Bit-squatting: DNS Hijacking Without Exploitation

Video in TIB AV-Portal: Bit-squatting: DNS Hijacking Without Exploitation

Formal Metadata

Title
Bit-squatting: DNS Hijacking Without Exploitation
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
Artem Dinaburg - Bit-squatting: DNS Hijacking Without Exploitation
https://www.defcon.org/images/defcon-19/dc-19-presentations/Dinaburg/DEFCON-19-Dinaburg-Bit-Squatting.pdf

We are generally accustomed to assuming that computer hardware will work as described, barring deliberate sabotage. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunctions in DRAM chips manifest as flipped bits. Security researchers have known about the danger of such bit flips, but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed. This presentation will show that, far from being a theoretical nuisance, bit flips pose a real attack vector. First the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data the presentation will also attempt to ascertain the cause of the bit flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party. The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting, and other attacks enabled by bit-flip errors, are practical and serious, and should be addressed by software and hardware vendors.
Artem Dinaburg currently works as a security researcher at Raytheon, investigating a broad range of security related topics. Prior to joining Raytheon, Artem worked as a security researcher building automated malware analysis systems, investigating web-based exploit kits, and identifying botnet command-and-control domains. While a graduate student at Georgia Tech he created hypervisor-based dynamic malware analysis platforms under Dr. Wenke Lee.

My name is Artem Dinaburg. I work as a security researcher for Raytheon Company, and I'm here to talk to you about a vulnerability I discovered called bit-squatting.

In these slides I always like to start off with the problem, and the problem is that you may be compromised even when you're following the very best web security practices. So let's go into a little more detail. Let's pretend you're a user somewhere around the world and you're browsing Facebook. When you're browsing Facebook, a lot of things get loaded in the background, such as images, JavaScript and CSS, and sometimes they're not actually loaded from Facebook; they're loaded from a domain that's one bit away from Facebook. And Facebook isn't the only site that's vulnerable. Technically any site is vulnerable, and the more popular a website is, the more vulnerable it is. Some of you may be out there thinking, "Hey, I'm running Windows 7 and the latest Chrome, so this problem isn't something I should be bothered by." But you're probably wrong. This slide has actual platforms that have requested resources from me instead of from the domain they were originally going to. The problem is actually platform, operating system and hardware agnostic.

You may be thinking, "Hey, this is pretty interesting, so it must need a lot of skills." But you'd be wrong; it's actually extremely easy to perform bit-squatting. All you need to do is: one, have knowledge of some simple math; two, be able to register domains; and three, properly answer DNS for them. But there's got to be some resource constraint, like maybe you need lots of money? Actually it's extremely cheap. As I said, the only real requirements are domain registration and hosting, and the cost of registering a .com these days is about eight dollars.

Once again, the attack is called bit-squatting, and it's called bit-squatting because it's like typo-squatting but for bits. I'm assuming we're all familiar with typo-squatting, but if not, here's a good example. Let's say you want Google, which is a popular search engine, but you type an extra g and you go to goggle, where you can win Walmart gift cards and free iPads, but sorry, they're out of MacBook Airs. This is not what I'm talking about. Bit-squatting requires absolutely no typing, and the reason is that while humans do a lot of typing and they make a lot of mistakes, computers make a lot more DNS queries. The graph on the slide is actually to scale. If you look at that top right corner, you see a little guy circled in red; that's the proportion of DNS requests that humans make compared to the proportion of DNS requests that computers make.

A little bit about how I got these numbers. The 1,500 comes from doing some math on the OpenDNS blog. In a blog post dated this March they said that they had 30 billion unique DNS queries per day. If you go to their website it says that they have 20 million users. Doing some simple math leads to 1,500 DNS queries per user. Another website, visualeconomics.com, calculated that people go to 89 different domains a month; prorated to per day, that's three. So while typo-squatters are going after the three domains that you type in, bit-squatting goes after the 1,497 that you don't. And how can you take advantage of these 1,497 domain lookups? Computer hardware
errors. Just to clarify, I'm not talking about things like bad programming, buffer overflows or logic bugs. I'm talking about errors in the hardware that cause even perfectly written programs to misbehave. The thing is, computers are devices made by mere mortals, and they have things like tolerances and mean times to failure. One of the potential failures that can arise is called a bit error, and in the literature these are sometimes referred to as single event upsets. This means that the electrical representation of a one gets transformed into a zero, or the electrical representation of a zero gets transformed into a one. It's really important to notice that these bit errors happen in context; they don't happen in a void. Whenever a bit changes from 1 to 0 or from 0 to 1, it happens in, let's say, your linked lists, your trees, other data structures, maybe your login credentials, or maybe it happens in some cached HTML that happens to have a domain name, and maybe your browser will then look up the domain and fetch some JavaScript from it.

So now that we've talked about bit errors, let's go through an introduction. I don't know if you all can tell what this man is doing, but he's actually working on the ENIAC, and what he's doing is replacing a vacuum tube. The ENIAC was made before modern transistor technology, and it used vacuum tubes for memory storage and computation. These vacuum tubes failed, and they failed a lot. Whenever one of these tubes would fail, the machine would either give incorrect answers or it would stop working at all. These were the first examples of bit errors, and they've been with us for a very long time. But we don't use vacuum tubes these days; we moved on to transistors and then integrated circuits, and they're much more reliable, and we should have never encountered any problems with ICs and random failure, right guys? Well, not quite.

This is a RAM board from the MITS Altair 8800. The MITS Altair is actually a very famous computer; it ushered in the minicomputer revolution. Microsoft's first product was Altair BASIC; it helped launch the company. But we're not here to discuss that. What we're focused on is those purple chips at the top of the RAM board. Those are Intel 2107 series DRAM chips, and in 1978 two engineers from Intel, May and Woods, discovered that these chips were catastrophically failing. The problem was traced back through the supply chain, and eventually they found out that what had happened is that Intel had built the chip fab downstream from an old uranium mine, and during fabrication these chips would be contaminated with radioactive alpha emitters. So then, when this chip was running software, possibly MITS Altair BASIC, an alpha particle would get emitted, it would flip some ones to zeros, and your perfectly running application would crash. They published a paper on this and the semiconductor industry took note. They took this very seriously, they refined manufacturing processes, and this has certainly never happened again, right everyone?

Fast forward to 2001. This is a Sun UltraSPARC II; the one in the slide is from 1997, but that's not what we're focused on. In 2001 a lot of very expensive Sun servers started randomly failing. The server would be running, then it would crash; you would reboot it, you would do a full self-test that would say it's perfect, and then later it would randomly die again. Naturally there were a lot of angry customers, and Sun started to check what the problem was, and it turned out it was radioactive contamination of their L1 and L2 cache. To make things worse, the L1 and L2 cache in the UltraSPARCs had no error detection, so the only time you'd realize something was wrong is when your mission-critical applications went down. But this had to be the last of it; there wouldn't really be something required. No operating system ships something to test hardware with its installation, do they?

This is an Ubuntu installation; it's a direct screenshot. One of the options is "Test memory." Why would you ever want to test memory? Because a lot of the time your test will fail, and the only people who would actually know that it failed are the people who decided to run that test. Think about how many people are running with bad hardware components who don't even know it.

These bit errors have security implications, and these security implications range a lot further than just random data corruption. In fact they range from things like sandbox escapes to extracting encryption keys out of proprietary devices. Up first is a JVM sandbox escape. In 2003 Sudhakar and Appel of Princeton University published an extremely interesting paper at IEEE Security and Privacy. They had found a way to use random bit errors to escape out of the Java JVM sandbox. What they would do is fill memory with two Java objects and references to those objects, and when a bit error would occur it would change one of the references to point from one object to the other. Once you had two differently typed references to the same object, you could then establish a write-where primitive, and once you can write executable code anywhere in memory it was game over. To test their experiment they couldn't exactly wait for a bit error to happen, so they devised the apparatus you see in the slide: that is a heat lamp attached and pointing at the RAM, and it would heat the RAM to above its critical operating temperature, to where random bit errors would happen. They were able to verify their results experimentally.

The next security implication is smart card piracy. There's actually an ongoing war between cable TV set-top box manufacturers and smart card pirates. Satellite signals are broadcast throughout and they're encrypted, and the way you view satellite TV is if you have the decryption key in a smart card. Well, pirates want to be able to decrypt those signals as well and sell knockoff smart cards. One of the ways in which they get to the encryption key in this market is they will attach to the smart card bus and then they will induce a bit error in the smart card CPU, usually via direct electrical probing, to redirect execution to pirate code, which will then proceed to dump PROM contents before it has a chance to lock itself. Now there are other
causes of bit errors besides probing by smart card pirates and heat lamps, and I'm going to get into four of them. Cause number one is heat. It is a physical fact that heat affects properties of electrical devices such as conductivity and resistivity. Now this isn't too much of a problem in desktops and maybe even laptops, because they're well cooled and they're normally operated indoors, but when it comes to mobile devices heat can be a serious issue. This is what happens when your iPhone gets too hot and eventually tells you. But did you ever wonder what happens maybe before the screen has a chance to come up, in devices that don't have one, or even at what temperature it comes on anyway? So I've got a handy graph here for you guys. This is the iPhone operating temperature as taken from the Apple website, plotted against two climates in North America, one here in Las Vegas and one in Montreal, Canada. Right now, since it's August, we are at the top of that blue curve. If you notice, it's well above the maximum iPhone operating temperature of 95 degrees. If you use your iPhone outside today, congratulations, you've been violating its operating requirements.

So the next cause of bit errors: electrical problems. This slide is actually very apt. When I found the picture, the caption for it was that this is the backup power supply for a group of computers in rural India. We are all accustomed to always-on, very good AC power in the Western world, but this isn't true for a lot of parts. Sometimes your power is extremely unreliable, intermittent, or both, and sometimes your backups are car batteries. Why not? If you have extremely unreliable input voltage, odds are that extremely unreliable effects may propagate through your electronics. Sometimes, though, it's the electronics themselves that are faulty. Pictured here is a faulty capacitor. There are actually entire websites on the Internet dedicated to identifying faulty capacitors in common motherboards; their list is a lot longer than you would think. So whenever they bid components out to the lowest bidder, sometimes they get exactly what they pay for. Capacitors also aren't the only electronic components that are pirated; there are knockoffs of all kinds of things sold on the black market, and sometimes, to skimp a buck or maybe pocket the difference, the people making your electronics might not use the best ones. Even if they do use the very best components, as we saw earlier in the case of the Intel DRAMs and the Sun UltraSPARC, sometimes there may just be radioactive contamination somewhere during manufacturing. And speaking of radiation, that brings us back to the last but certainly not least cause of bit errors, and that is cosmic rays.

Yes, I'm serious, and I specifically mean the intergalactic kind, not the solar kind. From all the research I've been able to do, the solar kind are generally not energetic enough to penetrate the upper atmosphere, but the intergalactic ones certainly are. Far from being a remote nuisance, there are some studies that indicate that cosmic rays are actually the number one source of bit errors at ground level. This is a graph taken directly from the IBM Journal of Research and Development, volume 40, number 1, page 13, for those who are interested. What it's plotting here is altitude versus cosmic ray flux, which go hand in hand: the higher up you go, the more cosmic rays there are, since there is less atmosphere. If you notice these circles and the triangles, those are actual experimentally observed errors in cache and main memory, and they align exactly with the prediction for the cosmic ray flux. Now this IBM study ran from 1978 to 1994, so it's entirely possible newer generations of RAM are differently affected, but cosmic rays are definitely something you want to consider.

So what's the distribution of the various causes of bit errors that I see in the wild? Honestly, I don't really know. I can't go halfway around the world and see what was wrong with somebody's iPhone, and it's entirely possible there are causes I didn't consider. What is interesting to know is that these bit errors do happen and they're real.

We have mentioned DRAM for a bit, and I'm going to go into a little more in-depth discussion about DRAM. DRAM is a source of really great information density for bit errors to happen: it's hard to cool, the components are always cheap, and it happens to be where the vast majority of previous bit error studies have focused. So I'll start off with some really good news, and the good news is that all errors in DRAM can be fixed by use of what is called ECC, or error correcting codes. ECC can detect and fix all single bit errors; there are actually forms of ECC that will detect all one, two, three and four bit errors. But ECC only works if you actually use it. A lot of you in the audience probably manage extensive server farms, and those typically have ECC memory, since hardware manufacturers know that bit errors do happen, especially in high-end ones. But have you thought about all the RAM in your server? I'm going to go with no. This is a hard drive pulled from one of these enterprise-class servers with ECC memory. That chip there, highlighted in yellow, is 128 megabit DRAM; it does not have ECC. This drive is actually a few years old; it only has 16 megabytes of cache. Newer drives have 32 or even 64 megabytes of cache, and enterprise servers typically have five to eight of these drives, so the data in your enterprise-class server may be going through a lot of non-ECC memory.

Let's look at some DRAM failure rates, now that we've established there's probably a little bit of it in your server somewhere. This slide summarizes two different studies, one from Tezzaron Semiconductor and one from Schroeder at the University of Toronto in association with some engineers from Google. The first thing you notice is that the scale varies very widely; this is also a logarithmic scale. The lowest error rate is about 50 and the highest error rate is about 100,000 failures in time, and a failure in time is about one error in 1,000,000,000 operating hours. Another interesting thing of note here: if you see the Manufacturer 1 to Manufacturer 6 columns, those are from the Schroeder study, and those were bit error rates measured in actual servers in Google data centers. One of the conclusions was also that the vast majority of bit errors could be attributed to specific DIMMs, counteracting the IBM study and in fact suggesting that maybe manufacturing defects are in fact the number one cause of DRAM failures. But you don't typically think in terms of one failure in 1,000,000,000 operating hours, so let's put this in a more usable perspective. If you go to dell.com, the cheapest PC you can buy will have 4 gigabytes of RAM. Assuming the worst case scenario from the previous slide, that PC will encounter approximately three bit errors per hour; assuming the best case scenario, it will encounter approximately three bit errors per month. But also it's not great to think of just a single PC; what we want to see is the emergent effect of all the DRAM on the Internet. There are several studies that say that there are approximately five billion devices connected to the Internet in 2010. Assuming each of these devices has 128 megabytes of RAM (now this assumption isn't really based on scientific fact; I felt it was a very fair compromise between the servers that have multiple gigabytes and your phone, which may have six to twenty), you will get approximately 600 petabytes of DRAM that is connected to the Internet, and using the lower end error estimates from the previous slide, that's approximately 600,000 bit errors that occur daily in all the world's internet-connected DRAM. Now how many of those errors actually happen somewhere that is interesting? Well, I set up an
experiment to find out, and the experiment is in three parts. Part one: register domain names. This list includes actual domain names that are registered; they are one bit away from certain very popular domain names. By one bit away I mean you take the domain name, you put it in its ASCII representation, you expand it out as a binary string, change ones to zeros and zeros to ones, and if it's still a valid domain name when you put it back to ASCII, you register it. The domain names I picked tended to be those of popular websites and, more crucially, advertising and content delivery networks, and the reason I picked those is because nobody ever types those addresses in, but you certainly look them up an extremely large amount of the time.

Experiment step two is you have to properly answer DNS, and this is actually very important, and I'm going to go through this with an example. So let's say somebody out there is trying to resolve a domain name I registered; let's say it's mic2osoft.com, one bit away from microsoft.com. So you're going to get an A record request, and of course you'll answer it, but the trick here is that we think that a bit error happened somewhere on that server that asks you for the domain name; therefore we will also send it back a second reply for the original domain we expected it to be. The reason we do this is because if it's expecting a reply for microsoft.com, it will discard the reply for mic2osoft.com but silently accept the microsoft.com one; if it did indeed query mic2osoft.com, it'll accept that reply but discard the microsoft.com reply. In an overview: for every DNS request you receive, you have to send back two responses, and this isn't just A records, this is also other types of records such as NS requests.

Assuming your bit-squatting was successful, the next thing that's going to happen is you will get an HTTP request, so you set up an HTTP listener and you log the connection, and in this case I chose to return HTTP 404 Not Found for every single request I received, since I wanted to avoid causing any damage to any of the requesting computers. Once again: you get a request, you log the request, you send it back a 404, and you close the connection. That is how I set up my experiment, and the first thing that really surprised me is that people actually show up. This is the
traffic volume of raw HTTP requests for a six-month period, from the end of September to the beginning of May. As you can see, there is a steady background stream of requests punctuated by several extreme spikes; the biggest was approximately 3500 HTTP requests per day. But raw requests isn't necessarily a fair comparison, since, you know, maybe some machines out there get in a loop and you have one guy requesting the same resource over and over again. So here instead is the traffic volume by unique IP address per day. Some of the peaks disappear but others still remain. Aside from the steady stream of background noise, there are three major events, labeled here as A, B and C, each of these caused by bit-squatting, and I will get into detail on these in the next few slides.

So what caused event A, which affected more than 1600 unique IPs on the Internet? That critical application happens to be FarmVille. Yes, I'm serious. The reason this says 1300 IPs is because I could only attribute 1300 of those directly to FarmVille, but the other three hundred are also from similar causes. So how exactly does this happen? Well, let's diagram this out. Let's pretend you're a user somewhere and you want to go play some FarmVille. Then you request some stuff from Facebook, and a bit error happens in either the Facebook or the FarmVille servers, and profile.ak.fbcdn.net changes to profile.ak.fbbdn.net. I happen to own fbbdn.net, and this bit error happens to happen in the URL of an ad server, and this URL gets cached and then served up to the 1300 people who keep requesting that resource. Instead of requesting ads from FarmVille, they're requesting ads from me. I could have sent them anything I wanted, but I chose the 404. Once again, an overview: you're doing nothing wrong, going to play some FarmVille; a bit error happens somewhere outside of your control, in either the Facebook or the FarmVille servers; this bit error gets cached, served up to 1300 people, and those 1300 people request ads from me instead of from FarmVille. And that's event A.

Event B was 456 unique IPs, and the cause of that was also FarmVille. The reasoning behind it was actually also pretty much the same, except the bit error here was different. You would play FarmVille, a bit error changes fbcdn.net to fbgdn.net, once again this bit error gets cached somewhere in the FarmVille cache, gets served up to 130 different people who request ads from me, and of course you'd have to send them an ad. I chose the 404s, but there's no reason somebody malicious couldn't send them some choice JavaScript. That's it for event B.

Event C is actually the most interesting of them all, and I promise it's actually not FarmVille, and it affected 246 unique IPs. What's interesting about event C is that it's an actual case of DNS poisoning caused by random bit errors. After looking through the logs for the days of event C, I noticed that all of the requests for those few days were, one, from the same /24 and, two, they were all for the same server. Here is approximately what happened. So you're someone in that /24; you request your ISP to resolve s0.2mdn.net; a bit error occurs somewhere in your ISP's recursive domain server, and instead of requesting s0.2mdn.net, it requests to resolve s0.2-dn.net, which I happen to own. If you recall from before, we always send two DNS replies. One of the replies we're going to send back is for s0.2mdn.net; this reply is going to, one, get cached in the DNS server and, two, get propagated to the original requester, who will then request an ad from me instead of from 2mdn, and I will send them a 404, but of course you can be more creative. As a full overview of the entire process: you are browsing some website, you request an ad, your local ISP's DNS server cache happens to be empty, it queries instead s0.2-dn.net, I own that, I answer DNS authoritatively for it and I say hey, here's the IP address for s0.2mdn.net, that gets cached, propagated to the original requester, and now everybody in that /24, when requesting s0.2mdn.net, will instead get my IP instead of the original one until the DNS cache expires. So that concludes the three outlier events.

If you look at the traffic without outliers, you see that it's generally just a random trickle of requests, but even here you can see by the blue line that there is an average of 59 requests; this is 59 requests with only 32 domains, and this can easily be linearly scaled up by any sort of organized person. The next thing I wanted to do after measuring the traffic volume was to see the volume per hour. My intuition here
was that there would be more bit errors when it's hotter outside during the day. Unfortunately, it also turns out that most people use their computers during the day, so it's impossible for me to separate the causes due to heat from simply more traffic use. But it is very interesting that this graph approximately mirrors North American Internet traffic, and this only includes the traffic from those IPs that are geolocated to within the United States. There's a steady start of traffic at about eight Eastern; it goes and levels off at about 2pm and stays steady up until midnight, where it rapidly drops off, only to resume again the next morning.

The next thing I was curious about is what operating system all of these users are using. So I have their User-Agent header, which conveniently tells me browser and operating system, so I decided to compare the operating system of people visiting my bit-squat domains to the people visiting Wikipedia for March of 2011. I'll start off with the commonalities. So there's a giant common share of Windows boxes, which is to be expected; Windows is the most popular OS. Then there's about three percent iPhones, 1% Linux users and one percent Android. Now, the differences is what's really striking. First, for some reason only two percent of the visitors to my bit-squat domains use Apple OS X, whereas eight percent of the visitors to Wikipedia do. I do not have a conclusive explanation for this; my thoughts range from potentially better build quality to maybe the aluminum casing being a better cosmic ray shield. Not really sure. And the crucial thing here is that the "other" field for bit-squats is five percent, whereas the "other" field for Wikipedia is two percent. So I looked at the user agents of these others, and this is all kinds of handheld mobile devices and gaming platforms. Things I saw were Wiis, PlayStation 3s, PSPs, Sony Ericsson phones, Samsung phones and other devices, and a lot of these phones also really like telling you what carrier they're on, for some reason; not sure of the logic behind that.

Next I wanted to know, so, where are these people coming from? At first I graphed this for all of the visitors, but I chose to limit it to microsoft.com, since some of the sites I bit-squatted are disproportionately popular in the United States. I figured Microsoft would be a good target, since the vast majority of DNS lookups would in fact be from automated Windows machines. The results here are actually extremely surprising: they do not correspond to population, they do not correspond to the number of Internet devices, and they do not correspond to the number of Internet users. I don't have a solid explanation for this. My only guesses include, potentially, that, as we saw from before, not all bit-squats are equal: sometimes you win the bit-squat lottery and get some server in FarmVille, sometimes you just bit-squat somebody's iPhone. It's entirely possible that I just happened to bit-squat more useful places in China and Brazil, but this definitely warrants further research to see exactly what the issue is.

Next, what I looked at was which domain these people are looking up, and this includes outliers. So of course Facebook is by far and away the crowd favorite, followed by bit-squats of Microsoft, followed by various content delivery and advertising domains. If you see there, highlighted in yellow, is msn.com. If you were to look at the list of domains that I bit-squatted, msn.com wasn't actually on that list, so how did msn.com make it into the top 25 most popular domains despite the fact that I didn't bit-squat it? Well, I'm going to explain it, but first I want to explain the places where bit errors can
happen. There's two different places: one of these is the DNS path, and this happens during name resolution, and one of these is the content path, which occurs before DNS ever has a chance to work. We'll start off with the DNS path, and this is best illustrated by example. So you request fbcdn.net from your ISP; a bit error occurs in your ISP's DNS server and instead it requests fbbdn.net. I own fbbdn.net; I send two DNS replies, one of these is for the original domain, and this domain reply gets propagated back to the original requester. Then, this is crucial, the original requester will make an HTTP request to me. I don't know how many of you are familiar with the HTTP 1.1 protocol, but HTTP 1.1 requires that you use the Host header, and the Host header contains the domain that you actually think you're connecting to. So in the case of bit errors during DNS, I will see a Host header of the original domain in my HTTP logs, and of course then you can send them whatever you'd want back. Once again, as an overview: you request fbcdn.net, a bit error occurs somewhere in the DNS resolution path, and what ends up being requested is fbbdn.net; the bad reply gets propagated to the original requester, who then makes an HTTP connection and, crucially, in their Host header uses fbcdn.net, the original domain.

Now on to bit errors in the content path, and the content path is the FarmVille type of bit errors. So you're somebody browsing something like Facebook; a bit error happens somewhere in the extensive Facebook memory caching infrastructure, and let's say it's, you know, for a JavaScript you're about to pull from it, and the domain changes from fbcdn.net to fbbdn.net. Then you will connect to my bit-squat server and in your Host header you will say fbbdn.net, because the bit error occurred before you ever looked the domain name up; you were bound to connect to fbbdn.net because the bit error happened in the actual content. And now, this content didn't actually have to get corrupted somewhere on the server; it could have entirely been corrupted in, let's say, the memory of your iPhone. Afterwards I send them back a reply. As an overview: you're browsing Facebook, a bit error happens somewhere in the content, either in the cache or maybe somewhere in your memory or maybe when you're parsing HTML, and crucially, when you make the HTTP request, your Host header has the bit-squat domain and not the original domain.

So what's the actual breakdown of these that we see? Ninety-six percent of the time, and this includes the outliers since they were actually caused by bit errors, ninety-six percent of the time the Host header that I see is the bit-squat Host header. That means that all of the security research that you've been doing for DNS would not fix it; what we need is research on ensuring content integrity. The other four percent of the time the error happens along the DNS path, and if you look, one percent of the domains aren't the bit-squat domain, they're not the original domain, they're in fact other domains, such as the msn.com that we saw earlier, and the reason this occurs is because of CNAME chains. This is an
example, an actual example that I observed, of a CNAME chain. When you want to resolve a domain, the domain actually says hey, I'm a canonical name for this other domain, and that domain is a canonical name for yet another one, and you follow this chain until you finally resolve a domain to an IP. If a bit error occurs anywhere following the CNAME chain, you will get redirected to a bit-squat domain instead of the original domain, and that's how I was able to get requests for Microsoft and for ax.init.itunes.apple.com despite the fact that I did not bit-squat those domains.

So speaking of other domains, it's time for a series of real-life examples. I apologize if this is really small, but I couldn't think of a way to better convey it, so sorry for those of you in the back. The very top request is of course for ax.init.itunes.apple.com, and I believe that person is actually trying to activate their iPhone; I can only assume they were unsuccessful. There's a few of these: there's one for AdMob and there's a few for MSN, and I want to note that this is not an exhaustive list of the ones I saw; I saw quite a bit more of these, these are just the ones I chose to include. Next up is people browsing Facebook. These are people requesting JavaScripts from me while they're logged into and browsing their Facebook sessions. It doesn't take a lot of thinking to figure out that you can extremely easily steal their Facebook session cookies, send them some phishing pages, or do other really malicious activity. Next up is people requesting Windows updates. Some of these are for the initial Windows Update self-updater, but if you see that bottom one, somebody is actually requesting an EXE from my server instead of the Windows Update server. I really hope they verify those signatures. Next up, people browsing their webmail and requesting ads from me while they're logged into their webmail session. This is also not an exhaustive list, but I hope you'll recognize the dangers of this: if you have JavaScript running when you're logged into your webmail session, I can potentially steal webmail credentials. That's not a good thing. Also, the two examples here are from live.com; I don't want to pick on them, I got lots of requests from various webmail sessions, these are just the ones that I happened to find first and put in.

Next example: Dr. Watson crash reports. So one of the biggest criticisms I got during this entire thing was that hey, these things can't possibly be legitimate, because whenever a machine encounters bit errors it's just going to crash, and it'll die before you ever see anything useful. Well, I'm sure that certainly happens a very large percentage of the time, but some of the time the machine crashes and you can get something useful out of it. Interestingly enough, I don't know if you're familiar with Windows Error Reporting, but the server on the other end can actually potentially request a full memory dump from your machine. So if this happened to you, I could have potentially requested you to send me the contents of your RAM. My favorite is actually that second one: it's a Watson report from notepad.exe; we all know how unreliable that process is.

So now that we've seen that these things happen and that they're very serious, let's talk about some mitigations. We'll start with mitigation number one, and that is ECC on
everything. If you're in this room and you're in charge of a bill of materials for the next mobile device, the next laptop, the next desktop, the next server, please make sure you use ECC memory everywhere. That includes things such as your drive and your NIC and maybe your keyboard controller.

Next mitigation: pre-register domains. This is actually the easiest thing you can do. Since bit-squatting affects a very small percentage of all domain lookups, if you own a really, really popular domain, you also have the most money to register potential bit-squats of that domain. There's actually a quick upper bound on this: if you're only looking at single bit errors, the most possible bit-squats that can exist is six times the amount of letters in your domain. That's only for single bit errors, though. And the great thing about pre-registering is, one, you can do it right now; two, it'll cover all your users, even your users running in some really hot climate with really terrible power supplies and a really bad computer.

And mitigation number three: trust but verify your data. As we noticed earlier, ninety-six percent of these bit errors occurred during the content path. If you're somebody here responsible for building a really large memory caching infrastructure, you should check that what you put in your cache is actually what comes out of the cache when somebody requests it. Please include something like a CRC32 with every cache element; modern CPUs actually have a CRC32 instruction, so performing this should actually be extremely quick, and you're probably going to be bound by network delay anyway. Another place where you should consider doing this is if you're developing mobile devices or something else that's going to work in high-stress environments: please be sure to verify things like the integrity of your outgoing DNS queries.

Some room for future research: previously it's only been possible to bit-squat second-level domain names, but ICANN has approved generic TLDs. It'd be entirely possible for somebody to register .con for conferences, and perhaps you would get a nice slice of the traffic for .com. I was actually talking to somebody at Black Hat, and apparently there's a 300-page guide of rules you have to follow to get one of these things, and they try to preclude similarities, but still, you want to be sure. Another possible issue is Punycode domains. I have not looked into what happens with bit errors in Punycode domains. For those unfamiliar, Punycode is how you would use internationalized characters in domain lookups, but it's quite possible that a bit error in a Punycode domain in one language would actually be a domain in a completely different language, making the attempted use of trademark laws to get it back extremely difficult.

I would like to give a special thanks to a few people, notably Robert Edmonds of ISC, who first noticed DNS bit errors in SIE data; another person is a polar all, who helped me immensely when creating the white paper for this; Aaron LeMasters for acting as the adversarial researcher; the entire Raytheon Rosslyn office for their support and helping me with many multiple reviews; my other patient and supportive reviewers whom I begged to review my slides and my white paper; the DEF CON 19 staff for helping me actually present this to you guys; and everybody who licenses their photography in a Creative Commons format, without you this presentation would not have been possible; and of course to all of you guys who came to see my talk, I greatly appreciate it. And finally, I'd like to say if you want a quick tool to identify which bit-squats of your domain are available, you can get a Python script at dinaburg.org. Thank you.
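Mitigations two and three from the talk, enumerating the single-bit-flip variants of a domain before pre-registering them and checksumming cache contents, as an added Python example. This is not the speaker's own Python script mentioned at the end of the talk; the names `bitsquat_candidates`, `squat_upper_bound` and `VerifiedCache` are this example's own, the ad URL in the demo is constructed, and the enumerator assumes the dots and the TLD stay fixed so that only the registrable labels are mutated.

```python
"""Added example (not the speaker's script): enumerate the single bit-flip
variants of a domain, as a defender would before pre-registering them, and show
a CRC32-checked cache that refuses to serve an entry whose bits have flipped."""
import zlib
from typing import Dict, Set

# Characters a hostname label may contain (letters, digits, hyphen). DNS names
# are case-insensitive, so everything is folded to lowercase before comparing.
_LDH = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def _valid_label(label: str) -> bool:
    """1-63 LDH characters, not starting or ending with a hyphen."""
    return (0 < len(label) <= 63
            and all(ch in _LDH for ch in label)
            and label[0] != "-" and label[-1] != "-")


def bitsquat_candidates(domain: str) -> Set[str]:
    """Every syntactically valid domain exactly one bit away from `domain`.

    Assumption made by this example: the dots and the TLD are left untouched,
    so only the registrable labels are mutated (flipping a dot or the TLD does
    not give a name you could register under the same TLD)."""
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(_valid_label(lb) for lb in labels):
        raise ValueError(f"not a valid domain: {domain!r}")
    head, tld = labels[:-1], labels[-1]
    found: Set[str] = set()
    for li, label in enumerate(head):
        raw = label.encode("ascii")
        for pos in range(len(raw)):
            for bit in range(8):
                flipped = bytearray(raw)
                flipped[pos] ^= 1 << bit
                try:
                    new_label = flipped.decode("ascii").lower()
                except UnicodeDecodeError:
                    continue  # high bit set: not ASCII, never a valid label
                # Flipping the 0x20 bit of a letter only changes its case,
                # which is the same DNS name, so lower() makes it equal and
                # it is skipped along with anything that is not a valid label.
                if new_label == label or not _valid_label(new_label):
                    continue
                found.add(".".join(head[:li] + [new_label] + head[li + 1:] + [tld]))
    return found


def squat_upper_bound(domain: str) -> int:
    """The talk's bound: at most six bit-squats per character of the
    registrable labels (8 bits, minus the high bit, minus the case bit)."""
    labels = domain.lower().split(".")
    return 6 * sum(len(lb) for lb in labels[:-1])


class VerifiedCache:
    """Mitigation three: store a CRC32 beside each entry and refuse to serve
    bytes that no longer match it (this example's own toy cache)."""

    def __init__(self) -> None:
        self._data: Dict[str, bytearray] = {}
        self._crc: Dict[str, int] = {}

    def put(self, key: str, value: bytes) -> None:
        self._data[key] = bytearray(value)
        self._crc[key] = zlib.crc32(value)

    def get(self, key: str) -> bytes:
        value = bytes(self._data[key])
        if zlib.crc32(value) != self._crc[key]:
            raise ValueError(f"cache entry {key!r} failed its integrity check")
        return value

    def flip_bit(self, key: str, byte_index: int, bit: int) -> None:
        """Simulate a DRAM bit flip inside the stored copy (demo only)."""
        self._data[key][byte_index] ^= 1 << bit


def demo_cache_detects_flip() -> bool:
    """Constructed ad URL, then the fbcdn -> fbbdn flip the talk describes
    (bit 0 of the 'c'); returns True when the cache rejects the entry."""
    cache = VerifiedCache()
    url = b"http://profile.ak.fbcdn.net/ads/farm.js"  # constructed sample
    cache.put("ad-url", url)
    cache.flip_bit("ad-url", url.index(b"fbcdn") + 2, 0)
    try:
        cache.get("ad-url")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("microsoft.com", "fbcdn.net", "s0.2mdn.net"):
        squats = bitsquat_candidates(name)
        print(f"{name}: {len(squats)} candidates (bound {squat_upper_bound(name)})")
    print("cache flip detected:", demo_cache_detects_flip())
```

Running it lists, for each of the talk's example domains, how many candidates fall under the six-per-character bound (mic2osoft.com, fbbdn.net, fbgdn.net and s0.2-dn.net all appear), and the flipped cache entry is rejected on read rather than served, which is the check the speaker asks cache builders to add.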