An unprecedented network attack at Australian hosting giant VentraIP has raised alarms after cybercriminals reportedly hijacked Australian home devices to flood the vendor with traffic.

On Saturday morning, the country’s largest privately owned web hosting provider and domain registrar told customers it had identified an ongoing distributed denial-of-service (DDoS) attack against its services.

From approximately 10.30am to 2.30pm, VentraIP’s team worked to restore a “partial or complete loss” of service that hindered the availability of several customer websites.

By roughly 5.40pm, the company confirmed it had tentatively mitigated the attack – but questions remained about how a threat actor managed to send out enough traffic to topple a major vendor.

In a post-incident response on Sunday, VentraIP told customers the attack was largely driven by compromised devices on Australian home internet connections.

The attack was so large that it overwhelmed conventional mitigation methods, VentraIP explained.

“For clarity and context, the size of the attack was estimated to be in excess of 600Gbps, with much of the traffic coming from compromised devices on Australian home NBN connections,” said VentraIP.

“Due to its sheer volume, two major telco providers, who we use for our data transit services, were taken completely offline, while saturating all of our own peering links.”

VentraIP – which services 300,000 customers with domain names, web hosting, SSL certificates, and virtual servers – said the attack had prompted a rethink of how it approaches DDoS risks.

VentraIP customers reported website outages via social media. Source: VentraIP Facebook page

“In 18 years, we have never seen an attack of this size or scale,” said VentraIP.

“Whilst our existing capabilities have served us well for many years, this has now prompted us to completely rethink our mitigation strategy as it is clear the risk profile has changed.”

Information Age understands VentraIP’s sister company Synergy Wholesale was also affected during the incident.

High-speed, high threat

Though VentraIP did not specify whether the bulk of the malicious traffic came from consumer routers, internet-of-things (IoT) devices, or a mix of both, Cheyne Jonstone, co-founder of VentraIP’s parent company Nexigen Digital, said the attack was made possible by high-speed NBN connections.

Though such attacks traditionally come from compromised servers and are subject to providers’ outbound detection and mitigation methods, Jonstone said the VentraIP incident was “completely different”.

“With NBN services allowing for far greater upload capacity than previous DSL services, the ability to flood our peering and transit networks was far easier,” he told IDM.

VentraIP did not share precise details about the methodology of the attack, but such large-scale incidents can typically be achieved via malicious botnets where consumer-grade devices are compromised and controlled at scale to conduct wider cyberattacks.

Vaughan Shanks, chief executive of Melbourne-based incident response vendor Cydarm Technologies, said that, without more details being known, the attack would most likely have involved an IoT-based botnet used as a DDoS-for-hire service.

“The IoT angle is confirmed by VentraIP's remark about [home devices] being compromised,” Shanks told Information Age.

He noted the timing of the attack also aligned with recent takedown and arrest actions the US Federal Bureau of Investigation and international partners had conducted against operators of multiple major, international botnets.

Second major provider in a fortnight

VentraIP believes the attack was conducted by the same group which targeted another major Australian provider within a two-week period.

Though VentraIP did not name a specific company or threat actor, Brisbane-based cloud provider Binary Lane similarly suffered “the largest DDoS attack” it had ever observed on 15 May.

“The attack has been significant enough to affect our primary upstream provider, which has had to drop our ports several times to protect their wider network — most recently because the attack resumed each time we were re-added,” Binary Lane said.

With traffic outside of Sydney suffering higher latency and reduced throughput, most of the disruption lasted about six hours, while follow-on recovery efforts persisted until 18 May.

Information Age understands investigations are ongoing in cooperation with the Australian Signals Directorate (ASD).

ASD declined to comment, though Binary Lane has promised a “full post-incident review” once ASD engagement is at a point where the company can “share the technical picture without compromising it”.