The hosting company of a client has shut down their Windows server twice in the past week because the server seems to be sending out massive amounts of outbound encrypted UDP DNS traffic.
I have now configured the firewall to block any incoming/outgoing traffic by default and only allowed the necessary ports. This should prevent the outgoing UDP traffic, but I still don't understand the underlying issue.
There is only a webserver (ASP.NET website) and an FTP server running on this server, and so far I couldn't find any issues in the web application.
What are the attackers doing? Are they DDoSing other servers? And how are they doing this, and how do I fix the root of this problem?
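One way to get a factual picture of the outbound UDP/53 traffic before guessing at the cause is to turn on Windows Firewall logging (pfirewall.log, which records allowed and dropped packets with source, destination, port, size and direction) and aggregate the SEND lines by destination. Traffic to the server's own configured resolver is normal; hundreds of large datagrams per minute to addresses that are not resolvers is what a hosting provider's abuse desk would see as a flood. The script below is an added example written for this answer, not code from the original question; it assumes the standard pfirewall.log column layout, and every log line in it is constructed sample data rather than a real capture.

```python
"""Added example: summarise outbound UDP/53 traffic from a Windows Firewall log
(pfirewall.log layout) and flag destinations that look like a flood rather than
ordinary resolver queries. All sample log lines below are constructed."""
from collections import defaultdict

# pfirewall.log header as Windows writes it: the #Fields line defines the columns.
FIELDS_HEADER = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
                 "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")


def build_sample_log():
    """Construct a small log: a few normal queries to the configured resolver
    (10.0.0.2), one unrelated inbound TCP line, and a burst of large outbound
    UDP/53 datagrams to two addresses that are not resolvers (constructed data)."""
    lines = ["#Version: 1.5", "#Software: Microsoft Windows Firewall", FIELDS_HEADER]
    lines += [
        "2024-01-01 10:00:00 ALLOW UDP 10.0.0.5 10.0.0.2 51234 53 60 - - - - - - - SEND",
        "2024-01-01 10:00:01 ALLOW UDP 10.0.0.5 10.0.0.2 51235 53 60 - - - - - - - SEND",
        "2024-01-01 10:00:01 ALLOW TCP 10.0.0.5 203.0.113.9 443 49000 0 - 0 0 0 - - - RECEIVE",
        "2024-01-01 10:00:02 ALLOW UDP 10.0.0.5 10.0.0.2 51236 53 60 - - - - - - - SEND",
    ]
    # Constructed flood: 500 datagrams of 1400 bytes to one host, 200 to another.
    for i in range(500):
        lines.append(f"2024-01-01 10:00:{i % 60:02d} ALLOW UDP 10.0.0.5 198.51.100.7 "
                     f"{40000 + i} 53 1400 - - - - - - - SEND")
    for i in range(200):
        lines.append(f"2024-01-01 10:01:{i % 60:02d} ALLOW UDP 10.0.0.5 198.51.100.8 "
                     f"{50000 + i} 53 1400 - - - - - - - SEND")
    return "\n".join(lines) + "\n"


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header.
    Lines that do not match the header's column count are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def summarize_outbound_udp53(records, known_resolvers):
    """Return {dst_ip: (datagram_count, total_bytes)} for outbound UDP to port 53,
    leaving out the resolvers the server is configured to use."""
    stats = defaultdict(lambda: [0, 0])
    for r in records:
        if r["protocol"] != "UDP" or r["path"] != "SEND" or r["dst-port"] != "53":
            continue
        if r["dst-ip"] in known_resolvers:
            continue
        stats[r["dst-ip"]][0] += 1
        stats[r["dst-ip"]][1] += int(r["size"])
    return {ip: tuple(v) for ip, v in stats.items()}


def flag_flood(stats, min_count=100, max_avg_size=512):
    """Flag destinations that received many datagrams or unusually large ones.
    A stub resolver's queries are small (well under 512 bytes) and go to a
    handful of resolvers, so either signal is worth investigating."""
    flagged = {}
    for ip, (count, total) in stats.items():
        avg = total / count
        reasons = []
        if count >= min_count:
            reasons.append(f"{count} datagrams")
        if avg > max_avg_size:
            reasons.append(f"avg {avg:.0f} bytes")
        if reasons:
            flagged[ip] = ", ".join(reasons)
    return flagged


def analyze(text, known_resolvers):
    """Convenience wrapper: parse, summarise and flag in one call."""
    return flag_flood(summarize_outbound_udp53(parse_firewall_log(text), known_resolvers))


if __name__ == "__main__":
    for ip, why in analyze(build_sample_log(), {"10.0.0.2"}).items():
        print(f"{ip}: {why}")
```

On a real host, feed it the actual `%systemroot%\System32\LogFiles\Firewall\pfirewall.log` and the resolver addresses from `ipconfig /all`. The output only tells you where the packets went and how big they were; the next step is pairing the timestamps with which process held the sending socket (Windows Firewall logging with the per-process audit policy, or Sysmon network events, both record that), which is what you need to answer the "how" and to remove the cause rather than just the symptom.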