NBN vaults Australia into global top-10 … DDoS attack sources

Or not, if you look at the numbers

Australia has won the dubious honour of being named in the global top-10 DDoS sources, and in its quarterly State of the Internet report, Akamai reckons our tiny number of high-speed fibre broadband users are the cause.

In its Q2 report, Akamai says that attack traffic coming from Australia topped 4 per cent of global DDoS traffic (the world-leaders were the usual suspects – China at 37.01 per cent, the USA at 17.88 per cent, the UK at 10.21 per cent).

The comment is almost a throwaway given the size of the report: “Australia’s appearance on the list is likely due to the increase [sic] adoption of high speed internet access throughout NBN and connectivity of IOT devices in the region.”

Vulture South isn't sure what Internet of Things devices have to do with Australia's DDoS status, but NBN adoption is well worth a proper look.

nbnTM claimed around half a million active premises at June 30 2015 (per its annual report). That's closing in on 10 per cent of Australia's entire fixed broadband market, so on the surface of it, there are enough of those connections to make us a decent DDoS source – right?

Not quite.

For a start, more than 85,000 of those are fixed wireless and satellite customers, and can be scratched.

That leaves customers with an active connection to the lamented and soon-to-be completed fibre-to-the-premises rollout: around 400,000 of them. Surely that's enough to explain Australia's chart-topping DDoS growth figures?

The answer is still “no”: by nbnTM's figures, most of the fibre connections are to the cheaper low-speed plans. In its annual report delivered in August, the company said 77 per cent of its customers are currently using services rated at 25/5 Mbps down/up, or 12/1 Mbps (and, of course, actual throughput also depends on things like what size backhaul pipe a retail ISP buys).

That's barely different from the millions of customers on a notional 20 Mbps-plus ADSL2+ service.

Just 22 per cent are on 50/20 Mbps or 100/40 Mbps plans – a grand total of 88,000 customers whose upload speeds are sufficient to mount a decent DDoS attack.

How many of those are being compromised, zombified, and used to mount DDoS attacks?

Not many, it seems. The same annual report yields a couple of other informative data points:

  • The average monthly upload from an NBN customer was 16 GB; and
  • Uploads were at best flat throughout the year, with a slight decline from the end of 2014 to June 2015.

[Figure: NBN usage chart. Caption: Can you spot the DDoS upload traffic spike? Neither can we. Image: nbnTM]

Even non-spoofed IP addresses – since that's how Akamai assigns an attack to a country – don't help, because nbnTM doesn't hand out addresses.

Addresses are handed out by retailers, meaning that DDoS traffic coming from Telstra, Optus, TPG/iiNet, and so on, will come from different IPv4 address blocks.

It's perfectly feasible that Australia hosted a bunch of DDoS attacks, but The Register thinks the NBN's role in the attacks is a red herring. ®
