Nobody's job: Australia's unregulated botnet problem


The regulatory gap that allows compromised Australian home devices to be weaponised in large-scale distributed denial-of-service (DDoS) attacks will remain open for the foreseeable future.

The Department of Home Affairs and the Australian Communications and Media Authority failed to address questions from IDM on whether any Australian law, regulation, or industry code imposes an affirmative duty on any party in the access-network supply chain to detect, notify about, or act on outbound DDoS traffic from compromised customer premises equipment.

A terabit-scale DDoS attack on May 23, 2026 took VentraIP, Australia's largest privately owned web host, offline for most of the day, with attack traffic attributed substantially to compromised devices on Australian home NBN connections.

Home Affairs cited SOCI Act incident-reporting obligations that apply to victims of attacks - not to network operators in respect of traffic originating from their own customer base. ACMA directed questions to Home Affairs. The Australian Signals Directorate confirmed on background that identifying regulatory gaps is not its function. The Australian Telecommunications Association advised the questions were outside its jurisdiction.

No body identified any instrument that addresses who, if anyone, in the wholesale-access, retail-access or backbone layer carries an obligation in respect of outbound attack traffic. None indicated the question is under active consideration.

The threat extends well beyond hosting providers. Australian enterprises and government agencies cannot rely on the wholesale or retail access layer to filter outbound botnet traffic, meaning the cost of defending against attacks sourced from compromised residential connections falls entirely on the targets.

Can NBN Co act on attack traffic on its own network?

A central question raised by the VentraIP attack is whether NBN Co, as the wholesale access operator with a connection to every NBN-served premise, has any technical capability to detect outbound traffic consistent with botnet activity - and whether any obligation requires it to use that capability.

No privacy or interception law appears to prevent outbound anomaly detection. No regulator currently requires it.

NBN Co responded on background that, as a Layer 2 wholesale network provider, it has no visibility of DDoS attacks at OSI layers 3, 4 and 7, and that responsibility for detection and mitigation lies with the ASN or IP range owners, typically the relevant RSP(s) or hosting provider(s).

It added that while it constantly monitors network performance, it does not undertake deep packet inspection.

Professor Vijay Sivaraman, Professor of Telecommunications at UNSW Sydney and co-founder of network telemetry firm Canopus Networks, confirmed NBN Co's Layer 2 characterisation is technically correct, and identified the RSP layer as the more practical point of intervention. The Retail Service Providers (RSPs) are the companies such as Telstra, Optus, TPG and iiNet that purchase wholesale access from NBN Co and sell internet services directly to residential and business customers.

"NBN is a layer-2 provider, which means its job is to deliver Ethernet frames from the router in the consumer’s [home] to the ISP’s router located at the point-of-interconnect (POI) exchange. NBN is not meant to be looking at the content of the frames, in fact not even the IP addresses contained in the IP packets within the frames. Therefore, in my view the NBN cannot be expected to provide DDoS scrubbing,” Professor Sivaraman told IDM.

“The RSP is probably in a better position to tackle this issue, both in preventing spoofed outbound traffic (which is easy), as well as blocking inbound volumetric attacks (which can be harder as it requires the Netflow/IPFIX extraction and analysis).”

Professor Sivaraman identified two distinct problems at the RSP layer, both technically addressable and both currently unregulated. Source address validation - filtering outbound packets with falsified source IPs - is described by the IETF's BCP38 standard as straightforward to implement. Detection of high-volume traffic from legitimately assigned addresses, as appears to have occurred in the VentraIP attack, requires flow telemetry analysis. No Australian law or instrument currently requires any RSP to implement either measure.
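The two RSP-layer measures described above can be illustrated in code. The following is an added example, not code from the article, NBN Co, any RSP or Canopus Networks. It assumes an RSP knows which customer prefixes it has assigned and receives flow records of the kind a NetFlow/IPFIX collector exports (source, destination, port, byte and packet counts); the prefixes, addresses, flow records and the 1 GB threshold are all constructed sample values. The first function is the BCP38 check (is the source address one the operator actually assigned?); the second aggregates outbound bytes per destination and flags the many-to-one pattern of several customer addresses flooding one target, which is the case the VentraIP attack illustrates and which source address validation alone cannot catch.

```python
"""BCP38-style egress filtering plus flow-based outbound volume detection.

Added example; not the article's or any operator's code. Prefixes, addresses
and flow records below are constructed (RFC 5737 documentation ranges).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: prefixes this hypothetical RSP has assigned to its own customers.
ASSIGNED_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


def bcp38_allows(src: str, assigned=ASSIGNED_PREFIXES) -> bool:
    """Source address validation: True if the outbound source address lies within
    a prefix the operator has assigned. BCP38 egress filtering drops anything else."""
    addr = ip_address(src)
    return any(addr in net for net in assigned)


@dataclass(frozen=True)
class Flow:
    """One exported flow record (simplified NetFlow/IPFIX shape, constructed)."""
    src: str
    dst: str
    dst_port: int
    octets: int
    packets: int


def filter_spoofed(flows, assigned=ASSIGNED_PREFIXES):
    """Split flows into (legitimate, spoofed) using the BCP38 check."""
    ok, spoofed = [], []
    for f in flows:
        (ok if bcp38_allows(f.src, assigned) else spoofed).append(f)
    return ok, spoofed


def detect_outbound_volume(flows, byte_threshold: int, min_sources: int = 1):
    """Aggregate outbound bytes per destination and return those over
    byte_threshold that are fed by at least min_sources distinct customer
    addresses: a many-to-one pattern consistent with a botnet flood, even
    though every source address is legitimately assigned."""
    per_dst = defaultdict(lambda: {"octets": 0, "sources": set()})
    for f in flows:
        per_dst[f.dst]["octets"] += f.octets
        per_dst[f.dst]["sources"].add(f.src)
    return {
        dst: agg
        for dst, agg in per_dst.items()
        if agg["octets"] > byte_threshold and len(agg["sources"]) >= min_sources
    }


# Constructed sample window: one ordinary flow, one spoofed-source flow, and
# four customer addresses each sending 400 MB to the same target.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "192.0.2.1", 443, 50_000, 60),
    Flow("10.9.8.7", "192.0.2.50", 53, 1_000_000, 10_000),  # not an assigned prefix
    Flow("203.0.113.20", "192.0.2.80", 443, 400_000_000, 300_000),
    Flow("203.0.113.21", "192.0.2.80", 443, 400_000_000, 300_000),
    Flow("203.0.113.22", "192.0.2.80", 443, 400_000_000, 300_000),
    Flow("198.51.100.5", "192.0.2.80", 443, 400_000_000, 300_000),
]


def analyse(flows=SAMPLE_FLOWS, byte_threshold=1_000_000_000, min_sources=3):
    """Run both measures over a window of flows and summarise the findings."""
    ok, spoofed = filter_spoofed(flows)
    flagged = detect_outbound_volume(ok, byte_threshold, min_sources)
    return {
        "spoofed": [f.src for f in spoofed],
        "flagged": {dst: (agg["octets"], sorted(agg["sources"]))
                    for dst, agg in flagged.items()},
    }


if __name__ == "__main__":
    result = analyse()
    print("dropped by BCP38:", result["spoofed"])
    for dst, (total, sources) in result["flagged"].items():
        print(f"{dst}: {total} bytes from {len(sources)} customer addresses")
```

The threshold and window are illustrative; a production collector aggregates per interface and per time bucket, and the "easy" half of the problem is the BCP38 check, which needs only the operator's own assignment table. The harder half is the volume detection, which needs the flow telemetry Professor Sivaraman refers to.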

The installed base

The Cyber Security Act 2024 and Security Standards for Smart Devices Rules 2025 apply to devices manufactured from 4 March 2026. The existing installed base of routers, cameras and IoT equipment in Australian homes - the threat surface that made the VentraIP attack possible - is outside scope and will remain so indefinitely.

Cheyne Jonstone, co-founder of VentraIP parent company Nexigen Digital, told IDM, “I do believe there needs to be far more education to home and small business users about the potential dangers of compromised devices existing on their home or business networks.

“And yes, I believe this will cost end users in the long term as network operators will need to shoulder significant capex and opex to prevent these attacks from happening, especially with the lack of education to end users. 

“As a provider of web hosting services, we have tried for nearly two decades to educate our own customers on the importance of keeping their websites up to date and secure, in an environment that we manage - I can only imagine how difficult it would be for an RSP to educate home users as to why connecting everything that comes with wifi to their network," Jonstone said.

Lesley Seebeck, an independent consultant and Honorary Professor at the Australian National University, who previously headed the ANU Cyber Institute and has held senior executive roles across the federal government, endorsed more action but urged caution about additional regulatory controls, citing risks around resourcing, capability and surveillance.

“An alternative approach could be one of radical transparency, for example: rather than a closely held feed of classified threat intelligence, ACMA/ACSC could maintain a public, real-time dashboard showing volume of malicious traffic leaving Australian ASNs; focusing on manufacturers, requiring secure-by-design; oversight panels independent of the intelligence community, encouraging (or requiring) acceptance of open-source router firmware and network micro-segmentation for IoT devices,” said Seebeck.

Autonomous System Number (ASN) is a unique identifier assigned to a network or group of networks under a single administrative control, such as an ISP or large enterprise, that exchanges routing information with other networks on the internet. In practice, each major telco and RSP operates one or more ASNs.

A public dashboard showing malicious traffic volumes by ASN would effectively name which providers' networks are generating the most outbound attack traffic, creating a transparency and reputational incentive to act even in the absence of a legal obligation.

DDoS attacks surge

The ASD/ACSC Annual Cyber Threat Report 2024-2025 recorded a 280% year-on-year increase in DDoS incidents handled by the ACSC and acknowledged a growing residential botnet attack surface but does not address carrier-layer obligations.

The Australian government’s 2023-2030 Australian Cyber Security Strategy does not address residential botnet sourcing or carrier-layer visibility as distinct policy problems.

No parliamentary inquiry, ACMA consultation, Communications Alliance code, or ACSC guidance addresses the question of who in the network supply chain is responsible for outbound attack traffic from Australian residential connections.

The technical means to detect and act on that traffic exist at both the NBN wholesale layer and the RSP layer. The obligation to use them does not.
