Skip to main content
Home › Learn › Lookalike Domains

What is Bitsquatting?

Bitsquatting is an attack that exploits random hardware memory errors (bit-flips) to redirect users to malicious domains, without any action from the victim.

On this page

  1. What is bitsquatting?
  2. Why it matters
  3. How bitsquatting works
  4. Bit-flip examples
  5. How often bit-flips happen
  6. How to protect yourself

What is bitsquatting?

Bitsquatting is a domain squatting attack first documented by researcher Artem Dinaburg at BlackHat 2011. Unlike typosquatting, which relies on human typing errors, bitsquatting exploits random single-bit errors in computer memory.

When a domain name is stored in RAM, a cosmic ray, electrical interference, or faulty hardware can flip a single bit, changing one character in the domain to a different one. If an attacker has registered that bit-flipped domain, the user's request goes to the attacker's server instead.

💡
No user interaction needed: Unlike every other lookalike attack, bitsquatting requires no mistake from the user. The user types the correct URL, but a hardware error silently changes it before the DNS lookup occurs.

Why it matters

🎲

Completely random victims

Bitsquatting affects random users worldwide. It cannot be prevented through user education because the user did nothing wrong.

📊

Scales with traffic

The more traffic a domain receives, the more likely bit-flips will redirect some requests. High-traffic domains like google.com or facebook.com are especially vulnerable.

🔇

Silent and undetectable

Victims have no way of knowing a bit-flip occurred. The misdirected request looks like a normal DNS query from the network's perspective.

📡

Affects all devices

Any device with RAM is susceptible, including phones, IoT devices, routers, and servers. Devices without ECC memory are especially vulnerable.

How bitsquatting works

The attack exploits a fundamental property of how computers store data in memory:

1

Domain is stored in memory

When a user visits a website, the domain name is stored in RAM as a sequence of ASCII character codes (binary numbers).

2

A bit flips in RAM

A cosmic ray, electrical noise, or hardware fault flips a single bit in the stored domain name. For example, the letter "g" (binary 01100111) becomes "f" (binary 01100110) when the lowest bit flips.

3

DNS resolves the wrong domain

The system performs a DNS lookup for the corrupted domain name. If an attacker has registered that domain, the lookup succeeds and returns the attacker's server.

4

Request reaches the attacker

The user's browser connects to the attacker's server, which can serve phishing content, record cookies or credentials, or deliver malware.

Bit-flip examples

Each character in a domain name is represented by 7 meaningful bits (ASCII). Flipping any one bit produces a different character:

Original Binary Bit flipped New binary Result
g 01100111 Bit 0 01100110 f
g 01100111 Bit 3 01101111 o
o 01101111 Bit 3 01100111 g
e 01100101 Bit 1 01100111 g
m 01101101 Bit 0 01101100 l

For a domain like example.com, each of its 7 letter characters has 7 possible single-bit mutations, giving 49 possible bitsquat domains (though not all produce valid domain characters).

💡
Only valid characters matter: A bit-flip that produces a non-alphanumeric character (like a control character) won't result in a valid domain name. Attackers only register domains where the bit-flip produces a valid domain character (a-z, 0-9, hyphen).

How often bit-flips happen

Bit-flips are more common than most people realize. Research shows that a typical server with non-ECC RAM experiences approximately one bit error per gigabyte of memory per year. With billions of devices connected to the internet, this adds up to a significant number of daily bit-flips affecting domain lookups.

⚠️
Proven in practice: In his original research, Dinaburg registered 32 bitsquat domains for popular sites and logged over 52,000 misdirected requests over 8 months, with traffic patterns matching what random bit-flips would predict. This was real, accidental traffic from real users.

Devices most susceptible to bitsquatting include mobile phones (which typically lack ECC memory), consumer laptops, IoT devices, and embedded systems. Server-grade hardware with ECC memory can detect and correct single-bit errors, making it largely immune.

How to protect yourself

Register bitsquat domains defensively

Identify the valid single-bit mutations of your domain name and register the most plausible ones. This prevents attackers from exploiting them.

Monitor for bitsquat registrations

Use Domain Guarddog to detect when someone registers a bitsquat variant of your domain. These are flagged as medium-risk threats.

Use HTTPS everywhere

HTTPS with HSTS prevents bitsquat domains from intercepting traffic because the TLS certificate won't match the bitsquatted domain name.

Deploy ECC memory on servers

Error-Correcting Code memory detects and corrects single-bit errors, preventing bitsquatting at the hardware level for your own infrastructure.

Detect bitsquat domains targeting your brand

Domain Guarddog generates and monitors all valid bitsquat permutations of your domain and alerts you when threats are detected.

Get Started Free