This page shows statistics for the previous month (May 2021)
Bad Clients
This shows IP addresses that request the same FQDN over and over again (i.e. many times per minute).
There are two reasons to want to do this:
1. To cause a Denial of Service against the IP address shown in the Reverse DNS column (because the source (FROM) address of a DNS query is easily spoofed)
2. To attempt to overload the DNS server by making repeated requests
In both cases, WinBIND protects against this by automatically adding a DENY rule to the Windows Firewall within a few minutes of detection. WinBIND removes the offending client from the firewall rule after a certain period of time, so the Occurrences column shows the number of times this IP address found itself on the blacklist again.
| IP Address | Occurrences | Reverse DNS |
|---|---|---|
| 117.27.239.45 | 7 | - |
| 187.155.224.184 | 7 | dsl-187-155-224-184-dyn.prod-infinitum.com.mx |
| 5.252.35.165 | 7 | - |
| 88.156.190.183 | 7 | 088156190183.wejherowo.vectranet.pl |
| 94.158.148.33 | 7 | 527.854.soborka.net |
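Added example (not WinBIND's own code): a minimal model of the behaviour described above, where a client repeating the same query many times per minute is put on a temporary deny list and the Occurrences figure counts how often it is re-listed. The log format, the thresholds, the function names and the documentation-range IP addresses are all assumptions made for this sketch.

```python
from collections import defaultdict, deque

# Assumed tuning values; the page does not state WinBIND's thresholds.
WINDOW_S = 60     # look-back window in seconds
THRESHOLD = 20    # identical queries inside the window that trigger a block
BLOCK_S = 600     # how long a client stays on the deny list

def sample_log():
    """Constructed log lines in a hypothetical 'epoch client qtype qname' format."""
    lines = []
    for start in (0, 1000):                  # two bursts from the same client
        for i in range(60):                  # two identical queries per second
            lines.append(f"{start + i * 0.5:.1f} 203.0.113.5 ANY census.gov")
    for i in range(10):                      # ordinary client, one query per 30 s
        lines.append(f"{i * 30} 198.51.100.7 A example.com")
    return sorted(lines, key=lambda l: float(l.split()[0]))

def detect(lines):
    """Return {client_ip: occurrences}, i.e. how often each IP was deny-listed."""
    recent = defaultdict(deque)    # (ip, qtype, qname) -> timestamps in window
    blocked_until = {}             # ip -> expiry time of the current deny entry
    occurrences = defaultdict(int)
    for line in lines:
        ts, ip, qtype, qname = line.split()
        ts = float(ts)
        if blocked_until.get(ip, 0) > ts:
            continue               # a firewall DENY rule would drop this packet
        q = recent[(ip, qtype, qname.lower())]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_S:
            q.popleft()            # forget queries older than the window
        if len(q) >= THRESHOLD:
            # The listed IP may be a spoofed victim rather than the real sender.
            blocked_until[ip] = ts + BLOCK_S
            occurrences[ip] += 1   # re-listing after expiry counts again
            q.clear()
    return dict(occurrences)

if __name__ == "__main__":
    print(detect(sample_log()))
```

The second burst starts after the first deny entry has expired, so the same client is listed twice, which is what a value above 1 in the Occurrences column represents.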
Bad Client Requests
This shows the most common requests made by each Bad Client (see above).
| Count | Request type | Request | Likely Reason |
|---|---|---|---|
| 4,146,914 | ANY | census.gov | Results in a large amount of data being returned for a very small query |
| 22,513 | ANY | . | This is a query for the root name servers so again it results in a very large amount of data being returned in comparison to the query (a single dot) |
| 22,317 | ANY | fb.com | This redirects to facebook.com so I'm not sure of the purpose of this one. The query result is not particularly large so I'm not sure what is trying to be achieved here. |
| 8.323 | A | sl | Results in a large amount of data being returned for a very small query |
| 36 | CH (chaos) / TXT | version.bind | Attempts to get the version of BIND running on the server so that it can be attacked with known exploits |
Requests
These are the top 10 genuine requests once the Bad Client Requests have been removed (see table above)