BITSQUATTING: DNS HIJACKING WITHOUT EXPLOITATION, ARTEM DINABURG, DEFCON 19

Mar 07, 2015

Page 1: DEFCON 19 Dinaburg Bit Squatting

BITSQUATTING  

DNS  HIJACKING  WITHOUT  EXPLOITATION    

ARTEM  DINABURG  DEFCON  19  

Page 2: DEFCON 19 Dinaburg Bit Squatting

About  Me  

:)

Page 3: DEFCON 19 Dinaburg Bit Squatting

The  Problem  

Page 4: DEFCON 19 Dinaburg Bit Squatting

Affected Platforms

Page 5: DEFCON 19 Dinaburg Bit Squatting

Low Skill

Page 6: DEFCON 19 Dinaburg Bit Squatting

Cheap  

Page 7: DEFCON 19 Dinaburg Bit Squatting

Bitsquatting: Like typosquatting, but for bits

Page 8: DEFCON 19 Dinaburg Bit Squatting

Typosquatting

Page 9: DEFCON 19 Dinaburg Bit Squatting

There are 1500 daily DNS requests per person.

Humans type 3 of them.

Page 10: DEFCON 19 Dinaburg Bit Squatting
Page 11: DEFCON 19 Dinaburg Bit Squatting

1   0

0 1

Page 12: DEFCON 19 Dinaburg Bit Squatting

01100011  01101110  01101110  

01100011  01101111  01101110  

Page 13: DEFCON 19 Dinaburg Bit Squatting

01100011011011100110111000101110011000110110111101101101  

01100011011011110110111000101110011000110110111101101101  

 C      N      N      .    C      O      M  

 C      O      N      .      C      O      M  
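
The single-bit difference between cnn.com and con.com shown on this slide can be checked mechanically against names seen in DNS or proxy logs. The Python below is an added example, not part of the talk; the PROTECTED list, the function names and the OBSERVED sample are assumptions constructed for illustration.

```python
from collections import Counter

# Names to protect: originals of bitsquats shown in the talk (assumed watch list).
PROTECTED = ("cnn.com", "microsoft.com", "amazon.com", "doubleclick.net")

def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the optional trailing root dot."""
    return name.lower().rstrip(".")

def tail_for(name: str, dom: str) -> str:
    """Keep as many trailing labels of `name` as `dom` has (www.con.com -> con.com)."""
    return ".".join(normalize(name).split(".")[-(dom.count(".") + 1):])

def bit_distance(a: str, b: str) -> int:
    """Count differing bits between two equal-length ASCII names (-1 if not comparable)."""
    a, b = normalize(a), normalize(b)
    if len(a) != len(b) or not (a.isascii() and b.isascii()):
        return -1
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))

def bitsquat_of(name: str, protected=PROTECTED):
    """Return the protected domain that `name` is exactly one bit away from, else None."""
    for dom in protected:
        if bit_distance(tail_for(name, dom), dom) == 1:
            return dom
    return None

def classify(name: str, protected=PROTECTED) -> str:
    """Label an observed name as 'original', 'bitsquat' or 'other'."""
    if any(tail_for(name, dom) == dom for dom in protected):
        return "original"
    return "bitsquat" if bitsquat_of(name, protected) else "other"

# Constructed sample of observed names (not real log data).
OBSERVED = ["con.com", "CNN.com", "www.con.com", "mic2osoft.com",
            "a-azon.com", "doubleslick.net", "example.org", "cnn.com."]

def summarize(names):
    """Tally observed names per class."""
    return Counter(classify(n) for n in names)

if __name__ == "__main__":
    for n in OBSERVED:
        print(f"{n:18} {classify(n):9} {bitsquat_of(n) or '-'}")
    print(dict(summarize(OBSERVED)))
```

Names are lower-cased before comparison, so a flip of the ASCII case bit (0x20) is counted as the original name rather than as a bitsquat.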

Page 14: DEFCON 19 Dinaburg Bit Squatting
Page 15: DEFCON 19 Dinaburg Bit Squatting

CAUSES OF BIT-ERRORS:

Heat

Page 16: DEFCON 19 Dinaburg Bit Squatting

iPhone Operating Temperature

[Chart: Temperature (F), axis 0 to 120, for Las Vegas, Montreal and iPhone]

Page 17: DEFCON 19 Dinaburg Bit Squatting

CAUSES OF BIT-ERRORS:

Electrical  Problems  

Page 18: DEFCON 19 Dinaburg Bit Squatting

CAUSES OF BIT-ERRORS:

Defects  

Page 19: DEFCON 19 Dinaburg Bit Squatting

CAUSES OF BIT-ERRORS:

Cosmic  Rays  

Page 20: DEFCON 19 Dinaburg Bit Squatting

[Figure: two plots from the scanned journal page. First plot: memory fails (scale right), chip radioactivity (scale left) and cosmic SER versus date, 1985 to 1987. Second plot: fail rate versus cosmic ray flux; underground: zero fails in five months.]

Memory SER and LSI chip radioactivity. This figure shows a specific memory module SER from 1985 to 1987. By the end of 1986 the fail rate was about a factor of five larger than the previous baseline. By early 1987 the problem was a source of serious concern, but the cause was unknown. By May 1987, it was clearly established that the fail rate was isolated to newly manufactured memories. By measuring chips manufactured weekly over the previous two years, a historical record of the radioactive contamination was created. Chip radioactivity was determined to be negligible before 1986, and then increasing by up to 1000 times by May 1987. Once the contamination source was identified and eliminated, no further contamination was found in the semiconductor factory. All chips started after May 22, 1987, were found to be clear of any contamination.

Shown is a summary of the results for the testing of various memory chips at different altitudes. The solid line is the prediction of Ziegler in 1984. The small circles are test results for a 4Kb SRAM bipolar LSI memory chip, and the triangles are for DRAM chips. The ordinate shows the altitude of the city for the altitude experiments, or the shielding for the attenuation experiments. The abscissa shows the change in fail rate, with unity being sea level. The SRAM and DRAM results scaled identically with altitude, with the Leadville fail rate being 13 times the sea-level rate. When the chips were tested under concrete shielding, the attenuation of fail rate scaled exponentially with concrete thickness. The final tests, underground below Kansas City, continued for ten months, and showed zero fails during this period (figure drawn five months into the underground experiment). From J. F. Ziegler, H. P. Muhlfeld, C. J. Montrose, H. W. Curtis, and T. J. O'Gorman, IBM internal reports, 1989.

Several months passed, with widespread testing of manufacturing materials and tools, but no radioactive contamination was discovered. All memory chips in the manufacturing lines were spot-screened for radioactivity, but they were clean. The radioactivity reappeared in the manufacturing plant in early December 1987, mildly contaminating several hundred wafers, then disappeared again. A search of all the materials used in the fabrication of these chips found no source of the radioactivity. With further screening, and a lot of luck, a new and unused bottle of nitric acid was identified by J. Hannah as radioactive. One surprising aspect of this discovery was that, of twelve bottles in the single lot of acid, only one was contaminated. Since all screening of materials assumed lot-sized homogeneity, this discovery of a single bad sample in a large lot probably explained why previous scans of the manufacturing line had been negative. The unopened bottle of radioactive nitric acid led investigators back to a supplier's factory, and it was found that the radioactivity was being injected by a bottle-cleaning machine for semiconductor-grade acid bottles. This bottle cleaner used radioactive Po-210 material to ionize an air jet which was used to dislodge electrostatic dust inside the bottles after washing. The jets were leaking radioactivity

Footnotes: J. Hannah, IBM internal report, 1987. J. F. Ziegler, T. H. Zabel, and J. Hannah, IBM internal report, 1

IBM J. RES. DEVELOP. VOL. 40 NO. 1 JANUARY 1996 J. F. ZIEGLER ET AL.

IBM  Journal  of  Research  and  Development,  vol.  40,  no.  1,  page  13  

Page 21: DEFCON 19 Dinaburg Bit Squatting

Let's talk about DRAM

Page 22: DEFCON 19 Dinaburg Bit Squatting
Page 23: DEFCON 19 Dinaburg Bit Squatting

DRAM Failure Rates

[Bar chart. Axis: Failures in Test (FIT, Logarithmic Scale), 1 to 100000. Bars: "ultra low" failure rates; 160GBits of DRAM; 1Gbit 0.25 micron; 256MBytes; 32 Gbits of DRAM (Cray YMP-8); Mfg 1, 1GB DIMM; Mfg 1, 2GB DIMM; Mfg 1, 4GB DIMM; Mfg 2, 1GB DIMM; Mfg 2, 2GB DIMM; Mfg 3, 1GB DIMM; Mfg 4, 1GB DIMM; Mfg 5, 2GB DIMM; Mfg 6, 2GB DIMM; Mfg 6, 4GB DIMM; Micron Estimate (256 Mbytes); Nite Hawk; some 0.13 micron; SRAM and DRAM]

Page 24: DEFCON 19 Dinaburg Bit Squatting

For a PC with 4GiB of DRAM, error estimates range from

 to    

.  

Page 25: DEFCON 19 Dinaburg Bit Squatting

600  PiB  

Page 26: DEFCON 19 Dinaburg Bit Squatting

Experiment: Step 1

ikamai.net aeazon.com a-azon.com amazgn.com

microsmft.com micrgsoft.com miarosoft.com iicrosoft.com microsnft.com mhcrosoft.com eicrosoft.com mic2osoft.com micro3oft.com doublechick.net do5bleclick.net doubleslick.net

li6e.com 0mdn.net 2-dn.net 2edn.net 2ldn.net 2mfn.net 2mln.net 2odn.net 6mdn.net fbbdn.net fbgdn.net gbcdn.net fjcdn.net dbcdn.net

roop-servers.net gmaml.com

 

Page 27: DEFCON 19 Dinaburg Bit Squatting

Experiment,  Step  2  


Page 28: DEFCON 19 Dinaburg Bit Squatting

Experiment,  Step  3  


Page 29: DEFCON 19 Dinaburg Bit Squatting

Traffic Volume (Unique IPs)

[Chart: Unique IPs (axis 0 to 1800) versus Date (26-Sep-10 to 1-May-11), with points labeled A, B and C]

Page 30: DEFCON 19 Dinaburg Bit Squatting

Event  A  


Page 31: DEFCON 19 Dinaburg Bit Squatting

Event  B  


Page 32: DEFCON 19 Dinaburg Bit Squatting

Event C


69.171.163.0/24  


Page 33: DEFCON 19 Dinaburg Bit Squatting

Traffic Volume, No Outliers

[Chart: Unique IPs (axis 0 to 120) versus Date (26-Sep-10 to 1-May-11)]

Page 34: DEFCON 19 Dinaburg Bit Squatting

OS Statistics

Bitsquats: 89%, 2%, 3%, <1%, 5%, 1%

Wikipedia: 85%, 8%, 3%, 1%, 2%, 1%

Legend: Windows, Mac, iPhone, Linux, Other, Android

Page 35: DEFCON 19 Dinaburg Bit Squatting

Bitsquat Popularity

[Bar chart: Unique IPs (axis 0 to 4000) per Bitsquat Domain. Domains: kbdn.net, gbcdn.net, lcdn.net, mic2osoft.com, 2mdn.net, doubleslick.net, iicrosoft.com, microsmft.com, kcdn.net, msn.com, do5bleclick.net, 2-dn.net, amazgn.com, 0mdn.net, aeazon.com, a-azon.com, 2mln.net, s-msn.com]

Page 36: DEFCON 19 Dinaburg Bit Squatting

Visitors  by  Country  (bitsquats  of  Microsoft.com)  

CN BR US GB IL IT DE RU IN JP FR TR UA EG CO CA PH KR TH PL LI MX ES TW PS

Page 37: DEFCON 19 Dinaburg Bit Squatting

Where Bit-errors Happen

DNS DNS

DB

DNS  Path  

Content  Path  

Page 38: DEFCON 19 Dinaburg Bit Squatting

Bit-errors on the DNS Path


Page 39: DEFCON 19 Dinaburg Bit Squatting

Bit-errors on the Content Path


Page 40: DEFCON 19 Dinaburg Bit Squatting

Domain  in  HTTP  Host  Header  

96%  

3%   1%  

Bitsquat   Original   Other  

Page 41: DEFCON 19 Dinaburg Bit Squatting

Mitigations

ECC  ON    EVERYTHING  

Page 42: DEFCON 19 Dinaburg Bit Squatting

Mitigations

Page 43: DEFCON 19 Dinaburg Bit Squatting

Mitigations

- Ronald Reagan

Page 44: DEFCON 19 Dinaburg Bit Squatting

Questions?

Page 45: DEFCON 19 Dinaburg Bit Squatting

Image Attribution

• Slide 3: Earth. NASA
• Slide 4: Logos © their respective owners
• Slide 5: Childrens Blocks. Flickr User: lobo235
• Slide 6: Dollar bills. Flickr User: Images_of_Money
• Slide 10: HAL 9000 © Warner Brothers Pictures
• Slide 14: Heat Lamp. “Using memory errors to attack a virtual machine” by Govindavajhala and Appel, IEEE S&P 2003
• Slide 15: Desert Sun. Flickr User: Steve & Jemma Copley
• Slide 17: Backup Power. David Robinson. Flickr User: dgrobinson
• Slide 18: Fake Capacitor. Found on Internet, likely from chinauser.cn
• Slide 19: Homunculus Nebula. NASA
• Slide 21: DRAM. Self
• Slide 22: SAS Drive. Self
• Slide 24: BSOD. Wayne Williamson. Flickr User: ka3vo
• Slide 25: Blue Marble. NASA