Bitsquatting Is Alive and Well

| January 24, 2014

bitsquatting-screenshotReading the recently released Cisco Annual Security Report, I paused on page 50 where the author talks about bitsquatting.  It seems this topic continues to ruminate in cybersecurity circles, recalling this paper from Black Hat in 2011.  So we spent a few hours yesterday poking around to examine some registration patterns related to bitsquatting.

A bit, or binary unit, is how computers communicate. Computers aren’t perfect, and bit data can get corrupted within systems or across communications.  Which means it can get corrupted in DNS resolution.  One bit error in the communication of a DNS request and the response will come back different.  Every letter of the alphabet can get corrupted in up to 8 possible ways, one each for each bit in a letter.  Not all of the resulting bit series to which these translate will be alphanumeric, but some are.  For example, the letter “t” can error to the number 4.  And a “.” (dot) can error to the letter n.

What does this mean?  It means that in very rare cases, someone that types in the domain name will end up requesting due to bit corruption.  And so on.  And as that 2011 paper notes, by aggregating a lot of bitsquatted domains on some very popular website names, one can accumulate a material amount of error traffic.

In the screenshot above we ran the domain against our bit-toggling tool and indeed nearly all the alphanumeric permutations are already registered, including  The same is true for most of the top Alexa sites.

Obviously, there is some overlap between what might be a bitsquat domain and what might be a fat-finger keyboard proximity typo (nota bene:  DomainTools has a typo tool as well here).  If you want a clear example of bitsquatting, look for any domain that starts with wwwn, because as I noted above the dot corrupts to the letter n.  So a bitsquat of is  That domain is registered, but not by Google.

At some point we’ll put our bit-toggle analysis tool up in our LABS area (reminder, Pro and Enterprise customers can request access to the research tools in LABS that are not publicly available).  While not nearly the problem that more overt types of DNS-based trademark abuse is, clients interested in protecting their brand online might want to keep this variant in mind.  We’ve done some additional analyses of some very high traffic hostnames and the results are pretty interesting.  More on that in another blog post.



Category: Bitsquatting, Domain Typo Generator, Domainers, security

About the Author ()

Tim Chen has been the CEO of DomainTools since its 2009 spin-out into an independent company. Tim has over 15 years experience as a sales and operations executive in internet-driven businesses, including 8 in the domain name and DNS space. Prior to this Tim spent seven years in business development executive roles with Internet and software companies in the Bay Area, and four years in the Corporate Finance group at J.P. Morgan in New York. Originally from Rochester, New York, Tim is a graduate of Haverford College and Stanford business school. When not in the office you can usually find Tim on his bike, on his surfboard (or falling off it), or sequestered away reading entirely too much about the Buffalo Bills' draft prospects.

Comments are closed.