Today I found a domestic machine with abnormal traffic: the DNS cache service running on it was being used as an amplification lever for attacks. Let's take a look. When the traffic anomaly was detected, I first checked the TCP sessions on the server and found a few abnormal things. After the service was disabled the traffic decreased, but it still did not return to the normal level, so I captured packets and found a large batch of queries like these:

07:39:53.271744 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271772 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271784 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271792 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.274225 IP 92.XX.xx.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.274252 IP 92.XX.xx.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.274262 IP 92.XX.xx.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.274270 IP 92.XX.xx.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.291822 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.291850 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.291860 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.291869 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.291877 IP 92.XX.XX.148.56278 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)

Obviously it is abnormal for the same IP address to repeatedly query the same domain name within such a short time. Why isc.org? That is unclear for the moment, but this behaviour is clearly using the machine as a lever to amplify an attack.
The attacker sends DNS query packets whose source IP address is forged to be the final victim's (such a query is much smaller than the response) to the victim DNS cache server; because these cache servers already hold a local copy of the domain's records (the names do exist), they immediately respond to the final victim. In this way an attacker with a small amount of bandwidth can saturate the downstream bandwidth of the final victim and carry out a DDoS attack. As with DDoS attacks in general, this is not easy for the defender to block. However, in a traditional network design the DNS cache servers sit in the DMZ, so you can filter out all DNS response packets arriving from the outside at the router to mitigate the impact of such attacks. An administrator who runs a DNS cache server should restrict access to it: for example, only the intranet interface should listen for DNS queries, while the Internet-facing interface is used only to send the server's own DNS requests and receive the responses to them, so that the server cannot be exploited by the bad guys as a DDoS lever.
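As an added illustration (not part of the original post), a small Python script that scans tcpdump-style lines like those above and flags source addresses that repeat the same ANY query within one second, the pattern that marks a reflector being driven. The sample lines are constructed from the redacted capture; the port 20050 and the final ordinary A query are my own additions.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines in the post (redacted IPs kept),
# plus one ordinary A query for contrast; this is not a real capture.
SAMPLE = """\
07:39:53.271744 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271772 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271784 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271792 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.274225 IP 92.XX.XX.148.20050 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.274252 IP 92.XX.XX.148.20050 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.274262 IP 92.XX.XX.148.20050 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.291877 IP 92.XX.XX.148.56278 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.291822 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.291850 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.300000 IP 10.0.0.5.40001 > XX.XX.53: 1234+ A? example.com. (29)
"""

# One tcpdump DNS query line: timestamp, src.port > dst.53: id+ [1au] TYPE? name. (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > \S+\.53: "
    r"(?P<qid>\d+)\+ (?P<edns>\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)

def parse(line):
    """Return the fields of one tcpdump DNS query line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_sources(lines, threshold=4):
    """Source IPs sending >= threshold identical ANY queries within the same second.

    Repeated ANY queries for one name from one source (often with a reused query
    id, as in the capture) are the signature of a reflector being driven; the
    "source" is the spoofed final victim, not the real sender.
    """
    hits = Counter()
    for line in lines:
        q = parse(line)
        if q and q["qtype"] == "ANY":
            hits[(q["src"], q["qname"], q["ts"])] += 1
    per_src = Counter()
    for (src, _name, _second), n in hits.items():
        if n >= threshold:
            per_src[src] += n
    return sorted(per_src.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE.splitlines()):
        print(f"{src}: {n} repeated ANY queries in one second")
```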