BITSQUATTING

DNSHIJACKINGWITHOUTEXPLOITATION

ARTEMDINABURG
DEFCON19
AboutMe
J
TheProblem
AectedPlaHorms
LowSkill
Cheap
Bitsquatting
LiketyposquaPng,butforbits
TyposquaPng
Thereare
1500dailyDNS
requestsperperson.
Humanstype
3ofthem.
1 0
0 1
01100011 01101110 01101110
01100011 01101111 01101110
01100011011011100110111000101110011000110110111101101101
01100011011011110110111000101110011000110110111101101101
CNN.COM
CON.COM
Heat
CAUSESOFBIT-ERRORS:
iPhoneOperaXngTemperature

0
20
40
60
80
100
120
T
e
m
p
e
r
a
t
u
r
e

(
F
)

LasVegas Montreal iPhone

CAUSESOFBIT-ERRORS:
Electrical
Problems
CAUSESOFBIT-ERRORS:
Defects
CAUSESOFBIT-ERRORS:
CosmicRays
1.0
0.1 -
S 0.01
0.001
-
Cosmic SER
To -
/ ' I
J ' 1
k
Memory , / y) 1
fails \ / ' 1
(scale right) / / 1
^ Chip
radioactivity
(scale left)
1000
100
I
- 10
- 1
- 0.1
1985 1986 1987
Date
10000 -
2 -
4 -
1/4
I
5X lOX
Fail rate -
Cosmic ray flux ^
1/2
M
Z-- Underground:
_ / 7 zero fails in
9 ' five months
Memory SER and LSI chip radioactivity This figure shows a
specific memory module SER from 1985 to 1987. By the end ol
1986 the fail rate was about a factor of five larger than the pre\ lou.s
baseline. By early 1987 the problem was a source of serious
concern, but the cause was unknown. By May 1987, it was clearly
established that the fail rate was isolated to newly manufactured
memories. By measuring chips manufactured weekly over the
previous two years, a historical record of the radioactive
contamination was created. Chip radioactivity was determined to
be negligible before 1986, and then increasing by up to 1000 times
by May 1987. Once the contamination source was identified and
eliminated, no further contamination was found in the
semiconductor factory. All chips started after May 22. 1987, were
found to be clear of any contamination
Shown is a summary of the results for the testing of vanous
memory chips at different altitudes. The solid Une is the prediction
of Ziegler in 1984. The small circles are test results for a 4Kb
SRAM bipolar LSI memory chip, and the triangles are for DRAM
chips. The ordinate shows the altitude of the city for the altitude
experiments, or the shielding for the attenuation experiments. The
abscissa shows the change in fail rate, with unity being sea level.
The SRAM and DRAM results scaled identically with altitude,
with the Leadville fail rate being 13 times the sea-level rate. When
the chips were tested under concrete shielding, the attenuation of
fail rate scaled exponentially with concrete thickness. The final
tests, underground below Kansas City, continued for ten months,
and showed zero fails during this period (figure drawn five months
into the underground experiment). From J. F. Ziegler, H. P.
Muhlfeld, C. J. Montrose, H. W. Curtis, and T. J. O'Gorman, IBM
internal reports, 1989.
Several months passed, with widespread testing of
manufacturing materials and tools, but no radioactive
contamination was discovered. All memory chips in the
manufacturing hnes were spot-screened for radioactivity,
but they were clean. The radioactivity reappeared in the
manufacturing plant in early December 1987, mildly
contaminating several hundred wafers, then disappeared
again. A search of all the materials used in the fabrication
of these chips found no source of the radioactivity. With
further screening, and a lot of luck, a new and unused
bottle of nitric acid was identified by J. Hannah as
radioactive. One surprising aspect of this discovery was
that, of twelve bottles in the single lot of acid, only one
was contaminated. Since all screening of materials
assumed lot-sized homogeneity, this discovery of a single
bad sample in a large lot probably explained why previous
scans of the manufacturing line had been negative. The
unopened bottle of radioactive nitric acid led investigators
back to a supplier's factory, and it was found that the
radioactivity was being injected by a bottle-cleaning
machine for semiconductor-grade acid bottles.'* This bottle
cleaner used radioactive Po^'" material to ionize an air jet
which was used to dislodge electrostatic dust inside the
bottles after washing. The jets were leaking radioactivity
" J. Hannah, IBM internal report, 1987.
' J. F. Ziegler, T. H. Zabel, and J. Hannah, IBM internal report, 1
13
IBM J. RES. DEVELOP. VOL. 40 NO. 1 JANUARY 1996
J. F. ZIEGLER ET AL.
IBMJournalofResearchandDevelopment,vol.40,no.1,page13
Letstalkabout
DRAM
1 10 100 1000 10000 100000
"ultralow"failurerates
160GBitsofDRAM
1Gbit0.25micron
256MBytes
32GbitsofDRAM(CrayYMP-8)
Mfg1,1GBDIMM
Mfg1,2GBDIMM
Mfg1,4GBDIMM
Mfg2,1GBDIMM
Mfg2,2GBDIMM
Mfg3,1GBDIMM
Mfg4,1GBDIMM
Mfg5,2GBDIMM
Mfg6,2GBDIMM
Mfg6,4GBDIMM
MicronEsXmate(256Mbytes)
NiteHawk
some0.13micron
SRAMandDRAM
FailuresinTest(FIT,LogarithmicScale)
DRAMFailureRates
ForaPCwith4GiBofDRAM,
erroresDmatesrangefrom
to
.
600PiB
Experiment:Step1
ikamai.net
aeazon.com
a-azon.com
amazgn.com
microsmft.com
micrgsoft.com
miarosoft.com
iicrosoft.com
microsnft.com
mhcrosoft.com
eicrosoft.com
mic2osoft.com
micro3oft.com
doublechick.net
do5bleclick.net
doubleslick.net

