What are bitflips?

Bitflips occur when a bit in memory flips its value. For example, when your browser attempts to resolve example.com, it stores the string in memory as:

e        x        a        m        p        l        e        .        c        o        m
01100101 01111000 01100001 01101101 01110000 01101100 01100101 00101110 01100011 01101111 01101101

If one of those bits flips to the opposite value, the domain will change. For example, if the 4th bit in the first byte changes from a 0 to a 1, the string will look like this:

u        x        a        m        p        l        e        .        c        o        m
01110101 01111000 01100001 01101101 01110000 01101100 01100101 00101110 01100011 01101111 01101101

As you can see, the domain has changed to uxample.com. In most cases, these domains are not registered and the request silently fails.
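The flip shown above, generalised to every bit of a name, as an added example (not Project Bitfl1p's bf-lookup or any other code from this project). It lists the valid hostnames one bit away from a domain you own, for defensive registration or monitoring, and checks whether a name seen in DNS logs is such a flip. The function names and the sample queries are constructed for illustration.

```python
import string

# Characters permitted in a hostname label (letters, digits, hyphen).
LDH = set(string.ascii_lowercase + string.digits + "-")

def _hyphens_ok(name):
    # A label may contain a hyphen but may not start or end with one.
    return not any(l.startswith("-") or l.endswith("-") for l in name.split("."))

def bitflips(domain):
    """Valid hostnames one bit flip away from `domain` (ASCII). Dots are never
    flipped or created, so label structure is kept; TLD existence is not checked."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            # DNS is case-insensitive, so the 0x20 flip ('e' -> 'E') is not a new name.
            if flipped == ch or flipped not in LDH:
                continue
            candidate = domain[:i] + flipped + domain[i + 1:]
            if _hyphens_ok(candidate):
                found.add(candidate)
    return found

def flipped_bit(observed, legit):
    """Return (byte, bit), both 1-based with bit 1 the leftmost, if `observed`
    is `legit` with a single bit flipped; otherwise None."""
    a, b = observed.lower().rstrip("."), legit.lower().rstrip(".")
    if len(a) != len(b):
        return None
    diffs = [(i, ord(x) ^ ord(y)) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) != 1:
        return None
    i, xor = diffs[0]
    if xor & (xor - 1) or xor > 0x80:  # more than one bit differs
        return None
    return i + 1, 9 - xor.bit_length()

# Constructed sample of queried names, checked against one protected domain.
SAMPLE_QUERIES = ["uxample.com", "EXAMPLE.com.", "exa-ple.com", "examples.com", "exbmple.com"]

def classify(queries, legit="example.com"):
    return {q: flipped_bit(q, legit) for q in queries}

if __name__ == "__main__":
    for name, hit in classify(SAMPLE_QUERIES).items():
        print(name, hit)
```

In the sample, exbmple.com differs from example.com by two bits in one byte, so it is reported as an ordinary typo rather than a bit flip.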

For further information about bit flips, I highly recommend Robert Stucke's DEFCON 21 talk "DNS May Be Hazardous to Your Health" and Artem Dinaburg's DEFCON 19 talk "Bit-squatting: DNS Hijacking Without Exploitation".

What was Project Bitfl1p?

Project Bitfl1p was an attempt to gather information about how common bit flips are as well as what environments they most commonly occur in. To reach this goal, I registered hundreds of bit flipped domains for common sites on the internet. When a request was received, the information about the request was logged and, where applicable, returned with additional tracking scripts to gather information about the environment of the user.

Where has this been presented?

This research was presented at DEF CON 23. The slides are available here.

Where are the tools?

Generate bit-squats of a given domain: bf-lookup
Golang DNS server for answering bit flipped queries: bf-dns
Lighttpd configuration and PHP API scripts: bf-www
Splunk lookups, sourcetypes, and queries for analysing data: bf-splunk

Where is the data?

DNS Queries: dns.json.gz (1.4G, 23G uncompressed)
Anonymized Webserver Logs: anon-access.json.gz (81M, 1.2G uncompressed)
Anonymized SSL Logs: anon-ssl.log.gz (80M, 510M uncompressed)
Anonymized SMTP Logs: anon-smtp.log.gz (105M, 493M uncompressed)

How can I contact you?

I've made no attempts to hide my identity for this project. My contact info can be found in the whois information of all domains I have purchased, including this one. If you've got a question, comment, or legal threat, please send it to hello@bored.engineer.