Objective: Detect and analyze the frequency of bit flips for an average internet user through the use of bitsquatting.
Bit flips occur when a bit in memory flips its value. For example, when your browser attempts to resolve example.com it stores the string in memory as:
| e | x | a | m | p | l | e | . | c | o | m |
|---|---|---|---|---|---|---|---|---|---|---|
| 01100101 | 01111000 | 01100001 | 01101101 | 01110000 | 01101100 | 01100101 | 00101110 | 01100011 | 01101111 | 01101101 |
If one of those bits flips to the opposite value, the domain will change. For example, if the 4th bit (counting from the left) in the first byte changes from a 0 to a 1, the string will look like this:
| u | x | a | m | p | l | e | . | c | o | m |
|---|---|---|---|---|---|---|---|---|---|---|
| 01110101 | 01111000 | 01100001 | 01101101 | 01110000 | 01101100 | 01100101 | 00101110 | 01100011 | 01101111 | 01101101 |
As you can see, the domain has changed to uxample.com. In most cases these domains are not registered and the request silently fails.
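As an added illustration (this is not the project's bf-lookup tool), the following Python enumerates the single-bit-flip neighbours of a domain that could actually be registered. It numbers bits from the left as the tables above do, leaves the TLD untouched, and discards flips that leave the ASCII range, produce a character that is not valid in a hostname, or only change letter case (which DNS ignores).

```python
"""Enumerate the single-bit-flip neighbours (bitsquats) of a domain name."""
import string

# Characters permitted in a DNS label: lowercase letters, digits and hyphen.
# Uppercase is deliberately excluded: flipping the 0x20 bit only changes case,
# and DNS is case-insensitive, so that is not a new domain.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def flip_bit(byte, bit):
    """Flip one bit of a byte; bit 0 is the leftmost (most significant) bit,
    so bit 3 is the '4th bit' of the tables above (0x65 'e' -> 0x75 'u')."""
    return byte ^ (0x80 >> bit)


def valid_hostname(name):
    """Syntactic check: no empty label, no label starting or ending with '-'."""
    return all(lbl and not lbl.startswith("-") and not lbl.endswith("-")
               for lbl in name.split("."))


def bitsquats(domain):
    """Return (variant, byte_index, bit_index) for every single-bit flip in the
    part of `domain` before the TLD that still yields a valid hostname.
    The TLD is left alone because a flipped TLD cannot be registered."""
    domain = domain.lower()
    prefix, _, tld = domain.rpartition(".")
    raw = prefix.encode("ascii")
    results = []
    for i, byte in enumerate(raw):
        for bit in range(8):
            flipped = flip_bit(byte, bit)
            if flipped > 0x7F:          # left the ASCII range: not a hostname
                continue
            ch = chr(flipped)
            if ch not in LABEL_CHARS and ch != ".":
                continue
            variant = (raw[:i] + bytes([flipped]) + raw[i + 1:]).decode("ascii")
            variant = variant + "." + tld
            if variant != domain and valid_hostname(variant):
                results.append((variant, i, bit))
    return results


if __name__ == "__main__":
    for name, i, bit in bitsquats("example.com"):
        print(f"{name:<16} byte {i} bit {bit}")
```

Flipping a '.' into a letter (e.g. www.example.com becoming wwwnexample.com) is also reported, since that variant is registrable too.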
For further information about bit flips I highly recommend Robert Stucke's DEFCON 21 talk "DNS May Be Hazardous to Your Health" and Artem Dinaburg's DEFCON 19 talk "Bit-squatting: DNS Hijacking Without Exploitation".
Project Bitfl1p was an attempt to gather information about how common bit flips are as well as what environments they most commonly occur in. To reach this goal, I registered hundreds of bit flipped domains for common sites on the internet. When a request was received, the information about the request was logged and, where applicable, returned with additional tracking scripts to gather information about the environment of the user.
This research was presented at DEF CON 23. The slides are available here.
Generate bit-squats of a given domain: bf-lookup
Golang DNS server for answering bit flipped queries: bf-dns
Lighttpd configuration and PHP API scripts: bf-www
Splunk lookups, sourcetypes, and queries for analysing data: bf-splunk
DNS Queries: dns.json.gz (1.4G, 23G uncompressed)
Anonymized Webserver Logs: anon-access.json.gz (81M, 1.2G uncompressed)
Anonymized SSL Logs: anon-ssl.log.gz (80M, 510M uncompressed)
Anonymized SMTP Logs: anon-smtp.log.gz (105M, 493M uncompressed)
I've made no attempts to hide my identity for this project. My contact info can be found in the whois information of all domains I have purchased including this one. If you've got a question, comment, or legal threat please send it to hello@bored.engineer.