Banks, Meet DDoS

Banks are highly regulated. And that makes sense, considering how intrinsic banking and money have become to our lives. They’re regulated by the Securities and Exchange Commission (SEC) as to when, how often, and how much of their daily business they have to report. The SEC even regulates how the banks can be laid out. Did you ever wonder why the investment section isn’t in the same part of the room as the tellers? Blame the SEC for that.

Banks are also regulated, even more specifically, by the Federal Financial Institutions Examination Council (FFIEC). Despite what you might imagine because of the recent scandals, these regulations are specific.

And now, according to Network World and Hacksurfer, banks also have to take on DDoS attacks.

A DDoS, or Distributed Denial of Service, attack is the most common and probably easiest way to take down a major institution’s website or network. There are Linux distributions that come with DDoS tools built in, and the system is optimized to use them. They’re called penetration testing, or pentest, distributions. There’s even a Linux build for the Raspberry Pi. They’ve got a magazine and everything.

ALGORITHM, my movie, deals with just these kinds of tools, how they’re used, and what their use means to the world.

A DDoS attack works as follows: when computers talk to each other, they first have to establish that they want to talk. Computer A will say, “Hello” and then wait until Computer B says, “Hello. What do you need?” 

If Computer A doesn’t wait for Computer B to respond but instead keeps saying “Hello” over and over again, faster than Computer B can respond, Computer B puts the hello requests in a buffer so it can deal with them one at a time. If the barrage continues, the buffer can overflow, giving Computer A access to Computer B that Computer A isn’t supposed to have.

There’s really very little that can be done to deal with a DDoS. Of course, there are safeguards that can be, and have been, developed lately. But within months of those safeguards being implemented, the hackers found a way around them.

The only real way to block a DDoS attack, for certain, is to have way more computing power than the attacker. Places like Google and Facebook are nearly invulnerable to DDoS attacks because they have hundreds of thousands of computers waiting at the door to say, “Hello. What do you need?”
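The hello buffer described earlier and the capacity argument above can be put into a small queue model that measures how many real customers' hellos are turned away once the buffer is full. This is an added example, not code from the original post; the function name, rates, buffer size and the "tick" time unit are assumptions chosen for illustration.

```python
import random

def legit_drop_rate(capacity, attack_rate, legit_rate=5,
                    buffer_size=128, ticks=200, seed=1):
    """Fraction of legitimate hellos refused because B's buffer was full.

    capacity    -- hellos Computer B can answer per tick (assumed unit)
    attack_rate -- unwanted hellos arriving per tick
    legit_rate  -- real customers' hellos arriving per tick
    """
    rng = random.Random(seed)          # fixed seed: repeatable runs
    queued = 0                         # hellos waiting in the buffer
    credit = 0.0                       # fractional answers B has earned
    sent = refused = 0
    per_arrival = capacity / (attack_rate + legit_rate)
    for _ in range(ticks):
        arrivals = [True] * legit_rate + [False] * attack_rate
        rng.shuffle(arrivals)          # real and unwanted traffic interleave
        for is_legit in arrivals:
            # B answers as many queued hellos as it had time for.
            credit += per_arrival
            answered = int(credit)
            credit -= answered         # idle time is not saved up
            queued = max(0, queued - answered)
            sent += is_legit
            if queued < buffer_size:
                queued += 1            # room left: the hello is queued
            else:
                refused += is_legit    # buffer full: the hello is lost
    return refused / sent

if __name__ == "__main__":
    # Constructed scenarios: (capacity, attack_rate) in hellos per tick.
    for capacity, attack in [(100, 0), (100, 1000), (5000, 1000)]:
        rate = legit_drop_rate(capacity, attack)
        print(f"capacity={capacity:5d} attack={attack:5d} "
              f"legitimate hellos refused={rate:.0%}")
```

With these constructed numbers, a server that answers 100 hellos per tick refuses roughly nine in ten real customers during the flood, while one that answers 5,000 per tick refuses none.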

What are banks supposed to do? Some of the larger banks might be able to build data centers, but the smaller, local banks haven’t really got a chance. Their only option will be to put in exactly what the FFIEC requires and no more. Or, outsource.