BH 2011: Bit-squatting – DNS hijacking without exploitation

Bitsquatting title slideNo doubt that, when typing a domain into our web browsers, we’ve all fatfingered and found ourselves not at the page we intended, but at a typosquatted domain that aims to benefit from our mistake.

But Artem Dinaburg’s paper “Bit-squatting DNS Hijacking without Exploitation,” presented last week at the Black Hat security conference, explores how bit-flipping in memory chips or CPU caches can also cause you to visit a wrong domain that may be one character off from the real one.

Why do bits flip? Dinaburg postulates that most often this is a consequence of either cosmic rays, or operating devices outside of their optimal temperature range. The latter is likely more frequent in smartphones and other handheld devices that are used in a wide variety of environmental conditions.

Dinaburg conservatively estimates that 614,400 memory errors occur per hour globally. Not all of these could impact a DNS request, but this is still a significant opportunity for problems to occur.

The average computer does 1,500 DNS lookups per day, but only three of the addresses are typed in by a human being.

So Dinaburg registered 31 domain names that were one bit off from popular services like,, doubleclick and several CDNs. He ran the experiment for approximately seven months.

During his experiment 52,317 requests were received from 12,949 unique IP addresses. Below is a chart showing his traffic volumes per day.

Daily bitsquat traffic chart

There were a few spikes in his results. The first two appear to result from a bit error cached at Zynga, the makers of Farmville, while the third seems to be a DNS error cached in a proxy or caching DNS server.

This shows bitsquatting could be criminally profitable if it were to target popular domains, especially domain names for content delivery networks (CDNs) like Akamai and Facebook.

This technique could be harnessed to distribute fake anti-virus or other drive-by exploit-driven scams.

So what can be done about it?

First, as domains can be inexpensively purchased, high volume web providers could proactively register domains that could be bitsquatted, just as some already do to prevent typosquatting, in order to protect their brands and customers.

Dinaburg also suggests that all PCs and internet-connected devices start using ECC memory, a measure that would greatly reduce the frequency of this type of error.

I found Dinaburg to be a dynamic and interesting speaker and his research really innovative. This isn’t likely to be the world’s next big security problem, but it is something all high-volume web service providers should think about.