There is a story floating around that U.S. financial firms have been warned of an al Qaeda cyber attack tomorrow (Friday). According to the story, the attack would be directed against banks and online stock trading firms.
So, how have banks and brokers reacted? Sniffingly:
Robert Albertson, chief investment strategist at Sandler O’Neill & Partners in New York, said it was unlikely al Qaeda members could do serious harm to financial Web sites.
“I’m not saying there aren’t precautions to be taken, but I just can’t fathom how there would be serious havoc,” he added.
So boys and girls, let’s think this through. Could al Qaeda take down a few banks and brokers?
Let’s start by assuming that an online broker/bank has somewhere between 100 Mbps and 1 Gbps of bandwidth. Let’s further assume that you need not saturate that entire pipe on your own: for the sake of argument, say you need only supply 25% of it yourself, with normal customer traffic accounting for the rest. In other words, assuming 1 Gbps pipes into an eTrade, you’d need to produce a sustained 250 Mbps.
For sure al Qaeda would need a few computers to do that sort of thing. And those computers would need to come from a wide range of IP addresses, or the traffic would be blocked almost immediately.
So, could al Qaeda do it? You bet: via botnets. The largest botnet that has been taken down so far was 120,000 nodes, which is far more than you’d need for this job. A typical hacker estimate is that you can take down your average corporate site with a 500 to 1,000-machine botnet, and so let’s say you need to rent access to a 5,000 to 10,000-machine botnet to do a bank or broker. (In case you’re curious, large botnets have been shown to suck up as much as 40 Gbps in bandwidth.)
And those sorts of botnets? They’re everywhere, with something like a million PCs worldwide in some form of zombified state. As noted, the largest botnet found to date was 120,000 PCs, and CERT and others have shown that 50,000-node botnets are out there, while smaller botnets, the kind you’d need for this job, are positively thick on the ground.
The upshot: Sanguine sorts who think that U.S. banks and online brokerages are somehow safe from distributed denial of service (DDoS) attacks are kidding themselves. Not only are future DDoS attacks on such crucial sites possible, they’re pretty much inevitable — and getting cheaper all the time.