What is bitsquatting?
Bitsquatting exploits random single-bit errors in computer memory to redirect DNS queries to attacker-controlled domains. This guide explains the mechanism behind bit-flip domain hijacking, examines experimental evidence from multiple research campaigns, and covers detection strategies.
What it is
Bitsquatting is a form of domain abuse where an attacker registers domain names that differ from a legitimate domain by a single bit in their ASCII representation. The technique was introduced by Artem Dinaburg at DEF CON 19 and Black Hat USA in 2011. Unlike regular typosquatting, bitsquatting does not inherently rely on human typing errors. It exploits hardware-level bit-flip errors in RAM that silently corrupt a domain name stored in memory before a DNS lookup occurs.
Every character in a domain name is stored as a sequence of bits. If a single bit in RAM flips, the character changes to a different ASCII value. The letter i in windows (binary 01101001) becomes h (binary 01101000) when bit 0 flips, turning windows.com into whndows.com. No user mistake is required; the corruption happens inside a device's memory between the moment a domain string is written and the moment it is read for resolution.
A domain string is copied multiple times in memory during a typical request, by the browser, the operating system's name-resolution layer, and the networking stack. Each copy is another opportunity for a bit-flip to corrupt the value before it reaches the network.
How bit-flips occur
Bit-flips in dynamic random-access memory (DRAM) have been studied extensively. A large-scale field study published by Google examined memory errors across thousands of servers over 2.5 years and found error rates far higher than laboratory estimates. More than 8% of memory modules experienced at least one error per year. One commonly cited extrapolation suggests a consumer machine with 4 GB of RAM has a high probability of experiencing at least one bit-flip within a few days.
Common sources of single-bit errors include:
- Non-ECC RAM in consumer laptops, phones, routers, and Internet of Things (IoT) hardware
- Cosmic ray interactions with semiconductor memory (single-event upsets)
- Aging or defective hardware with degraded memory cells
- Power and temperature fluctuations that destabilize memory cells
The probability of any individual bit-flip is minuscule. But the sheer volume of internet-connected devices turns that small probability into a statistical certainty, similar to a lottery where enough tickets are in play that someone always wins.
How bit-flips produce valid domains
Not every bit-flip results in a valid domain character. DNS labels are limited to a-z, 0-9, and hyphens, so only flips that land within that range produce a registrable string. The domain cnn.com, for instance, can become con.com when a single bit in the letter n flips to produce o.
Longer domains yield more variants. The original research enumerated single-bit permutations for eight targets (including microsoft.com, amazon.com, akamai.net, and fbcdn.net) and identified 32 registrable bitsquat domains across them. The choice of targets was deliberate: content-delivery and advertising domains are resolved far more frequently than domains that users type manually, and requests to them are almost certainly not typos.
Experimental evidence
The original proof of concept
For the original experiment, Dinaburg registered 32 bitsquat domains for eight frequently resolved targets and logged traffic from September 2010 through May 2011. The results confirmed that bitsquatting works at internet scale:
- 52,317 HTTP requests arrived from 12,949 unique IP addresses over approximately seven months.
- Excluding three anomalous bursts, an average of 59 unique IPs per day made requests to the 32 domains.
- The traffic consisted of requests for JavaScript files, software installers, and ad-network resources, not manually typed URLs.
Several findings stood out:
- Amplification through infrastructure. A bit-flip on a single device affects only that device, but a bit-flip in a proxy server, DNS resolver, or application cache can redirect thousands of users at once. One observed error that changed fbcdn.net to fbbdn.net routed more than a thousand Farmville players to the researcher's server.
- Mobile and embedded overrepresentation. Phones, game consoles, and other embedded devices were disproportionately represented in bitsquat traffic compared to general web traffic at the time. These devices typically lack error-correcting memory.
- Errors occur before DNS resolution. In 96% of observed requests, the bit-flip had already happened in device memory before the DNS query was sent. This means transport-layer security (TLS) and DNSSEC offer little protection; they secure data in transit, not data sitting in RAM.
Verisign later investigated whether network-level errors in DNS packets contributed to bitsquat traffic. Their conclusion reinforced the original finding: corruption during network transmission is rare and caught by existing checksums, but errors that occur before the query leaves a device's memory are not.
Revisiting the technique with windows.com
A decade later, an independent researcher known as Remy mapped 32 valid domains that were one bit-flip away from windows.com and found that 14 remained unregistered. He purchased all 14 for approximately $126 and set up wildcard DNS entries to capture traffic to any subdomain.
Over just two weeks, his server received 199,180 connections from 626 unique IP addresses attempting to reach ntp.windows.com, the time-sync endpoint that Windows devices contact automatically each week. The time-sync client performs no authentication, so a bitsquat operator could, in theory, feed incorrect time values to connecting machines.
The experiment highlighted something the original research did not emphasize: bitsquatting affects background operating-system services, not just browser traffic. Time sync, telemetry, and update checks all resolve domain names automatically, and each lookup is a potential target for bit-flip corruption.
Espionage applications
At the 2019 Kaspersky Security Analysts Summit, researchers from Bishop Fox presented findings under the title "Ghost in the Browser". They registered hundreds of bitsquat variants for high-value targets including skype.com and symantec.com and demonstrated how bitsquatting could serve as an espionage vector. Because bitsquat traffic arrives involuntarily, intercepted connections can be exploited to inject malicious JavaScript, harvest credentials via Single Sign-On flows, or redirect software update requests, all without the target taking any suspicious action.
Scale and permutation count
Bitsquatting produces a small, deterministic set of candidate domains compared to other typosquatting permutation methods. Each character in a domain label has 7 meaningful bits (the high bit is always 0 in ASCII), giving 7 single-bit variants per character. A 10-character domain has roughly 70 raw variants, but only a fraction map to characters in the valid DNS label set (a-z, 0-9, hyphen). In practice, a typical domain yields between 20 and 40 registrable bitsquat permutations.
Traffic volume to any single bitsquat domain is low relative to a popular typosquat. Bit-flips are rare per device, but they occur at measurable rates across billions of devices worldwide. The involuntary nature of the traffic makes bitsquatting harder to attribute and harder for end users to report, since the affected user has no awareness that anything went wrong.
Why common defenses fall short
ECC memory (Error-Correcting Code) detects and corrects single-bit errors, effectively neutralizing the local bit-flip risk. However, ECC is uncommon in consumer laptops, phones, routers, and embedded devices. Even when a server runs ECC hardware, the DNS query may originate from a client device that does not.
TLS/HTTPS protects data in transit between two endpoints. It does not protect against corruption of data at rest in memory before a connection is established. If a domain name flips in RAM and the device resolves the bitsquat domain, the TLS handshake completes normally with the attacker's server (assuming the attacker has obtained a certificate for the bitsquat domain).
DNSSEC signs DNS responses to prevent tampering during resolution, but it operates on the assumption that the query itself is correct. A bit-flip that corrupts the domain before the query is sent results in a valid, correctly signed response for the wrong domain.
Detection and monitoring
Bitsquat domains can be enumerated deterministically: generate all single-bit ASCII permutations of each character in a domain label and filter for valid DNS characters. The resulting set is small enough to monitor comprehensively.
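The enumeration described above, together with the permutation count from the earlier section, as an added example (not code from the original research or from any tool this page mentions). It assumes the input is a registrable name such as windows.com and flips bits only in its leftmost label; the function names and the sample registration feed are constructed for illustration.

```python
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen).
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitsquats(domain):
    """Return {variant: (position, bit)} for every one-bit change to the
    leftmost label of `domain` that is still a valid hostname label."""
    label, _, suffix = domain.lower().partition(".")
    variants = {}
    for pos, ch in enumerate(label):
        for bit in range(7):  # ASCII uses 7 bits; the high bit is always 0
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            if flipped == ch or flipped not in LABEL_CHARS:
                continue  # case-only change (same DNS name) or illegal char
            new_label = label[:pos] + flipped + label[pos + 1:]
            if new_label.startswith("-") or new_label.endswith("-"):
                continue  # labels may not begin or end with a hyphen
            variants[f"{new_label}.{suffix}"] = (pos, bit)
    return variants


def match_feed(protected, feed):
    """Return feed entries that are bitsquats of any protected domain."""
    watch = {}
    for dom in protected:
        for variant, (pos, bit) in bitsquats(dom).items():
            watch[variant] = (dom, pos, bit)
    hits = []
    for name in feed:
        key = name.lower().rstrip(".")  # normalise case and trailing root dot
        if key in watch:
            hits.append((key, *watch[key]))
    return hits


# Constructed sample of newly observed registrations (not real data).
SAMPLE_FEED = ["whndows.com", "example.org", "CON.com.", "windows-update.example"]

if __name__ == "__main__":
    print(len(bitsquats("windows.com")), "variants of windows.com")
    for hit in match_feed(["windows.com", "cnn.com"], SAMPLE_FEED):
        print("bitsquat registered: %s (of %s, char %d, bit %d)" % hit)
```

The same watch list can be matched against zone-file diffs, Certificate Transparency entries, or passive DNS records in place of the sample feed.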
Useful monitoring signals include:
- WHOIS and RDAP registration data. New registrations matching known bitsquat permutations indicate potential abuse.
- Zone file monitoring. Passive observation of TLD zone files surfaces registrations before any traffic is served.
- Certificate Transparency logs. A bitsquat domain that obtains a TLS certificate is likely preparing to serve HTTPS content or intercept encrypted connections.
- Passive DNS data. Resolution activity for bitsquat domains can reveal whether they are actively receiving traffic.
Because the permutation space is small and predictable, defensive registration of high-risk bitsquat variants is more practical than for most typosquatting categories, where the variant count is much larger. Remy's windows.com experiment demonstrated that even a major platform can leave bitsquat domains unregistered; 14 of 32 variants for one of the most commonly resolved domains on the internet were available for $126.
Have I Been Squatted includes bitsquat permutations in its monitoring set alongside omission, transposition, and other lookalike domain categories. Because the permutation count is bounded and deterministic, these variants can be generated for any monitored domain and checked against registration and certificate data automatically.