The internet's root servers were not the target of a distributed denial-of-service (DDoS) attack in December which for a short time took out four of the 13 pillars of the global network.

That's according to two security researchers who will present their findings at a conference in Argentina on Friday. Instead, they conclude the likely target of the massive assault was two seemingly obscure domain names registered in China.

Matt Weinberg and Duane Wessels work as DNS specialists for Verisign, the US company that operates two root servers and also approves changes to the internet root zone. Weinberg and Wessels carried out an extensive investigation into the flood of junk traffic that most root servers received on 30 November and 1 December 2015. A copy of their presentation [PPTX] is now available online.

The two make a number of conclusions. First that a relatively new system for combating DDoS attacks – response rate limiting (RRL) – proved effective, reducing the volume of traffic by 60 per cent.

They also conclude that although all but three of the root servers received heavy traffic, causing four to drop offline for a short period of time, the attack was not directed at the root servers, but at two specific domain names – 336901.com and 916yy.com – which do not currently resolve and which are both registered in China with fake or anonymous details.

Terrorist involvement?

Despite what security expert John McAfee claimed following the assault, the researchers remain convinced that the IP source addresses from which the invasion originated were spoofed. They link to a video that would appear to show that there is clearly a computer program generating spoofed addresses, and provide a number of graphical representations of the attack traffic that appear to back up their point.

There is no mention in the report of claims that the DDoS attack stemmed from a smartphone app reportedly used by the Islamic State to spread news and propaganda (the ISIS Amaq News Agency app).

McAfee claimed in response to earlier information from the invasion that IP addresses were spread broadly across the IPv4 address space, which would be "virtually impossible using spoofing." However, Weinberg and Wessels say there were in fact three different assaults going on at the same time: a broad but low-volume attack coming from a huge number of IP address (895 million of them, as McAfee mentioned) and then two more high-volume attacks that cycled through IP address blocks. There were just under 5,000 IP addresses that accounted for 86 per cent of the traffic and of them, only 200 accounted for 68 per cent of the attack traffic.

The researchers identify that it was a specific attack (as opposed to a random error) with command and control instructions being identified, and that the attack occurred through a botnet that used the well-known "BillGates" malware.

That doesn't mean the theory of a new ISIS DDoS app is wrong. It's just not as likely as the pre-existing situation where there are a number of botnets across the world used to carry out such assaults.

Halting the attacking required expert interference: DNS specialists reviewed the attack traffic and developed a filter to cut it out. When the root server operators agreed and installed it, the attack traffic was killed stone dead.

While the researchers note that hitting the Enter key and killing off the attack instantly was very satisfying, they warn that having a system that requires expert analysis and manual deployment is far from ideal. Such an approach does bring with it the risk of unintended consequences.

Mitigation: RRL standard helped cut attack traffic, but a manual filter was required to kill it

Why did the assault happen at all? That's still hard to know. The domain names that are at the center of things don't appear to have any special relevance, although it is possible they were being used for some nefarious purposes to the extent that someone decided they needed to be taken down. But that's pure speculation.

As to how to limit the impact of future attacks: the RRL improvement that was first introduced in version 9.9.4 of the BIND software used by a large number of root servers in September 2013 helped significantly. But the size of the attack was such that it didn't prevent significant problems.

A better solution – as ever – is for all ISPs to implement existing best practices (such as the BCP 38 standard) and so limit the ability to spoof attacks.

Another solution that has been put forward by the creator of RRL – former operator of the F-root server Paul Vixie – is to develop a liability model that would penalize network operators that allow attack traffic to flow across their networks.

In that sense, this week's presentation lists the top 20 ASN numbers and their owners through which most of the assault traffic flowed. Of the 20, nine are in the United States and five are in China.

Top of the list: Purevoltage Enterprises based in Seattle.

If the world's governments take their pledges to work on cybersecurity seriously, details such as who is responsible for the networks across which the bulk of attack traffic is crossing could prove useful. ®