Statistics
Recent Statistics
This page shows statistics for March 2021
Bad Clients
This shows IP addresses making repeated requests for the same FQDN over and over again (i.e. many times per minute).
There are two reasons to want to do this:
- To cause a Denial of Service against the IP address shown in the Reverse DNS column (because the FROM address in a DNS query is easily spoofed)
- To attempt to overload the DNS server by making repeated requests
In both cases WinBIND protects against this by automatically adding a DENY rule to the Windows Firewall within a few minutes of detection. WinBIND removes the offending client from the firewall rule after a certain period of time, so the Occurrences column shows the number of times this IP address found itself on the blacklist again.
IP Address | Occurrences | Reverse DNS |
|---|---|---|
35.200.159.104 | 7 | 104.159.200.35.gc.googleusercontent.com |
101.71.138.0 | 5 | - |
74.63.237.180 | 5 | 180-237-63-74.static.reverse.lstn.net |
117.27.239.0 | 4 | - |
5.63.14.144 | 4 | 5-63-14-144.faraso.org |
Bad Client Requests
This shows the most common requests made by each Bad Client (see above).
Count | Request type | Request | Likely Reason |
|---|---|---|---|
6,049,360 | ANY | census.gov | Results in a large amount of data being returned for a very small query |
164,339 | ANY | . | This is a query for the root name servers so again it results in a very large amount of data being returned in comparison to the query (a single dot) |
7,515 | ANY | sl | Results in a large amount of data being returned for a very small query |
1,513 | A | login.live.com | Results in a large amount of data being returned for a very small query |
228 | CH (chaos) / TXT | version.bind | Attempts to get the version of BIND running on the server so that it can be attacked with known exploits |
145 | ANY | vtk.be | This one was unexpected, I haven't seen it before. Again it results in a large amount of data being returned in comparison to the query |
Requests
These are the top 10 genuine requests once the Bad Client Requests have been removed (see table above)
Count | Request |
|---|---|
48,517 | www.example.com (this one is surprising!) |
19,397 | 235.206.188.5.in-addr.arpa |
16,825 | play.google.com |
12,282 | v10.events.data.microsoft.com |
12,250 | 246.206.188.5.in-addr.arpa |
10,782 | aka.ms |
10,220 | catalog.gamepass.com |
9,955 | ip-113-131.4vendata.com |
8,785 | outlook.office.com |
6,770 | profile.accounts.firefox.com |