Minipot attacks decreased by nearly a half from the preceding month in August. The subnet 22.214.171.124/24 members were not so active last month, and we can see addresses from other countries emerging at the top of the table. Notable mentions go to some European countries, namely Germany and Romania, who got back into the spotlight.
Number of individual attackers had risen and minipot attacks doubled. Last month only three of the top attackers emerged from subnet 126.96.36.199/24, yet this month the majority of all attackers came from this Iraq subnet.
A DNS zone is usually served by multiple authoritative servers, which is actually recommended for the sake of redundancy. Large authoritative DNS operators even combine different name server implementations to avoid complete infrastructure outage in case of any software error. For synchronizing zone contents between authoritative servers, a DNS-specific mechanism is available, called zone transfer. It is well established and supported by all common DNS implementations. It enables both full zone transfer (AXFR) and incremental update (IXFR).
The total number incidents decreased by half. However, there are only slightly fewer than 10,000 distinct attackers on the greylist. The last month’s seemingly minor reduction may have been indicative of an ongoing decline.
The overall count for total incidents dropped by 100 million. Sounds like a lot, but given the number of attacks we recorded (1.6 billion), it is just less than 10% decrease. Still significant, but not as shocking as hundred millions sounds. The results for minipot traps have not changed significantly from previous month, it seems the attackers are pretty consistent in regards to what services interest them the most.
Moving to April, we gained almost ten thousand more unique attackers on average, according to the Greylist. To provide even more context to the events, we added yet another interesting figure — the number of total incidents recorded.
Looking at Greylist and Incidents Statistics, March data seem to be quite stable in comparison with the previous month. The total count of incidents did not drop significantly from February as the difference is about 100k incidents. The total number of incidents in February, divided by the number of days in the month and then multiplied by 30.36 (average number of days in a month) is 20,543,356.40. For March, using the same rules, we get 20,461,799.03.
A long time ago, CZ.NIC started a project called Netmetr, which was performed in cooperation with the Czech Telecommunication Office (CTU). The goal was to provide a reliable Internet connectivity benchmark that ordinary people can use to verify the parameters of their Internet connection. The cooperation went well and CTU was getting more and more interesting data about the quality of Internet connectivity in the Czech
Republic. Moreover, CTU decided to integrate the service into their systems and maintain it by themselves. They used the open-source software Netmetr and created Nettest – their own instance integrated into their environment. That unfortunately meant that the Netmetr itself lost its main purpose and it no longer made sense to keep it running.
In February, we saw about a 10% decrease in the number of unique attackers, but they were more active. Usually, we see attackers come and go, but in February, although it was fewer attackers in total, we had on average, more attackers blocked every day. This means that those attackers stayed active longer than in January.
Safer Internet Day is celebrated in more than 180 countries around the world, always on the second Tuesday of February. This year, this day fell on February 7 and was celebrated for the 20th time. The coordinator of this day for the Czech Republic is the National Safer Internet Center, managed by the CZ.NIC Association.