Could Botnets Take Down Banks and Online Brokers?

There is a story floating around that U.S. financial firms have been warned of an al Qaeda cyber attack tomorrow (Friday). According to the story, the attack would be directed against banks and online stock trading firms.

So, how have banks and brokers reacted? Sniffingly:

Robert Albertson, chief investment strategist at Sandler O’Neill & Partners in New York, said it was unlikely al Qaeda members could do serious harm to financial Web sites.

“I’m not saying there aren’t precautions to be taken, but I just can’t fathom how there would be serious havoc,” he added.

So boys and girls, let’s think this through. Could al Qaeda take down a few banks and brokers?

Let’s start by assuming that an online broker or bank has somewhere between 100 Mbps and 1 Gbps of bandwidth. Let’s further assume that you need not saturate that entire pipe on your own: normal customer traffic already occupies part of it, so for the sake of argument you need only add 25% on top. In other words, you’d need to produce a sustained 250 Mbps, assuming a 1 Gbps pipe into an eTrade.

For sure al Qaeda would need a fair number of computers to do that sort of thing, and the traffic would need to come from varying IP addresses, or the sources would be blocked almost immediately.

So, could al Qaeda do it? You bet: via botnets. A typical hacker estimate is that you can take down your average corporate site with a 500 to 1,000-machine botnet, so let’s say you need to rent access to a 5,000 to 10,000-machine botnet to do a bank or broker. That is a small fraction of the largest botnet taken down so far, which was 120,000 nodes. (In case you’re curious, large botnets have been shown to generate as much as 40 Gbps of attack traffic.)

And those sorts of botnets? They’re everywhere, with something like a million PCs worldwide in some form of zombified state. CERT and others have shown that 50,000-node botnets are out there, while smaller botnets, the kind we’d need for this job, are positively thick on the ground.
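To make the back-of-envelope argument concrete, here is an added example (not code from the original post) that does two things: it turns the pipe size, the 25% fill fraction and an assumed per-bot upstream rate into a bot count, and it runs a per-source rate check and an aggregate rate check over two constructed sets of flow records, one from a single flooding host and one spread across thousands of low-rate sources. The 50 kbps per-bot figure, the 10-second window, the 50 Mbps per-IP limit and all IP addresses and byte counts are assumptions constructed for illustration; nothing here is measured data.

```python
import math
from collections import defaultdict

# Constructed parameters (assumptions for illustration, not figures from the post)
PIPE_MBPS = 1000       # the broker's inbound pipe, 1 Gbps as the post assumes
FILL_FRACTION = 0.25   # share of the pipe the attacker must add on top of normal load
PER_BOT_KBPS = 50      # assumed sustained upstream each compromised home PC can push
WINDOW_S = 10          # length of the measurement window for the flow records
PER_IP_LIMIT_MBPS = 50 # assumed per-source rate limit a naive filter would enforce


def bots_needed(pipe_mbps, fill_fraction, per_bot_kbps):
    """Bots required to push fill_fraction of the pipe, rounded up to whole bots."""
    target_kbps = pipe_mbps * 1000 * fill_fraction
    return math.ceil(target_kbps / per_bot_kbps)


def kbps_to_bytes(kbps, window_s):
    """Bytes a source must send during the window to sustain the given rate."""
    return kbps * 1000 * window_s // 8


def per_source_mbps(flows, window_s):
    """Sum bytes per source IP over the window and convert to Mbps."""
    totals = defaultdict(int)
    for src, nbytes in flows:
        totals[src] += nbytes
    return {src: b * 8 / window_s / 1_000_000 for src, b in totals.items()}


def aggregate_mbps(flows, window_s):
    """Total inbound rate over the window, regardless of source."""
    return sum(b for _, b in flows) * 8 / window_s / 1_000_000


def flag_by_source(flows, window_s, per_ip_limit_mbps):
    """Naive per-IP blocking: catches one loud host, blind to many quiet ones."""
    rates = per_source_mbps(flows, window_s)
    return sorted(src for src, r in rates.items() if r > per_ip_limit_mbps)


def pipe_saturating(flows, window_s, pipe_mbps, fill_fraction):
    """Aggregate check: has total inbound reached the share that tips the pipe?"""
    return aggregate_mbps(flows, window_s) >= pipe_mbps * fill_fraction


# Constructed flow records: (source IP, bytes seen in the window).
# One host sending 300 Mbps on its own.
SINGLE_SOURCE = [("203.0.113.7", kbps_to_bytes(300_000, WINDOW_S))]

# The post's scenario: enough bots at PER_BOT_KBPS each to add 25% of a 1 Gbps pipe.
# Addresses are synthetic; the 10.x range is used only to generate distinct strings.
DISTRIBUTED = [
    (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
     kbps_to_bytes(PER_BOT_KBPS, WINDOW_S))
    for i in range(bots_needed(PIPE_MBPS, FILL_FRACTION, PER_BOT_KBPS))
]


if __name__ == "__main__":
    n = bots_needed(PIPE_MBPS, FILL_FRACTION, PER_BOT_KBPS)
    print(f"bots needed at {PER_BOT_KBPS} kbps each: {n}")
    for name, flows in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        print(name,
              "| per-IP flags:", flag_by_source(flows, WINDOW_S, PER_IP_LIMIT_MBPS),
              "| aggregate Mbps:", round(aggregate_mbps(flows, WINDOW_S), 1),
              "| pipe under pressure:",
              pipe_saturating(flows, WINDOW_S, PIPE_MBPS, FILL_FRACTION))
```

With the assumed 50 kbps per bot, the sizing comes out at 5,000 bots for a 1 Gbps pipe and 500 for a 100 Mbps one, which is why the post's "a few computers" really means a rented botnet. The second half shows the point behind the varying-IP remark: the per-source check names the single 300 Mbps flooder and nothing else, while the distributed set trips only the aggregate check, because no individual bot ever exceeds the per-IP limit.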

The upshot: Sanguine sorts who think that U.S. banks and online brokerage are somehow safe from distributed denial of service (DDoS) attacks are kidding themselves. Not only are future DDoS attacks on such crucial sites possible, they’re pretty much inevitable — and getting cheaper all the time.


  1. Yes, but the corollary to the tools for the attack getting cheaper all the time is surely that the tools for the defence are getting cheaper too. The ever-falling cost of bandwidth helps both sides.
    Also, if banks start to suffer significant losses from botnet attacks they’ll commit their resources to counter-measures instead of complacency. If CERT can find botnets with the sort of resources that are available for pure research, the banks can certainly find them. But I don’t know what, if anything, a bank could do to cripple a botnet once it had tracked it down – anyone?

  2. Your point was that the investment community is dripping hubris and in denial about the potential severity of a botnet attack. I’m not arguing with the technical case you presented, since I just don’t know and since it sounds credible.
    But the quote that you use to conclude that the industry as a whole is complacent comes from a chief *investment strategist*. Asking a portfolio manager about the IT infrastructure is like asking the chief of surgery at a hospital whether the building is structurally sound in the event of a hurricane or earthquake. A smart guy giving an opinion outside his domain of expertise is as likely to be wrong as the village idiot.

  3. If we don’t allow portfolio managers to opine on topics for which they don’t have detailed knowledge, what will they talk about on TV and at client reviews?

  4. I often have the thought: what if someone as creative and mentally capable as me were one of those as evil and motivated as al Qaeda or whoever?
    Thankfully, so far, they are idiots with little imagination.