3 June 2026 DDoS Security

VentraIP's 600Gbps DDoS Attack: How Australian Home Devices Brought Down a Web Host

On 23 May 2026, VentraIP — Australia's largest privately owned web host, serving 300,000 customers — was hit by a DDoS attack its founders had never seen in 18 years of operation. At over 600Gbps, the assault was large enough to knock two of VentraIP's upstream telco providers completely offline and leave customer websites, email services, and virtual servers inaccessible for nearly three days. The source of the attack was striking: compromised devices inside Australian homes, their NBN connections turned against the country's own digital infrastructure.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

Three Days Offline: Inside the VentraIP Outage

At approximately 10:30 AEST on Saturday 23 May 2026, VentraIP's network operations team confirmed an ongoing distributed denial-of-service attack against its infrastructure. Customers began reporting a partial or complete loss of access to their websites, email services, and hosted applications almost immediately. By mid-afternoon, VentraIP reported tentative mitigation — but the attack was far from over. It took until 09:12 AEST on 26 May for the incident to be declared fully resolved, a span of nearly three days.

The scale was unprecedented. VentraIP's post-incident communications put the attack volume in excess of 600Gbps, and Nexigen co-founder Cheyne Jonstone suggested the peak may have exceeded the terabit mark. To put that in context, a single gigabit connection carries approximately 125 megabytes of data per second. At 600Gbps, the attacking traffic amounted to roughly 75 gigabytes of data every second, sustained for hours.

The blast radius extended well beyond VentraIP itself. The attack was large enough to take two major upstream telco providers that VentraIP uses for data transit completely offline, while simultaneously saturating all of VentraIP's own peering links. When transit carriers go dark, downstream customers lose connectivity regardless of any mitigation steps taken at the hosting layer. In a statement, VentraIP noted: "In 18 years, we have never seen an attack of this size or scale."

VentraIP services approximately 300,000 customers across domain registration, shared web hosting, SSL certificates, and virtual private servers. That customer base skews heavily toward Australian small businesses, sole traders, and web developers managing client sites. Many of those businesses had no public-facing presence and no way to communicate with customers via email for the duration of the outage. For a weekend attack on an SMB-heavy customer base, the timing was well-chosen: reduced IT staffing, higher ecommerce traffic, and limited capacity to respond quickly.

The attack was eventually attributed to a botnet composed primarily of compromised devices on Australian home internet connections. Sources cited in Information Age (ACS) describe the assault as most likely involving an IoT-based botnet, potentially operating as a DDoS-for-hire service. That detail is significant — and is what makes this attack a warning for every Australian home user, not just VentraIP customers.

Why the NBN Made Australian Homes Ideal Botnet Nodes

The involvement of Australian home devices in a terabit-scale DDoS is not accidental. It reflects a structural shift in how the NBN changed the attack surface of Australia's residential internet landscape — and it has significant implications for businesses that assume DDoS threats only originate offshore.

Under the old ADSL and VDSL copper network, Australian home connections were asymmetric by design. Download speeds might reach 20-50Mbps, but upload speeds were typically capped at 1-5Mbps. Upload bandwidth is what matters for DDoS attacks: a botnet device contributes its outbound traffic to the attack volume. A home device on 2Mbps upload contributes a trivial amount to any botnet campaign.

NBN's fibre-to-the-premises (FTTP), fixed wireless, and hybrid fibre-coax (HFC) services changed that equation dramatically. Entry-level NBN plans now commonly include 20Mbps upload, with higher tiers offering 50Mbps or more on FTTP. IDM Magazine noted that the same botnet produces roughly fifty times the traffic on NBN connections compared to the copper infrastructure it replaced. Australia's transition to the NBN — largely completed in the early 2020s — inadvertently created a nationally distributed botnet substrate with far greater capacity than existed before.

The second factor is the state of home devices themselves. Australia's residential networks are filled with consumer routers, smart TVs, IP cameras, network-attached storage (NAS) devices, smart doorbells, gaming consoles, and an expanding range of internet-of-things appliances. The majority of these devices ship with default administrator credentials that most users never change. Many run firmware that hasn't been updated since purchase — or whose manufacturers have stopped issuing updates entirely. Devices running outdated software with known unpatched vulnerabilities are straightforward targets for automated scanning tools.

The economics of DDoS-for-hire reinforce the incentive. Botnet operators sell attack capacity by the hour on darknet marketplaces; a 600Gbps campaign can be commissioned for a few hundred dollars. The buyer specifies a target IP and duration — the botnet herder directs the compromised devices, including those on Australian NBN connections, to do the rest.

This is what happened to VentraIP. Someone rented capacity, pointed it at VentraIP's network edge, and the compromised devices in Australian lounge rooms and home offices did the rest. The victims of the attack were VentraIP's 300,000 customers. The unwitting participants were ordinary Australians whose household gadgets had been quietly conscripted into a for-hire attack service.

How IoT Botnets Are Built — and Why Yours Might Already Be Enrolled

Scanning and initial compromise

IoT botnets begin with automated internet-wide scanning. Tools like Masscan can probe the entire IPv4 address space in under five minutes. Scanners look for devices exposing common management interfaces — Telnet on port 23, SSH on port 22, HTTP administrative panels on port 80 or 8080 — and attempt authentication using lists of factory-default credentials. Manufacturers of budget routers, cameras, and smart devices have historically used simple credentials like admin/admin, admin/password, or a printed serial number that follows a predictable pattern. A device with an unmodified default login is compromised in seconds once a scanner finds it.

The Mirai botnet, first identified in 2016, popularised this approach and its source code has since been adapted into dozens of successor families — Moobot, Satori, and others — that continue to circulate globally. The mechanism remains unchanged: scan, authenticate using defaults, deploy malware that connects back to a command-and-control (C2) server and awaits instructions. Many implementations don't persist across reboots but rely on rapid reinfection, continuously scanning for new targets.
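As an added illustration (not code from the original article), the scan-and-default-login stage described above leaves a recognisable trace on any device that logs authentication attempts, such as a NAS running sshd. The script flags source addresses with many failed logins that include vendor-default usernames; the log lines, IP addresses and the DEFAULT_USERS list are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog style; not real log data.
SAMPLE_LOG = """\
May 23 02:14:01 nas sshd[812]: Failed password for admin from 198.51.100.7 port 50122 ssh2
May 23 02:14:02 nas sshd[812]: Failed password for admin from 198.51.100.7 port 50123 ssh2
May 23 02:14:02 nas sshd[813]: Failed password for root from 198.51.100.7 port 50124 ssh2
May 23 02:14:03 nas sshd[814]: Failed password for invalid user support from 198.51.100.7 port 50125 ssh2
May 23 02:14:04 nas sshd[815]: Failed password for invalid user user from 198.51.100.7 port 50126 ssh2
May 23 02:14:05 nas sshd[816]: Failed password for invalid user guest from 198.51.100.7 port 50127 ssh2
May 23 08:30:11 nas sshd[901]: Failed password for alice from 192.168.1.20 port 41000 ssh2
May 23 08:30:19 nas sshd[902]: Accepted password for alice from 192.168.1.20 port 41001 ssh2
"""

# sshd writes "invalid user NAME" when the account does not exist at all.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Assumed list of account names that ship as factory defaults on budget devices
# and that Mirai-style scanners therefore try first.
DEFAULT_USERS = {"admin", "root", "support", "user", "guest", "service"}

def find_default_credential_scans(log_text, min_failures=5):
    """Return {ip: (failure_count, sorted_default_users_tried)} for every source
    that failed at least min_failures logins AND tried a default username.
    A single mistyped password from a household user never meets both tests."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
    hits = {}
    for ip, users in failures.items():
        tried_defaults = sorted(set(users) & DEFAULT_USERS)
        if len(users) >= min_failures and tried_defaults:
            hits[ip] = (len(users), tried_defaults)
    return hits

if __name__ == "__main__":
    for ip, (count, users) in find_default_credential_scans(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, default accounts tried: {', '.join(users)}")
```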

Amplification and the Australian upload problem

Once a device is enrolled in the botnet, the C2 infrastructure can direct all infected devices simultaneously to flood a target. Volumetric DDoS attacks — the type used against VentraIP — work by consuming the target's inbound bandwidth, overwhelming the network interface before requests even reach a web server. At 600Gbps, the target receives more data per second than most Tier 1 internet exchanges can process, which is why VentraIP's upstream telco providers were collateral damage: the traffic volume saturated transit links shared by many customers, not just VentraIP.

The NBN makes Australian home devices disproportionately valuable in this model. A botnet of 60,000 devices, each contributing 10Mbps upload, generates exactly 600Gbps of attack traffic. On old ADSL with 2Mbps upload, you'd need three million devices to achieve the same volume. The same botnet produces fifty times the impact on NBN. Australia's approximately 10 million active NBN services — concentrated in suburban areas, heavily IoT-device-equipped — represent a premium attack substrate that botnet operators increasingly target for recruitment.

DDoS-for-hire: the commodity market for disruption

The botnet infrastructure used against VentraIP was most likely rented rather than purpose-built. "Stresser" or "booter" services advertise on darknet forums and, in some cases, on the clearnet, offering volumetric DDoS capability by the hour or gigabit. Pricing is openly listed; a campaign of several hundred gigabits for a few hours costs less than a tank of fuel. The end buyer doesn't interact with any technical infrastructure — they enter a target address, select a duration and intensity, and pay via cryptocurrency.

This commoditisation means a disgruntled competitor, a fired contractor, or an opportunistic criminal can commission an attack that takes down an SMB's online presence for days. The ACSC has consistently noted that denial-of-service attacks are a persistent and growing threat to Australian businesses — and the VentraIP incident shows that a single targeted attack can cause collateral damage across thousands of unrelated organisations.

What Australian Businesses on Shared Hosting Should Do Now

The VentraIP outage is a case study in collateral damage. None of VentraIP's 300,000 affected customers were the intended target of the attack — they were simply on the same infrastructure. That's the inherent risk of shared hosting: when the infrastructure is targeted, every tenant on it suffers. This isn't a criticism of VentraIP specifically; a 600Gbps attack would challenge any hosting provider without purpose-built anti-DDoS infrastructure. The lesson is about architecture, not vendor choice.

Audit your hosting provider's DDoS capability

Before the next incident, find out what your hosting provider actually does when a DDoS attack occurs. Ask: Do they have upstream scrubbing capacity? Is DDoS mitigation included in your plan or a paid add-on? What's the escalation process and notification timeline? Providers vary widely here — some have multi-terabit scrubbing centres, others have nothing beyond rate limiting at the edge. If your provider can't give a clear answer, that's informative.

Put a CDN or reverse proxy in front of your site

A content delivery network (CDN) absorbs volumetric traffic before it reaches your origin host. Cloudflare's free tier has handled multi-terabit attacks without origin servers seeing a packet. For a small business website, the setup is straightforward: point your DNS to the CDN, configure the origin server, and the CDN shields your actual IP address from the internet. Even if your hosting provider is under attack, a CDN layer means your site may remain reachable through the CDN's own scrubbing infrastructure.
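One caveat the paragraph above implies: the CDN only shields your origin if the origin itself refuses connections that did not come through the CDN, and the CDN's forwarded-client-IP header is trusted only on those connections, because anyone connecting directly can set it. The following is an added example of that origin-side check (not VentraIP's or Cloudflare's code): CDN_RANGES are placeholders to be replaced with the ranges your CDN publishes, and CF-Connecting-IP is Cloudflare's client-IP header, assumed here as the one your CDN sets.

```python
import ipaddress

# Placeholder CDN egress ranges for illustration only; substitute the list
# your CDN publishes (Cloudflare publishes its current ranges on its website).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:c0::/48")]

def is_from_cdn(remote_ip):
    """True when the TCP peer is one of the CDN's addresses."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in CDN_RANGES)

def resolve_client(remote_ip, headers):
    """Decide whether to serve a request and which IP to log and rate-limit on.
    Returns (allowed, client_ip). Direct hits that bypass the CDN are refused,
    which keeps the origin from answering whoever has discovered its address.
    The client-IP header is honoured only when the connection came from the CDN."""
    if not is_from_cdn(remote_ip):
        return (False, remote_ip)
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded:
        try:
            return (True, str(ipaddress.ip_address(forwarded)))
        except ValueError:
            return (False, remote_ip)  # malformed header: refuse rather than guess
    return (True, remote_ip)

if __name__ == "__main__":
    # Constructed requests: one via the CDN, one direct to the origin.
    print(resolve_client("203.0.113.25", {"CF-Connecting-IP": "198.51.100.9"}))
    print(resolve_client("198.51.100.9", {"CF-Connecting-IP": "203.0.113.1"}))
```

Wire resolve_client into whatever handles the request before any application logic runs; a firewall rule limiting port 80/443 to the same ranges is the belt to this braces.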

Keep your DNS TTL low and document a failover plan

DNS time-to-live (TTL) values control how long resolvers cache your domain's IP address. A TTL of 86,400 seconds (24 hours) means a broken IP address continues to be served to visitors for up to a day after you change it. Reducing your TTL to 300 seconds as a standing configuration dramatically reduces failover time. Document an emergency procedure: where is your backup hosting, who can access DNS management, and who is authorised to make changes under pressure?

Consider redundancy for mission-critical sites

For businesses where website availability directly equates to revenue — ecommerce, service booking, client portals — single-provider shared hosting is a single point of failure. A secondary VPS or cloud instance (even a modest $10-per-month instance on a separate provider) running a static emergency page with contact information and key links costs little to maintain and provides a fallback if your primary host is unreachable. Combined with DNS failover automation, this can reduce downtime from hours to minutes.

Review the Cyber Security Act obligations

Under Australia's Cyber Security Act 2024, businesses with annual turnover above $3 million that are targeted by a cyber incident — including DDoS — may have obligations under the Critical Infrastructure framework if they operate relevant infrastructure. Even if your business falls below that threshold, the ACSC's Essential Eight mitigation strategies apply: in particular, the patching and backup controls are directly relevant to the botnet threat discussed in this article.

How to Stop Your Home Devices Becoming Part of the Next Attack

The uncomfortable reality of the VentraIP attack is that some participating devices were sitting in the homes of the same SMB owners whose websites went offline. Securing home devices isn't just personal hygiene — it's a contribution to the resilience of Australia's shared internet infrastructure.

Update your router firmware — now

Consumer routers are the most common initial target for botnet recruitment, and most ISP-provided routers in Australia have automatic updates disabled by default. Log into your router's management interface, check for available firmware updates, and install them. If your router is more than five years old and the manufacturer has stopped issuing updates, replace it — legacy devices with unpatched vulnerabilities remain permanently exposed to known exploits regardless of any other precautions. Many ISPs will replace outdated modem-router hardware through their equipment programme at no or low cost.

Change default admin credentials on all devices

Every networked device in your home — router, NAS, IP camera, smart home hub — was shipped with a factory admin password. That password is listed in the product manual, on the manufacturer's website, and in botnet scanning databases. Changing it takes two minutes and immediately removes your device from the pool of easy targets. Use a unique, strong password for each device's management interface, and store it in a password manager rather than a sticky note on the device itself.

Disable UPnP on your router

Universal Plug and Play (UPnP) allows devices on your home network to automatically open ports on your router and make themselves accessible from the internet. It was designed for convenience — printers, game consoles, and media servers use it. It is also a significant attack vector. Malware on a compromised device can use UPnP to open ports for command-and-control communication or to expose other devices to external scanning. Disable UPnP in your router's settings unless you have a specific, tested reason to keep it enabled.

Segment IoT devices onto a separate network

Most modern home routers support a guest network feature. Putting your smart TV, cameras, doorbells, and other IoT appliances on the guest network — isolated from your main devices — limits the damage if any of them is compromised. A botnet-infected smart fridge on the guest network cannot reach your work laptop; it can only reach the internet and other guest-network devices. This segmentation is one of the more practical home security measures available without specialist equipment.

Monitor for anomalous upload traffic

DDoS botnet participation shows up as sustained high upload traffic. Most Australian ISPs provide data usage dashboards — a sudden upload spike, particularly overnight, warrants investigation. If you suspect compromise, contact your ISP and report to the ACSC via ReportCyber at cyber.gov.au.
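As an added example (not part of the original article), the check below applies the "sustained overnight upload" heuristic to hourly upload totals of the kind an ISP usage dashboard shows. The figures, the 10x-median ratio, the three-hour minimum and the midnight-to-6am window are constructed assumptions.

```python
from statistics import median

# Constructed hourly upload totals in MB for one household, keyed by hour of
# day (0-23); not real ISP data. A saturated 20Mbps NBN upload link moves about
# 9000 MB per hour, so hours 2-5 here look like a device flooding near line rate
# while everyone is asleep.
SAMPLE_UPLOAD_MB = {
    0: 8, 1: 6, 2: 8400, 3: 8600, 4: 8550, 5: 8500, 6: 30, 7: 45,
    8: 120, 9: 80, 10: 60, 11: 70, 12: 90, 13: 65, 14: 55, 15: 60,
    16: 110, 17: 150, 18: 200, 19: 180, 20: 140, 21: 90, 22: 40, 23: 15,
}

def flag_sustained_upload(hourly_mb, ratio=10, min_hours=3, overnight=range(0, 6)):
    """Return (start_hour, end_hour, peak_mb, all_overnight) for each run of at
    least min_hours consecutive hours whose upload exceeds ratio * median.
    Ordinary spikes (a cloud backup, a video call) rarely hold for hours;
    a DDoS flood does, and a median baseline is not dragged up by the flood."""
    threshold = median(hourly_mb.values()) * ratio
    runs, run = [], []
    for hour in sorted(hourly_mb):
        if hourly_mb[hour] > threshold:
            run.append(hour)
            continue
        if len(run) >= min_hours:
            runs.append(run)
        run = []
    if len(run) >= min_hours:
        runs.append(run)
    return [
        (r[0], r[-1], max(hourly_mb[h] for h in r), all(h in overnight for h in r))
        for r in runs
    ]

def upload_at_line_rate_mb_per_hour(upload_mbps):
    """MB an upload link can move in an hour if fully saturated (Mbps / 8 * 3600)."""
    return upload_mbps / 8 * 3600

if __name__ == "__main__":
    for start, end, peak, overnight in flag_sustained_upload(SAMPLE_UPLOAD_MB):
        where = "overnight" if overnight else "daytime"
        print(f"sustained upload {start:02d}:00-{end:02d}:59, peak {peak} MB/h ({where})")
```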

For businesses with remote workers, basic router security should be a condition of VPN or cloud access. A compromised home router is an entry point to corporate systems, not just a DDoS node. The ASD's Essential Eight addresses patching of internet-facing systems at Maturity Level 1 — home routers qualify when they're the gateway to corporate resources.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.