Statistics

Recent Statistics

This page shows statistics for March 2021

Bad Clients

This shows IP addresses that repeatedly request the same FQDN (i.e. many times per minute).

There are two reasons a client would do this:

  • To cause a Denial of Service against the IP address shown in the Reverse DNS column (the FROM address in a DNS query is easily spoofed, so the server's responses are sent to that address)
  • To attempt to overload the DNS server by making repeated requests

In both cases WinBIND protects against this by automatically adding a DENY rule to the Windows Firewall within a few minutes of detection. WinBIND removes the offending client from the firewall rule after a certain period of time, so the Occurrences column shows the number of times this IP address found itself on the blacklist again.

| IP Address | Occurrences | Reverse DNS |
|---|---|---|
| 35.200.159.104 | 7 | 104.159.200.35.gc.googleusercontent.com |
| 101.71.138.0 | 5 | - |
| 74.63.237.180 | 5 | 180-237-63-74.static.reverse.lstn.net |
| 117.27.239.0 | 4 | - |
| 5.63.14.144 | 4 | 5-63-14-144.faraso.org |
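
The detection and re-listing behaviour described above can be sketched as follows. This is an added example, not WinBIND's own code: the window, threshold, block duration and the simplified query tuples are assumptions, since the page does not state WinBIND's actual values or log format.

```python
from collections import defaultdict, deque

WINDOW_S = 60     # assumed look-back window ("many times per minute")
THRESHOLD = 20    # assumed identical queries per window that trigger a block
BLOCK_S = 600     # assumed time a client stays on the deny rule

def find_bad_clients(queries, window=WINDOW_S, threshold=THRESHOLD, block=BLOCK_S):
    """queries: time-ordered (epoch_seconds, client_ip, qname, qtype) tuples.
    Returns {client_ip: occurrences}, i.e. how often each client was block-listed."""
    recent = defaultdict(deque)    # (ip, qname, qtype) -> timestamps in the window
    blocked_until = {}             # ip -> time at which the deny entry expires
    occurrences = defaultdict(int)
    for ts, ip, qname, qtype in queries:
        if blocked_until.get(ip, 0) > ts:
            continue               # the firewall would already drop this packet
        # Normalise so "census.gov." / "ANY" and "census.gov" / "any" match;
        # the root query "." stays ".".
        key = (ip, qname.lower().rstrip(".") or ".", qtype.upper())
        stamps = recent[key]
        stamps.append(ts)
        while stamps and stamps[0] <= ts - window:
            stamps.popleft()       # forget queries older than the window
        if len(stamps) >= threshold:
            blocked_until[ip] = ts + block
            occurrences[ip] += 1   # one more appearance on the blacklist
            for k in [k for k in recent if k[0] == ip]:
                del recent[k]      # start clean once the block expires
    return dict(occurrences)

def sample_queries():
    """Constructed sample traffic using documentation IP ranges, not real log data."""
    flood = [(t, "192.0.2.10", "census.gov", "ANY") for t in range(0, 30)]
    again = [(t, "192.0.2.10", "census.gov.", "any") for t in range(700, 725)]
    normal = [(t, "198.51.100.7", "www.example.com", "A") for t in range(0, 300, 10)]
    return sorted(flood + again + normal)

if __name__ == "__main__":
    print(find_bad_clients(sample_queries()))
```

The flooding client is listed, dropped while blocked, and listed a second time when it resumes after the block expires, which is what the Occurrences column counts. The client querying every ten seconds never reaches the threshold.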

Bad Client Requests

This shows the most common requests made by each Bad Client (see above).

| Count | Request type | Request | Likely Reason |
|---|---|---|---|
| 6,049,360 | ANY | census.gov | Results in a large amount of data being returned for a very small query |
| 164,339 | ANY | . | This is a query for the root name servers so again it results in a very large amount of data being returned in comparison to the query (a single dot) |
| 7,515 | ANY | sl | Results in a large amount of data being returned for a very small query |
| 1,513 | A | login.live.com | Results in a large amount of data being returned for a very small query |
| 228 | CH (chaos) / TXT | version.bind | Attempts to get the version of BIND running on the server so that it can be attacked with known exploits |
| 145 | ANY | vtk.be | This one was unexpected, I haven't seen it before. Again it results in a large amount of data being returned in comparison to the query |

Requests

These are the top 10 genuine requests once the Bad Client Requests have been removed (see table above)

| Count | Request |
|---|---|
| 48,517 | www.example.com (this one is surprising!) |
| 19,397 | 235.206.188.5.in-addr.arpa |
| 16,825 | play.google.com |
| 12,282 | v10.events.data.microsoft.com |
| 12,250 | 246.206.188.5.in-addr.arpa |
| 10,782 | aka.ms |
| 10,220 | catalog.gamepass.com |
| 9,955 | ip-113-131.4vendata.com |
| 8,785 | outlook.office.com |
| 6,770 | profile.accounts.firefox.com |