Statistics

Recent Statistics

This page shows statistics for April 2021

Bad Clients

This shows IP addresses that repeatedly request the same FQDN (i.e. many times per minute).

There are two reasons someone might do this:

  • To cause a Denial of Service against the IP address shown in the Reverse DNS column (because the FROM address in a DNS query is easily spoofed)
  • To attempt to overload the DNS server by making repeated requests

In both cases WinBIND protects against this by automatically adding a DENY rule to the Windows Firewall within a few minutes of detection. WinBIND removes the offending client from the firewall rule after a certain period of time, so the Occurrences column shows the number of times this IP address found itself on the blacklist again.

| IP Address | Occurrences | Reverse DNS |
|---|---|---|
| 184.90.132.21 | 31 | 184-090-132-021.res.spectrum.com |
| 193.151.14.84 | 11 | 84-14.alba.dp.ua |
| 97.102.67.187 | 8 | 097-102-067-187.res.spectrum.com |
| 172.92.217.153 | 7 | - |
| 67.171.250.74 | 6 | c-67-171-250-74.hsd1.wa.comcast.net |
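
The detect, block and re-list cycle described above, sketched as an added example (this is not WinBIND's own code). The BIND-style query log lines are constructed, and the threshold, window and block duration are assumed values because the page does not state them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the page does not state WinBIND's real thresholds.
THRESHOLD = 5                      # same-name queries from one client...
WINDOW = timedelta(minutes=1)      # ...within this window trigger a block
BLOCK_FOR = timedelta(minutes=10)  # lifetime of the simulated DENY rule

# BIND 9 querylog style: "<date> <time>.ms ... client [@0x..] IP#port (name): query: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]*)\): query: "
)

def scan(lines):
    """Return {ip: occurrences}, i.e. how often each client was (re)blocked."""
    recent = defaultdict(deque)    # (ip, qname) -> timestamps still inside WINDOW
    blocked_until = {}             # ip -> expiry of the simulated DENY rule
    occurrences = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not a query line
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        ip = m["ip"]
        if ts < blocked_until.get(ip, datetime.min):
            continue               # the firewall would have dropped this packet
        seen = recent[(ip, m["qname"].lower())]
        seen.append(ts)
        while ts - seen[0] > WINDOW:
            seen.popleft()
        if len(seen) >= THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR   # simplification: block at once
            occurrences[ip] += 1
            seen.clear()
    return dict(occurrences)

def _line(ts, ip, qname, qtype):   # builds one constructed log line
    return (f"{ts}.000 queries: info: client @0x7f0000000000 {ip}#40000 "
            f"({qname}): query: {qname} IN {qtype} +E(0) (203.0.113.53)")

# Constructed sample: one client bursts twice, another queries at a normal rate.
SAMPLE = (
    [_line(f"01-Apr-2021 12:00:0{s}", "192.0.2.10", "example.org", "ANY") for s in range(6)]
    + [_line(f"01-Apr-2021 12:15:0{s}", "192.0.2.10", "example.org", "ANY") for s in range(5)]
    + [_line(f"01-Apr-2021 12:0{m}:30", "198.51.100.7", "www.example.org", "A") for m in range(3)]
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the source address of a DNS query can be spoofed, as noted above, an address counted this way may belong to the target of the traffic rather than its sender.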

Bad Client Requests

This shows the most common requests made by each Bad Client (see above).

| Count | Request type | Request | Likely Reason |
|---|---|---|---|
| 4,596,346 | ANY | census.gov | Results in a large amount of data being returned for a very small query |
| 7,645 | ANY | sl | Results in a large amount of data being returned for a very small query |
| 5,688 | ANY | . | This is a query for the root name servers so again it results in a very large amount of data being returned in comparison to the query (a single dot) |
| 125 | A | pizzaseo.com | This is unexpected, I'm not sure what's being attempted here |
| 62 | CH (chaos) / TXT | version.bind | Attempts to get the version of BIND running on the server so that it can be attacked with known exploits |
| 29 | ANY | vtk.be | This one was unexpected, I haven't seen it before. Again it results in a large amount of data being returned in comparison to the query |

Requests

These are the top 10 genuine requests once the Bad Client Requests have been removed (see table above)

| Count | Request |
|---|---|
| 34,636 | 236.206.188.5.in-addr.arpa (this is surprising) |
| 32,233 | www.example.com |
| 16,448 | play.google.com |
| 16,215 | a.root-servers.net |
| 15,132 | 122.209.191.91.in-addr.arpa |
| 12,745 | v10.events.data.microsoft.com |
| 11,187 | aka.ms |
| 10,281 | 246.206.188.5.in-addr.arpa |
| 10,139 | catalog.gamepass.com |
| 9,574 | outlook.office365.com |