li6e.com
0mdn.net
2-dn.net
2edn.net
2ldn.net
2mfn.net
2mln.net
2odn.net
6mdn.net
fbbdn.net
fbgdn.net
gbcdn.net
fjcdn.net
dbcdn.net
roop-servers.net
gmaml.com

Experiment,Step2
!
"
!"#$%&'()(*+,&($
!-#$%&.()(*+,&($
/01,/12,'3',/44
!-#$%&'()(*+,&($
/01,/12,'3',/44
N
Experiment,Step3
!
"
!"#$%$&##'%()(
&*+,-$./01*+*2,)0*.
&##'%()($343$56#$76859
N
0
200
400
600
800
1000
1200
1400
1600
1800
2
6
-
S
e
p
-
1
0

3
-
O
c
t
-
1
0

1
0
-
O
c
t
-
1
0

1
7
-
O
c
t
-
1
0

2
4
-
O
c
t
-
1
0

3
1
-
O
c
t
-
1
0

7
-
N
o
v
-
1
0

1
4
-
N
o
v
-
1
0

2
1
-
N
o
v
-
1
0

2
8
-
N
o
v
-
1
0

5
-
D
e
c
-
1
0

1
2
-
D
e
c
-
1
0

1
9
-
D
e
c
-
1
0

2
6
-
D
e
c
-
1
0

2
-
J
a
n
-
1
1

9
-
J
a
n
-
1
1

1
6
-
J
a
n
-
1
1

2
3
-
J
a
n
-
1
1

3
0
-
J
a
n
-
1
1

6
-
F
e
b
-
1
1

1
3
-
F
e
b
-
1
1

2
0
-
F
e
b
-
1
1

2
7
-
F
e
b
-
1
1

6
-
M
a
r
-
1
1

1
3
-
M
a
r
-
1
1

2
0
-
M
a
r
-
1
1

2
7
-
M
a
r
-
1
1

3
-
A
p
r
-
1
1

1
0
-
A
p
r
-
1
1

1
7
-
A
p
r
-
1
1

2
4
-
A
p
r
-
1
1

1
-
M
a
y
-
1
1

U
n
i
q
u
e

I
P
s

Date
TracVolume(UniqueIPs)
A
B
C
EventA
lav larmvllle 1
8lL-error:
!!"#$%&'()'#*!+,',&-
2
8equesL Ad from
8lLsquaL server
3
!
4
N
EventB
lav larmvllle 1
8lL-error:
!"#$%&'()*($+!,-(-'.
2
8equesL Ad from
8lLsquaL server
3
!
4
N
EventC
!"#!"#$%&'#'()
$%&'())*)+
!"#!"#$!&'#'()
!+#!"#$%&'#'()
*+,#*,-#$.$#*//
!+#!"#$%&'#'()
*+,#*,-#$.$#*//
,(-.(/&#!0#
!
!
"
#
$
%
&
69.171.163.0/24
N
0
20
40
60
80
100
120
2
6
-
S
e
p
-
1
0

