Protect Against DNS Bitsquatting with TLS

Bitflipping occurs when 1s and 0s spontaneously flip at various levels in the stack (memory, network, storage) and when not corrected, can cause erroneous hostnames to materialize.  My first exposure to bitflipping was at Yahoo!; my team had the foresight to acquire our bitflipped permutations many years prior.  As the topic of bitsquatting surfaces every now and again I decided to test the premise myself. I picked a key domain name that I knew carried an enormous portion of internet traffic, “rented” the bitflipped permutations (I unregistered the domains within 72 hours), and soon started receiving stray http requests intended for major web properties (the top requested host headers were for two tech giants with a combined market cap over 700B).

Completely absent from the http logs (but present on the authoritative DNS logs) were host names for sites that ran full TLS/SSL.  Clients directed to my Apache instance over :443 wouldn’t proceed since I wasn’t the correct entity…SSL for the win! While I could have generated self-signed certs, this was beyond the scope of my weekend, and many of the requests were from mobile apps which may not present an “accept a mistmatch/invalid cert” prompt.

In summary, while registering bit flipped permutations of your domain can improve security, far more mileage is achieved by simply migrating to full SSL.

Here’s how you can quickly explore the world of Bitflipping:

1. Select your domain of choice. Since bitflips are infrequent, your odds are improved by using a popular record.

2. Use this simple script I hacked together to find the permutations.

./bit_flip_permutations.py -d $resource_record

3. Quickly list out which domains aren’t registered yet.


for i in `./bit_flip_permutations.py -d $resource_record`;
do
    whois $i.com | egrep '^No match|^NOT FOUND|^Not fo|AVAILABLE|^No Data Fou|has not been regi|No entri';
done

4. Register them with a good Registrar (I recommend NameCheap, great DNS support), and don’t forget to unregister them within 72 hours.

5. You’ll get more data if you can run your own authoritative DNS server with full logging.