The importance of locking down your boxes

I was prompted to write this article because of a customer's system that was being used as part of a DDoS attack. In this case a client's system was part of a DNS reflection attack (https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html). The client had a cluster of servers set up with BIND installed, with a configuration that accepts and responds to all requests that it gets. The boxes were hosted on AWS. As soon as AWS contacted our client, they came to us, and it was fairly easy to show where their engineer messed up. Port 53 should have only allowed established traffic.
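
One way to audit for the exposure described above, as an added example that is not from the original article or the client's environment. It assumes the servers sat behind EC2 security groups and that the rules were exported as JSON with `aws ec2 describe-security-groups`; the function names and sample group IDs are made up for illustration.

```python
import ipaddress

DNS_PORT = 53

def _covers_dns(perm):
    """True if the rule's protocol and port range include UDP or TCP port 53."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("udp", "tcp"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= DNS_PORT <= hi

def _world_sources(perm):
    """Source CIDRs in the rule that match every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def find_open_dns(groups):
    """List (group id, protocol, cidr) for ingress rules exposing port 53 to the world."""
    findings = []
    for g in groups.get("SecurityGroups", []):
        for perm in g.get("IpPermissions", []):  # IpPermissions holds ingress rules
            if _covers_dns(perm):
                for cidr in _world_sources(perm):
                    findings.append((g["GroupId"], perm["IpProtocol"], cidr))
    return findings

# Constructed sample in the describe-security-groups shape (not data from the incident).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-open-example", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-locked-example", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    for gid, proto, cidr in find_open_dns(SAMPLE):
        print(f"{gid}: {proto}/53 reachable from {cidr}")
```

Security groups are stateful, so replies to the servers' own outbound DNS queries are still allowed when no inbound rule opens port 53 to the world.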
