VentraIP Takedown Exposes the Shadow 'DDoS Tax'

A terabit-scale DDoS attack took Australia’s largest privately-owned Web host offline on Saturday 23 May. The takedown has laid bare a regulatory gap that forces enterprise and government customers to fund the country’s DDoS defences themselves.
No Australian law requires carriers, wholesalers or retail service providers to detect or block outbound malicious traffic from compromised consumer devices. The cost of mitigation falls entirely downstream.
Hosting providers absorb the first hit. They contract premium scrubbing from the likes of Cloudflare, Akamai and Micron21, then pass the cost to enterprise and government tenants through hosting fees. Organisations that self-host or run private or hybrid cloud pay the same vendors directly.
VentraIP and its wholesale sister Synergy Wholesale - both operated by Melbourne-based Nexigen Digital - effectively disappeared from the Internet on Saturday for several hours.
Cheyne Jonstone, Nexigen co-founder and non-executive director, told IDM the Distributed Denial of Service (DDoS) attack likely exceeded the terabit mark. A DDoS attack uses large numbers of compromised devices to flood a target with junk traffic until its internet connections are saturated and it falls offline.
The compromised devices that did the flooding in this case sat in Australian living rooms. A terabit per second is roughly the volume of one hundred thousand simultaneous high-definition Netflix streams, all fired at a single hosting provider.
Eight days earlier, Brisbane-based Binary Lane suffered what it called the largest DDoS attack it had observed. ASD's Australian Cyber Security Centre is engaged with that incident under an open case. Jonstone said Nexigen had been told the source of both attacks was the same.
Asked if those responsible had requested a ransom, Jonstone noted, "We had brief communications with them," but did not provide details.
Residential botnets in the Aisuru and Kimwolf families now number between one and four million compromised devices globally, almost all of them consumer routers, IP cameras and IoT equipment.
The novelty is the volume now possible. Jonstone pointed to the structural shift. "Traditionally, these attacks came from compromised servers and usually hosted from providers that have outbound mitigation," he told IDM.
"This was completely different, and with NBN services allowing for far greater upload capacity than previous DSL services, the ability to flood our peering and transit networks was far easier."
ADSL2+ delivered around one megabit per second upstream. NBN HFC and FTTP routinely deliver 40 to 50 megabits per second. The same botnet, on NBN, is roughly 50 times the weapon it was on copper.
NBN maintains that because it acts strictly as a Layer 2 wholesale network provider, DDoS traffic remains entirely outside its operational visibility. From NBN Co's perspective, it does not supply Wi-Fi routers so the legal and operational responsibility to detect and mitigate malicious traffic rests entirely with the retail service providers (RSPs) and hosting providers.
The compromised devices that launched the assault on VentraIP sat in suburban Australian living rooms. Across the Tasman the gap is wider still: New Zealand has no consumer device security regime equivalent to Australia's smart device rules, and no statutory duty on its retail providers to do anything about outbound attack traffic.
The Cyber Security Act 2024 and its Security Standards for Smart Devices Rules took effect on 4 March 2026, requiring new consumer IoT devices in Australia to ship without default passwords, with a defined support period and a vulnerability disclosure process. Obligations sit with manufacturers and apply only to devices made from 4 March 2026 forward.
But the millions of routers, cameras and smart-home devices already in Australian homes - the exact threat surface that crippled VentraIP - are outside scope.
New Zealand's framework is no better, and arguably worse. The Telecommunications (Interception Capability and Security) Act 2013 covers core network security but says nothing about customer equipment or outbound attack traffic. The country has no equivalent of Australia's smart device rules.
The 2021-22 DDoS campaign that took Vocus, Kiwibank, ANZ and several public services offline drew substantially on compromised consumer hardware. A compromised router in suburban Auckland can contribute to an attack on an Australian VPN gateway as easily as one in Sydney.
The bill for that policy vacuum falls on everyone downstream. Hosting providers, enterprises and government agencies must over-provision perimeters and build defensive infrastructure they would not otherwise need. It is, in effect, a DDoS Tax on the customer side of the network, levied to compensate for the absence of any obligation on the carrier side.
Legally, NBN Co and the major RSPs are acting entirely within the law. The Telecommunications Act 1997 and the Security of Critical Infrastructure Act 2018 require carriers to report attacks against their own infrastructure, but neither imposes any duty to inspect, flag or suppress outbound malicious traffic from customer endpoints.
The closest existing instrument is the Australian Internet Security Initiative run by ASD's ACSC, which sends daily reports to participating retail providers identifying compromised IPs. Participation is voluntary, action is voluntary, and the program bypasses NBN Co entirely.
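A defender-side illustration of the gap described above, as an added example that is not Nexigen, VentraIP or ACSC code: a retail provider correlating an AISI-style daily report of compromised customer IPs with its own outbound flow summaries, to flag lines that are flooding a single destination and should be notified or rate-limited. The report and flow formats, the customer address range and the 30 Mbps threshold are all constructed assumptions; the article does not describe the real report layout.

```python
"""Outbound-flood triage for a retail provider (added example, constructed inputs)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: AISI-style report lines "ip,first_seen,family" (format assumed)
AISI_REPORT = """\
203.0.113.17,2026-05-23T09:40:00Z,aisuru
198.51.100.201,2026-05-23T08:05:00Z,kimwolf
"""

# Constructed: NetFlow-style outbound summaries "src_ip,dst_ip,bytes,seconds"
FLOWS = """\
203.0.113.17,192.0.2.10,420000000,60
203.0.113.42,192.0.2.10,360000000,60
203.0.113.9,198.51.100.5,9000000,60
203.0.113.42,192.0.2.10,300000000,60
"""

CUSTOMER_RANGES = [ip_network("203.0.113.0/24")]  # assumed: this RSP's address space
FLOOD_MBPS = 30.0  # assumed: sustained upload toward one destination that warrants action

def parse_report(text):
    """Map each reported IP to the botnet family label in the report."""
    return {ip: fam for ip, _ts, fam in (l.split(",") for l in text.splitlines() if l)}

def outbound_rates(text):
    """Aggregate bytes and seconds per (src, dst) pair and return the rate in Mbps."""
    acc = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if not line:
            continue
        src, dst, nbytes, secs = line.split(",")
        acc[(src, dst)][0] += int(nbytes)
        acc[(src, dst)][1] += int(secs)
    return {k: (b * 8 / s) / 1e6 for k, (b, s) in acc.items()}

def triage(report_text, flow_text, ranges=CUSTOMER_RANGES, threshold=FLOOD_MBPS):
    """Return {customer_ip: [reasons]} for lines the provider can act on."""
    flagged = defaultdict(list)
    for (src, dst), mbps in outbound_rates(flow_text).items():
        if not any(ip_address(src) in n for n in ranges):
            continue  # not our subscriber; nothing this RSP can rate-limit
        if mbps >= threshold:
            flagged[src].append(f"{mbps:.0f} Mbps sustained toward {dst}")
    for ip, fam in parse_report(report_text).items():
        if any(ip_address(ip) in n for n in ranges):
            flagged[ip].append(f"listed in AISI report ({fam})")
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in sorted(triage(AISI_REPORT, FLOWS).items()):
        print(ip, "->", "; ".join(reasons))
```

The IP listed in the report but outside the provider's own range is deliberately ignored, since that is the point the article makes: only the provider holding the customer line can act.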
Australian organisations cannot rely on the wholesale or retail layer to scrub outbound botnet traffic. The DDoS Tax falls on them. Hybrid working has extended the problem inside the corporate boundary.
An unpatched router on a staff member's home connection sits in the network path between sensitive data and the public internet, outside the Cyber Security Act rules, outside any active cleanup framework, and outside the responsibility of the retail provider that may have supplied it. The same logic covers smart TVs, networked printers and conference-room IoT in the office.
To survive the multi-hour onslaught on May 23, Nexigen was forced to emergency-onboard a third upstream provider, GSL Networks, to inject traffic scrubbing capacity mid-attack.
Nexigen has put temporary mitigation in place via a continued arrangement with GSL and is reviewing permanent options.
"It is clear the threat profile has changed," Jonstone said.
IDM has put questions to the Department of Home Affairs, ASD's ACSC, ACMA, the ACCC and Communications Alliance on whether the regulatory gap exposed by this attack is under active consideration.
(This story was updated on May 29, 2026)
