This shows IP addresses making repeated requests for the same FQDN over and over again (i.e. many times per minute).
There are two reasons to want to do this:
To cause a Denial of Service against the IP address shown in the Reverse DNS column (because the FROM address in a DNS query is easily spoofed)
To attempt to overload the DNS server by making repeated requests
In both cases WinBIND protects against this by automatically adding a DENY rule to the Windows Firewall within a few minutes of detection. WinBIND removes the offending client from the firewall rule after a certain period of time, so the Occurrences column shows the number of times this IP address found itself on the blacklist again.
IP Address
Occurrences
Reverse DNS
184.90.132.21
31
184-090-132-021.res.spectrum.com
193.151.14.84
11
84-14.alba.dp.ua
97.102.67.187
8
097-102-067-187.res.spectrum.com
172.92.217.153
7
-
67.171.250.74
6
c-67-171-250-74.hsd1.wa.comcast.net
Bad Client Requests
This shows the most common requests made by each Bad Client (see above).
Count
Request type
Request
Likely Reason
4,596,346
ANY
census.gov
Results in a large amount of data being returned for a very small query
7,645
ANY
sl
Results in a large amount of data being returned for a very small query
5,688
ANY
.
This is a query for the root name servers so again it results in a very large amount of data being returned in comparison to the query (a single dot)
125
A
pizzaseo.com
This is unexpected, I'm not sure what's being attempted here
62
CH (chaos) / TXT
version.bind
Attempts to get the version of BIND running on the server so that it can be attacked with known exploits
29
ANY
vtk.be
This one was unexpected, I haven't seen it before. Again it results in a large amount of data being returned in comparison to the query
Requests
These are the top 10 genuine requests once the Bad Client Requests have been removed (see table above)