cups-browsed a request to load a PPD file, additional data of up to 989 bytes can be attached to the “IPP URI” value. This leads to repeated requests being made to the attacked system, ultimately amplifying the traffic by up to 600 times in some scenarios.
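A defender-side check for the pattern described above, as an added example that is not from Akamai or the original article: it scans flow records for an external datagram to port 631 followed by a disproportionate volume of outbound traffic from the same host. The record layout, the 10.0.0.0/8 internal range, the time window and the alert threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your own address space
WINDOW = 300      # seconds after a trigger in which outbound traffic is attributed to it
MIN_RATIO = 10.0  # constructed alert threshold, tune per environment

# Constructed flow records: (epoch_sec, src, dst, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    (1000, "203.0.113.7", "10.0.1.20", "udp", 631, 200),   # external request to cups-browsed
    (1001, "10.0.1.20", "192.0.2.50", "tcp", 80, 60000),   # host then sends data to a third party
    (1003, "10.0.1.20", "192.0.2.50", "tcp", 80, 60000),
    (2500, "10.0.1.20", "192.0.2.50", "tcp", 80, 5000),    # outside the window, not attributed
    (1000, "10.0.2.5", "10.0.1.21", "udp", 631, 200),      # internal sender, not a trigger
    (1002, "10.0.1.21", "192.0.2.80", "tcp", 443, 90000),  # unrelated outbound traffic
    (2000, "203.0.113.9", "10.0.1.22", "udp", 631, 200),   # trigger with no outbound reaction
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_amplifiers(flows):
    """Return {(cups_host, target): ratio} for hosts whose outbound volume
    after an external port-631 datagram exceeds MIN_RATIO times the request size."""
    triggers = {}             # cups_host -> (last trigger time, total request bytes)
    sent = defaultdict(int)   # (cups_host, target) -> outbound bytes inside the window
    for ts, src, dst, proto, dport, size in sorted(flows):
        if proto == "udp" and dport == 631 and is_internal(dst) and not is_internal(src):
            # cups-browsed listens on UDP 631; an external sender here is the trigger
            _, total = triggers.get(dst, (ts, 0))
            triggers[dst] = (ts, total + size)
        elif src in triggers and not is_internal(dst) and ts - triggers[src][0] <= WINDOW:
            sent[(src, dst)] += size
    alerts = {}
    for (host, target), out_bytes in sent.items():
        ratio = out_bytes / triggers[host][1]
        if ratio >= MIN_RATIO:
            alerts[(host, target)] = round(ratio, 1)
    return alerts

if __name__ == "__main__":
    for (host, target), ratio in find_amplifiers(SAMPLE_FLOWS).items():
        print(f"{host} sent {ratio}x the request volume to {target} after a port 631 request")
```
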

A recent event showcasing the importance of addressing DDoS attacks is Cloudflare's mitigation of a record DDoS attack. During this attack, a staggering 3.8 terabits per second (2.14 billion packets per second) were directed at the victim’s system. The attackers used compromised ASUS and MikroTik routers, DVR devices, and web servers hacked through various vulnerabilities.