3
-
O
c
t
-
1
0

1
0
-
O
c
t
-
1
0

1
7
-
O
c
t
-
1
0

2
4
-
O
c
t
-
1
0

3
1
-
O
c
t
-
1
0

7
-
N
o
v
-
1
0

1
4
-
N
o
v
-
1
0

2
1
-
N
o
v
-
1
0

2
8
-
N
o
v
-
1
0

5
-
D
e
c
-
1
0

1
2
-
D
e
c
-
1
0

1
9
-
D
e
c
-
1
0

2
6
-
D
e
c
-
1
0

2
-
J
a
n
-
1
1

9
-
J
a
n
-
1
1

1
6
-
J
a
n
-
1
1

2
3
-
J
a
n
-
1
1

3
0
-
J
a
n
-
1
1

6
-
F
e
b
-
1
1

1
3
-
F
e
b
-
1
1

2
0
-
F
e
b
-
1
1

2
7
-
F
e
b
-
1
1

6
-
M
a
r
-
1
1

1
3
-
M
a
r
-
1
1

2
0
-
M
a
r
-
1
1

2
7
-
M
a
r
-
1
1

3
-
A
p
r
-
1
1

1
0
-
A
p
r
-
1
1

1
7
-
A
p
r
-
1
1

2
4
-
A
p
r
-
1
1

1
-
M
a
y
-
1
1

U
n
i
q
u
e

I
P
s

Date
TracVolume,NoOutliers
OSStaXsXcs
89%
2%
3%
<1%
5%
1%
Bitsquats
85%
8%
3%
1%
2%
1%
Wikipedia
Windows Mac iPhone Linux Other Android
BitsquatPopularity
0 500 1000 1500 2000 2500 3000 3500 4000
kbdn.net
gbcdn.net
lcdn.net
mic2osom.com
2mdn.net
doubleslick.net
iicrosom.com
microsmm.com
kcdn.net
msn.com
do5bleclick.net
2-dn.net
amazgn.com
0mdn.net
aeazon.com
a-azon.com
2mln.net
s-msn.com
UniqueIPs
B
i
t
s
q
u
a
t

D
o
m
a
i
n

VisitorsbyCountry
(bitsquatsofMicrosoft.com)
CN
BR
US
GB
IL
IT
DE
RU
IN
JP
FR
TR
UA
EG
CO
CA
PH
KR
TH
PL
LI
MX
ES
TW
PS
WhereBit-errorsHappen
DNS DNS
DB
DNSPath
Content
Path
Bit-errorsontheDNSPath
A? !""#!$%
8lL-error:
A? !!"#!$%
A: !""#!$%
&'(#&()#*+*#&,,
CL1 / P11/1.1
-$./01!""#!$%
!
!
"
#
$
%
&
N
Bit-errorsontheContentPath
8ead Cnn
8lL-error:
<a href="!!!"#!$"#%&/...">
CL1 / P11/1.1
'%()*+#!$"#%&
!
!
"
#
$
N
DomaininHTTPHostHeader
96%
3%
1%
Bitsquat Original Other
MiXgaXons
ECCON
EVERYTHING
MiXgaXons
MiXgaXons
-RonaldReagan
QuesXons?
ImageApribuXon
Slide3:Earth.NASA
Slide4:LogostheirrespecXveowners
Slide5:ChildrensBlocks.FlickrUser:lobo235
Slide6:Dollarbills.FlickrUser:Images_of_Money
Slide10:HAL9000WarnerBrothersPictures
Slide14:HeatLamp.Usingmemoryerrorstoapackavirtualmachineby
GovindavajhalaandAppel,IEEES&P2003
Slide15:DesertSun.FlickrUser:Steve&JemmaCopley
Slide17:BackupPower.DavidRobinson.FlickrUser:dgrobinson
Slide18:FakeCapacitor.FoundonInternet,likelyfromchinauser.cn
Slide19:HomunculusNebula.NASA
Slide21:DRAM.Self
Slide22:SASDrive.Self
Slide24:BSOD.WayneWilliamson.FlickrUser:ka3vo
Slide25:BlueMarble.NASA