Last month's DNS attack might have been a botnet demo for potential buyers, ICANN says

The attackers behind the distributed denial-of-service attack last month on the Internet's DNS root servers may have been doing a little botnet sales pitch, according to a newly released postmortem report on the attack.

The so-called "factsheet" document, issued yesterday by the Internet Corporation for Assigned Names and Numbers (ICANN), didn't draw any final conclusions on the reasons or motivation for the attack, but it did provide some theories, and it shed new light on a few details about the attack.

In the wake of the Feb. 6 distributed denial-of-service (DDoS) attack that temporarily crippled, but did not disable, two of the Internet's 13 Domain Name System root servers, security experts said it was probably a test-run for a larger and more disruptive attack.

The ICANN document says one explanation for DNS root server attacks is to "act as an advertisement for a particular botnet."

Botnet marketing is an interesting theory for last month's attack, says David Ulevitch, CEO of OpenDNS and EveryDNS, both DNS services. "They mentioned that it might be someone trying to show the 'strength' of their botnet-for-hire," Ulevitch says. "Not a test-run for a larger attack against the roots [themselves], but a way for an attacker to show the disruptive potential of their botnet to someone who might purchase it from them to cause harm against other less fortified victims."

Ulevitch says another attack on the DNS root servers is likely, but it shouldn't "destabilize" DNS root operations.

The attack proved how effective the "anycast" technique really is in protecting the servers from DDoS, according to the report. With anycast, the same root server IP address is announced from many physical locations, so routing delivers each query to the nearest instance and no single machine has to absorb the whole load. And the five DNS root servers that were not using anycast at the time of the attack likely will do so soon, the ICANN paper said.

The paper -- which ICANN penned for a non-technical audience to educate end users on the attack -- also provided a glimpse at the actual volume of the attack. In some cases, Internet engineers measured 1 Gbit/s of data hitting some root servers -- the equivalent of 13,000 emails per second, or over 1.5 million emails in two minutes.

It began around 7 a.m. Eastern and lasted for two and a half hours, according to the report. A second wave of DDoS came three and a half hours later and lasted five hours. The report confirmed earlier assessments that the attack had "limited impact" on Internet users.

The paper also echoed earlier reports that the attack traffic originated from the Asia-Pacific region. So far, the data is inconclusive as to whether it definitely was from bot-infected machines in South Korea, as initial investigations had indicated.

ICANN says the attack could have been from multiple countries. It's hard to tell, given the possibility of spoofed IP addresses, and the possibility that the attack could have been triggered from elsewhere in the world via zombies.

The two hardest hit root servers were the "G" root server in Ohio, run by the Department of Defense, and ICANN's "L" root server in California, according to the report. These were the only two of the six targeted that had not yet implemented anycast technology. Three additional root servers that were spared in the attack also have yet to deploy anycast, the report said.

ICANN says not having all the servers anycast-enabled was a "conscious decision" by the root operators, amid concerns of a single point of failure situation. "There were some concerns that there might be a security risk in allowing a lot of different servers to appear as if they were coming from the same place," the paper said. The plan was for a few root servers to test it out first and iron out any glitches.

To help mitigate future attacks, ICANN recommended last year -- and reiterated in the paper -- that DNS server operators verify source IP addresses, and that ISPs should only accept DNS queries from "trusted sources (i.e. their own customers)." ICANN acknowledged that the recommendations had been "met with mixed success."

In addition, ICANN called for educating consumers on botnet infection, and ensuring that consumers change their home router's default passwords.

But whether the recommendations for thwarting future DNS infrastructure attacks will fall on deaf ears is unclear. "Getting ISPs to implement source filtering and turning off open-recursive lookups has been an ongoing battle for many years -- and one with only limited success," says Craig Labovitz, director of engineering at Arbor Networks. "And while reflective attacks provide an easy way for zombies to attack [and] multiply firepower, it is not clear reflection played a significant role in the most recent attacks."
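The two ICANN recommendations above (verifying source IP addresses at the ISP edge, and accepting recursive DNS queries only from an ISP's own customers), together with the open-recursive-resolver problem Labovitz refers to, come down to two policy decisions. The Python below models both: a BCP 38 style ingress filter that drops packets whose source address is not one of the ISP's own customer prefixes, and a resolver policy that refuses recursion for anyone who is not a customer. This is an added example written for this page, not code from ICANN, Arbor Networks or Dark Reading; the ISP prefixes, the resolver address and the packet samples are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List

# Hypothetical ISP: the prefixes it assigns to customers
# (constructed for this example; RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Address of the recursive resolver the ISP runs for those customers
# (constructed).
RESOLVER_IP = ipaddress.ip_address("203.0.113.53")

Packet = Dict[str, object]


def is_customer_source(src: str) -> bool:
    """True if the source address lies inside a prefix this ISP
    hands out to its own customers."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def ingress_filter(packets: Iterable[Packet]) -> Dict[str, List[Packet]]:
    """Source-address verification (BCP 38) at the customer edge.

    Traffic entering from the customer side can legitimately carry only
    customer source addresses. Anything else is spoofed and is dropped,
    so a bot on this ISP's network cannot forge packets that claim to
    come from a victim (the basis of reflection attacks)."""
    result: Dict[str, List[Packet]] = {"forwarded": [], "dropped_spoofed": []}
    for pkt in packets:
        if is_customer_source(str(pkt["src"])):
            result["forwarded"].append(pkt)
        else:
            result["dropped_spoofed"].append(pkt)
    return result


def resolver_policy(query: Packet) -> str:
    """Recursion policy for the ISP's resolver, per query:
      RECURSE      - recursion desired and the client is a customer
      REFUSED      - recursion desired but the client is an outsider
                     (an open resolver would recurse here and become a
                     reflector for spoofed queries)
      NONRECURSIVE - recursion not requested; answer only from cache or
                     authoritative data, never by recursing
    """
    if not query.get("rd", False):
        return "NONRECURSIVE"
    if is_customer_source(str(query["src"])):
        return "RECURSE"
    return "REFUSED"


# Constructed sample: what a customer-edge router might see.
SAMPLE_PACKETS: List[Packet] = [
    # A customer asking the ISP resolver to recurse: legitimate.
    {"src": "203.0.113.10", "dst": str(RESOLVER_IP), "rd": True},
    # A customer sending a non-recursive query to an outside server.
    {"src": "198.51.100.20", "dst": "192.0.2.53", "rd": False},
    # A bot forging a victim's address as source: spoofed, must be dropped.
    {"src": "192.0.2.1", "dst": "192.0.2.53", "rd": True},
]

# Constructed sample: queries arriving at the resolver itself.
SAMPLE_QUERIES: List[Packet] = [
    {"src": "203.0.113.10", "dst": str(RESOLVER_IP), "rd": True},  # customer
    {"src": "192.0.2.7", "dst": str(RESOLVER_IP), "rd": True},     # outsider
    {"src": "192.0.2.7", "dst": str(RESOLVER_IP), "rd": False},    # outsider, no recursion
]


def run_demo() -> Dict[str, object]:
    """Apply both policies to the constructed samples."""
    filtered = ingress_filter(SAMPLE_PACKETS)
    decisions = [resolver_policy(q) for q in SAMPLE_QUERIES]
    return {
        "forwarded": [p["src"] for p in filtered["forwarded"]],
        "dropped_spoofed": [p["src"] for p in filtered["dropped_spoofed"]],
        "resolver_decisions": decisions,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In production the first decision lives on the ISP's customer-facing routers as BCP 38 ingress filtering, and the second is a resolver configuration option (in BIND 9, `allow-recursion { localnets; };` restricts recursion to the resolver's own networks); the code only models the decision each of them makes so the effect on spoofed and outsider traffic is visible.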

Labovitz says he agrees with the ICANN report that massively replicating servers and anycast is the best plan for now.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
