Some Bitsquatting Observations

I registered a basket full of bit-squatting domains last year and as they all recently expired I thought I’d give a few observations about my experience.

The idea is that memory errors on end devices or intermediate equipment results in occasional bits being flipped in memory. Where one of these flips happens to land on a domain name in memory, the flip might change it to another valid character and send traffic to the corrupt domain instead. While these errors are exceptionally rare, the internet is exceptionally big so we can observe this behaviour with high enough traffic domains. You can read read about it here and there’s a good video here about this and other fun DNS stuff.

Now despite reading the papers and seeing the presentations it still seemed a bit far out, so as domains are cheap I registered a few to validate this for myself as it looked quite fun. I was surprised at the time that so many squats were available despite this being a well known issue with talks being given at Defcon, even the the exact domains provided in papers/talks were available. I was also a bit disappointed at this, are the companies subject to the publicised squats not interested in preventing further abuse of this? And why were the security community not picking these up to validate for themselves or just for a laugh?? Oh well..

My set-up used a slightly modified copy of dnschef to serve requests, a web server logging connections and headers, smtp-sink to log emails and logging of DNS lookups and some other traffic with tcpdump. Unfortunately due to a cock up I blew the six months of results away in a botched migration. Oh well..

I pretty much ended up with the same observations as others that presented their findings, lots of requests for well used domain names and a significant number from mobile devices and not many verifiable bit flip hits on the less popular domains.

There were a decent number of requests that could have been pretty bad for the squatted organisation had they been taken advantage of such as lookups for internal host names from the organisations themselves, requests for certificates and software updates and the likes.

No valid SMTP traffic was observed logging email headers but there was an insane quantity of spam. I’m not entirely sure whether the spammers had been subject to bitflips or whether they just had typos in their lists but it was enough to make me give up on this monitoring very quickly.

As about 12 months had passed since my disappointment in so many of the squat domains being available, I compared the availability now to then. This time about there was a more marked change.

One example would be in the domain that was used in the demonstrations and presentations:

  • – October 2013 – 26 squats unregistered
  • – October 2014 – 0 squats unregistered

This reduction in availability was observed in other domains too, interestingly most of the gstatic squats and some of the other domains appear to have been registered by the same individual with the name servers at so at least some one is having fun 🙂

I’d recommend trying some bit squatting out, it’s easy and cheap to do and with some careful domain choice it can lead you to some amusing and unpredictable results. Plus it’s funky knowing that a cosmic ray might just be the cause for that traffic coming your way!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s