My name is Jason. This talk is on examining the bitsquatting attack surface. For those of you who are regular DEF CON attendees, you may remember a talk from a couple of years ago. There was a talk by a man by the name of Artem Dinaburg. He published a talk on bitsquatting and registered several domains which ended up getting traffic, and kind of showed that it worked. So if you know what typosquatting is, then you'll be able to understand the concept of bitsquatting. It's not a whole lot different. So where typosquatting is registering a domain name that is maybe confusingly similar, where somebody might mistype on a keyboard, bitsquatting involves actually registering domain names that are one binary digit different. So if you think about the way domain names are represented in the memory of the computer, most computers use ASCII. And so there's going to be a series of binary digits that represent each character that forms the domain name. And I've got an example here where twitter.com can flip a bit and become twitte2.com. So really there's nothing fancy about this attack. It really involves nothing more than registering domain names. But this was a great talk and I was really impressed by it, and hats off to Artem Dinaburg for being the first one to bring it to everyone's attention. This is a view of the ASCII table, at least a lot of the characters that are in the ASCII table and their binary representation. I'm purposely not showing things like the ASCII control characters. Actually, ASCII was a specification that was built a long time ago, back in the late 50s and early 60s, back when we still had printing teletype machines. So several character codes that are in the 7-bit ASCII table are things like line feed control codes and various other control codes like delete.
When you had a printing tape and you made an error, the reason why all ones in 7-bit ASCII is the delete character is because they would just print ones all the way across, and that would signify we made a mistake, and would let them move on in terms of the printing teletype. So there were actually people who argued, back during the beginning when they were making the ASCII specification, that they shouldn't include lowercase characters at all. Other people were arguing that we should have the lowercase letters interleaved with the uppercase: you might have a big A, a little a, and so on. But this ended up being the final sort of ASCII specification. It got picked up in the early 80s with the advent of personal computers, but this is really where we get the landscape which makes bitsquatting possible. And in my previous example, the r in twitter I've highlighted here; you can actually see that there are several other characters that are part of the table which are different only by one digit. If you were to flip a zero into a one or a one into a zero, you could get all of these other things. And so what Artem Dinaburg did was he registered a bunch of domains and proved that he was able to get traffic that was being misdirected his way as a result of memory errors, errors that occur in RAM which are passed into whatever application, usually your web browser, that's doing the most damage. He did talk about some of the causes. So these are the main causes of bitsquatting errors, or bit errors in memory. Cosmic rays, you know, they're quite frequently hitting the earth, 10,000 per square meter per second. Heat: I think the upper range on the iPhone operating temperature is only 95 degrees. So if you've been carrying your iPhone around Vegas, you've been exceeding those operational parameters.
There's an interesting paper that came out earlier this year about nuclear explosions, and using DNS requests and bit errors in the DNS requests to actually determine when low-yield nukes have been exploded. And then finally, also defects in manufacturing. So as I started thinking about this, I thought it was a really unique idea. Typically, I'm used to being the one making the mistakes and having all the problems boil down to human errors, missing a semicolon in your program or whatever. This is the type of thing where you've done everything right, but because of an error in the memory, all of a sudden your traffic is going to some other place that you didn't even intend for it to go. And so one of the characters that's particularly fascinating is the letter n, which by a flip of one bit can become the dot. And while that's not one of the necessary characters according to the RFC for DNS names, it does separate the various parts of a DNS name. So if we have an n inside of a domain name that can become a dot, you can do some interesting things, like the domain name windowsupdate. If you take that first n and convert it into a dot, you end up with the domain name dowsupdate.com, similarly with the Symantec LiveUpdate. And so we registered some of these. And these were some of the queries that we were getting from the Internet. Lots of people looking to download Windows Updates, but instead of going to Windows Update, they were going to our domain, dowsupdate. And again, here's a similar example for the Symantec LiveUpdate. You can see that the n flipping into a dot causes their traffic to be directed to us instead. Because it's bidirectional, you can also have dots that flip into becoming a letter n. So one of the best examples that we registered was the ytimg.com. They use this content delivery network in a lot of their domain names, I mean, in a lot of their web pages, to serve content.
And what we did was replace the dot that separates the third-level subdomain name from the second level, and then registered the entire thing. So we've registered snytimg.com. Another interesting one was the state of New York. So every state in the United States has a state.something.us. You can basically replace that second dot there from the right with a letter n and see some traffic. So here's an example from YouTube. It actually has a Referer from YouTube. And this was going to our snytimg.com domain. And here's an example. The OMH subdomain is actually a real subdomain at the state of New York. It's the Office of Mental Health. But we were getting lots of different requests from them. So outside of the characters that are within a domain name itself, there are other ways that we found. And part of the inspiration for this idea came from this slide, which was originally published by Artem Dinaburg in his 2011 research. And if you look at this graph, you'll see that the most popular bitsquat domains that he registered all happen to be associated with web applications. And so I started thinking about that a little bit more. And here's the general structure for any URL, an HTTP URL. And you'll notice that there's a scheme, host name, path, and so on. But there are a couple of places, and I'll highlight them here in red, where we have forward slashes. And so if you think about bitsquats, the context in which they most likely appear is going to be inside of web links. And there's a relationship between the letter o and the forward slash, where by the flip of one digit, one becomes the other. And so how can we use this? Well, if you've got a domain with the letter o in it in the right place, you can actually attack domains which weren't possible before. So you see, I've got some examples here in the .mil top-level domain. I've also got some examples in .edu.
These are protected domains where I wouldn't be able to register a domain ordinarily, but by taking advantage of the nature of the o inside the domain flipping to a slash, what happens is it ends up cutting off the URL early. And the traffic ends up going to some international or country code level domain. And so we've got several examples here. Here's an example of an .edu. This was this first example, ecampus.phoenix.edu. And so we registered ecampus.ph. And here was actually a request. Somebody has a smartphone and they've got an icon on their home screen. And whenever they click the home screen, one of the byproducts is refetching the Apple touch icons. And so that's actually what you're seeing here represented in this request, as a request for the Apple touch icons. We got similar stuff from some other domains, but I'm going to leave those examples. Those examples are in the white paper. Continuing in the bidirectional nature, not only can you have an o turn into a slash, but you can have slashes turn into the letter o. And why is this important? Well, the browser actually allows, or kind of silently fixes, errors that might occur as a result of this. So if you can imagine, you've got a domain like slashdot here. But imagine that the second slash from the left turns into a letter o by virtue of a bit error. What happens is the browser sees http colon and a single slash and then a domain name and thinks, this must be an error, I really need to take you to this domain, oslashdot. So it will actually help redirect you to the wrong place. And here's an example of that. Again, someone fetching their Apple touch icons. They've got a slashdot web link basically stored on the home screen of their phone. I'm seeing a lot of traffic from mobile devices, honestly. Let's see, am I going the right way? Okay, so we've got additional URL delimiters that are possible. So the letter c has a relationship with the pound character.
And people that work in URLs will be familiar with the pound character. It basically shows you where you've got an anchor tag. So if you can imagine a full host name with a letter c in it at the right place, when that c turns into an anchor tag, it actually cuts short the domain. And a couple of really interesting examples here: pki.nrc.gov, that's the Nuclear Regulatory Commission. I actually did buy that domain so no one else would be able to. pki.nr is in Nauru. It took a while for them to register some of these domains, by faxing a paper in and stuff like that. So some of these country code registries are a little bit less organized than others, let's say. But some others here: we've got cdc.gov, which happens to have a bitsquat at emergency.cd, which is the Democratic Republic of Congo, and uscg.mil and .us, so some interesting examples there. This is an example here basically showing that the browser will happily, and if you see in the location tag it's going to a .us domain name, that's what the browser is basically helpfully correcting for us and sending us to the wrong place. Let's see. This here is, yes, another example. This is an interesting one: the c, even if it has a dot before it, will still work. And if you look at the location bar here, you'll see the real location that you would be going to if in fact the c in .cn was to flip into an anchor tag. So these techniques will still work even with errors in the browser. So these are interesting URLs and the domain delimiters, but we also took a look at the top-level domains. So most of the top-level domains don't have bitsquats, .com, .net, and so on. There are some; .pro and .coop are the exceptions. They actually have an o-based slash sort of bitsquat present. But the ccTLD bitsquats have several, depending on where you're at. So there are some domains that have no bitsquats in the country code space, and some that have several.
In fact, the Ivory Coast has 10 different valid country code level bitsquats. And so what's sort of possible with this? Well, we've registered a domain name based on the kremlin.ru domain, but instead of .ru we registered .re, which is Réunion Island. We got this request for a news page, basically, and so I pulled up the corresponding page inside of the kremlin.ru page just to show that, yes, this was a real news page that someone was requesting, but they were coming to kremlin.re instead, which, we weren't going to be able to serve that content. I have here another domain that we registered for this test. europa.eu is the European Parliament. And so we registered europa.mu, and you can see we're getting a bunch of MX requests here for europa.mu. These are all valid subdomains at europa.eu, by the way. Here are some SIP DNS requests from the German federal government. So we registered a couple of different domains there, bun.ee, which also happens to be a typosquat as well as a bitsquat, but we also registered bun.dm, and we were seeing similar things out of both of those. I think I might have another example. Here are some MX requests. If you were to look up the IP addresses on some of these, you'll note that some of these requests were coming from inside of the government of Germany itself. So what about all the new generic top-level domains that are coming out? What could be possible there? Well, using some of these previous techniques, you could actually register a bitsquat which would allow you to bitsquat the entire top-level domain. And I've got a few here. I think one of the most interesting out of this list is .exchange, which is supposed to be used for financial exchanges. So if you were able to register this xj.ge in Georgia, you could potentially receive bitsquats for any domain registered under .exchange. There are some other bitsquats that are possible in the new generic top-level domains. These are based on the letter o.
And you can see I've got several here, like .boo, .bio, and the corresponding country code top-level domain where those bitsquats exist. As well as ones based on the letter c. So I'll leave these here as reference. So something more about the ccTLD bitsquats. There were some interesting ones, and you would think at a domain name registry like .uk, where they only allow protected, you know, it's a fairly protected registrar. You can only register third-level domains at .uk. It's got to be something, you know, .co.uk, .net.uk, and so on. So it turns out that .uk has a one-bit error and you become .tk. And so I started looking at what was available at .tk. And there are several of these. Probably the most interesting out of this list is the MOD, which is the Ministry of Defense in the UK. So I could, I didn't register this. I think they've registered it now, so it's not available anymore. But mod.tk was available for a while, and you could have potentially been eavesdropping on the Ministry of Defense. But there are several others, and these all match the corresponding second-level registration at .uk. So you could potentially get quite a lot of traffic there. So just kind of closing up here, you know, this is obviously, there are a lot of domains out there which are possible to bitsquat, and even in protected registries like .gov and so on. So far the current mitigations were to use ECC memory or buy up all the domains so that no one else could register them. But I think that there are some better ways around that. So one of the ways that we actually saw used in practice, and I don't know that they were necessarily doing this on purpose, was Amazon uses kind of a roving domain sort of defense here. And if you look at the source code from some Amazon pages, you'll notice that they have this domain cloudfront.net. And normally the o in cloudfront would make these perfect bitsquat domains, based on the letter o flipping to a slash, in the country code .cl, which is Chile.
But what they do is, if you look at that third-level hostname, that third-level hostname changes every time they recompile some code there. I don't know exactly why it changes, but it changes about every month. And so if you were to go out and register one of these domain names, you probably wouldn't get much traffic in the month before it changes. So I thought that was an interesting defense. I also noticed that a lot of these bitsquatting problems happen as a result of URLs and web applications. And so limiting the number of times that the URL actually appears can help you. So instead of using absolute links, if you use relative links, then you're not going to be putting the domain name in the link. And web pages are stored in memory basically the exact same way that they're written originally. So that can help you. And also using capital letters: the capital letters don't have the same equivalent bitsquats as lowercase. So using capital letters in some cases can help you avoid certain bitsquats. But possibly the best mitigation is a response policy zone. So with a response policy zone, you configure your DNS server to look for requests that might be one bit different. And I have an example here of PayPal. If you had an RPZ, you might look at a request coming to you for a PayPal and think, that's probably a one-bit error. And I'm going to silently return from my DNS resolver a "no such domain". Or maybe redirect them to a walled garden. So in that case, you do have to be careful of false positives, though. Like this: raypal.com is a real site. So to that end, you definitely have to monitor for false positives when you're using this technique. But configuring this at your DNS resolver basically takes DNS out from the ability of the attackers to be able to register the domains in the first place, or de-incentivizes that. And to that extent, we do have an RPZ generation script.
So if you have a list of fully qualified domain names you want to turn into an RPZ and deploy on your resolver, we're releasing a Perl script to help you do that. It's also going to be available on the Cisco blog page. I've got a blog page that's coming out just in a little bit here, in about 10 minutes. And you'll be able to download the code from there as well. So I hope that you found some of these new bitsquatting attacks interesting. And I really hope that people are going to go out and try to do something as far as fixing up the resolvers and making this problem go away. Because if more people did that, then bitsquatting wouldn't really be an issue at all. So thank you.
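The following is an added example and is not the speaker's Perl script, nor any Cisco code. It is a Python sketch that pulls together the points made in the talk: it enumerates the single-bit neighbours from the 7-bit ASCII table, sorts the variants of a hostname into the classes described above (a plain bitsquat that is still a valid hostname, an n that becomes a dot, an o that becomes a slash, a c that becomes a pound sign), shows why spelling a URL in capital letters removes the delimiter cases, and turns a list of fully qualified domain names into a response policy zone with an allow list for false positives such as raypal.com. The domain names used are the ones mentioned in the talk; the zone name bitsquat.rpz, the walled-garden host sinkhole.example and the extra '?' terminator (one bit away from the digit 7) are assumptions of this example.

```python
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen).
HOST_CHARS = set(string.ascii_lowercase + string.digits + "-")
# Characters that end the host part of a URL. '/' (from 'o') and '#' (from 'c')
# are the talk's cases; '?' is an addition here, since the digit '7' is one bit from it.
URL_TERMINATORS = {"/": "slash", "#": "hash", "?": "query"}


def bit_neighbors(ch):
    """Characters one bit away from ch in 7-bit ASCII (the talk's table)."""
    return [chr(ord(ch) ^ (1 << b)) for b in range(7)]


def valid_hostname(name):
    """Minimal LDH check: non-empty labels, no leading or trailing hyphen."""
    return all(lab and lab[0] != "-" and lab[-1] != "-" for lab in name.split("."))


def classify(host):
    """Group every single-bit variant of host by what it would take to catch it.

    hostname           : still a valid hostname, the classic bitsquat
    dot                : a letter became '.', exposing a new domain to its right
    slash, hash, query : the URL's host part is cut short at the flipped byte
    """
    host_lc = host.lower()
    out = {k: set() for k in ("hostname", "dot", "slash", "hash", "query")}
    for i, ch in enumerate(host):
        for flipped in bit_neighbors(ch):
            if flipped.lower() == ch.lower():
                continue  # only the case bit changed; DNS is case-insensitive
            if flipped.lower() in HOST_CHARS:
                cand = host_lc[:i] + flipped.lower() + host_lc[i + 1:]
                if valid_hostname(cand):
                    out["hostname"].add(cand)
            elif flipped == "." and 0 < i < len(host) - 1 and host[i + 1] != ".":
                out["dot"].add(host_lc[i + 1:])  # the name a squatter would register
            elif flipped in URL_TERMINATORS:
                truncated = host_lc[:i].rstrip(".")  # what the browser treats as the host
                if truncated:
                    out[URL_TERMINATORS[flipped]].add(truncated)
    return out


def rpz_zone(fqdns, allow=(), origin="bitsquat.rpz", walled_garden=None):
    """Emit a BIND-style response policy zone for the valid-hostname bitsquats
    of fqdns: 'CNAME .' answers NXDOMAIN, or a CNAME to walled_garden if given.
    Names in allow (known-good sites such as raypal.com) are left untouched so
    the zone does not create the false positives the talk warns about.
    """
    allow = {a.lower().rstrip(".") for a in allow}
    target = walled_garden.rstrip(".") + "." if walled_garden else "."
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 900 1209600 300",
        "@ IN NS localhost.",
    ]
    blocked = set()
    for fqdn in fqdns:
        fqdn = fqdn.lower().rstrip(".")
        blocked |= classify(fqdn)["hostname"] - allow - {fqdn}
    for name in sorted(blocked):
        lines.append(f"{name} CNAME {target}")
        lines.append(f"*.{name} CNAME {target}")  # also catch subdomains of the squat
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ("windowsupdate.com", "ecampus.phoenix.edu", "pki.nrc.gov", "WINDOWSUPDATE.COM"):
        print(name, {k: sorted(v) for k, v in classify(name).items() if v})
    print(rpz_zone(["paypal.com"], allow=["raypal.com"]))
```

The generated zone can be loaded into a resolver that supports RPZ (for example through BIND's response-policy statement) and the allow list extended as false positives turn up in the logs. Only the hostname class is written into the zone on purpose: the dot and truncation classes are reported so you can see which registrable names a flip would expose (dowsupdate.com, ecampus.ph, pki.nr), but blocking those at the resolver would also cut off any legitimate site that happens to live at such a name.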