One rather insidious one I'd never considered prior was that lowercase n is one bit from '.'. So you can also bitsquat on things like, say, wwwngoogle.com or mailngoogle.com.<p>A researcher brought this to my attention years ago with a set of domains in particular I won't name. What was most interesting to me is just how frequent bit errors must happen. According to the research, they'd basically received thousands of emails destined for the correct domain. Really makes you think.
DoD address range is not so mysterious: it’s 11.0.0.0/8, and it’s not been seen on the internet. So it is extremely tempting to take one’s 10.0.0.0/8 and turn it into 10.0.0.0/7.<p>I would bet this is what is going on there - a large network who decided to take a shortcut with addressing, no evilz haxxorz.
The buried lede here is what's going on with Baidu. Presumably the initial erroneous request was typed into a browser, does Baidu operate a browser in China? Do they operate a portion of the backbone network infrastructure, and are inspecting traffic?<p>If not, how could they possibly have identified this as a target for crawling, unless perhaps they are being fed traffic by the Great Firewall?
Oh snap, this was news to MSFT? How did they not register bitflips of windows.com and microsoft.com?<p>I think I checked this like 10 years ago, and Google had. (well, except the infinite set of subdomains where a dot and an n are one bit away)<p>And this is why ECC RAM should obviously be the default.
>X-Forwarded-For that attempts to make the request appear as if it originated from an IP belonging to the US Department of Defense.<p>Networking newbies always get spooked by this <a href="https://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html" rel="nofollow">https://blog.erratasec.com/2013/12/dod-address-space-its-not...</a><p>Hundreds of ISPs out there utilizing DoD space for their internal addresses.
I did this years ago with the DNS name for a large CDN (think akadns.net but it wasn't Akamai) and also saw lots of interesting stuff behind it.<p>Its hard (maybe impossible) to identify identify scale, so I don't know if it was 1%, .1% or .0001% of traffic, but I was seeing hundreds of requests per second.
McAfee is flagging site as follows
URL: <a href="https://remyhax.xyz/posts/bitsquatting-windows/" rel="nofollow">https://remyhax.xyz/posts/bitsquatting-windows/</a>
URL Categories: Malicious Sites
Reputation: High Risk
The NTP conclusion is wrong.<p>chrony also uses randomized transmit timestamps:<p>Transmit Timestamp: Feb 2, 2045 15:47:48.317625828 UTC<p>As per [0] this is a security feature:<p>[0] <a href="https://chrony.tuxfamily.org/comparison.html" rel="nofollow">https://chrony.tuxfamily.org/comparison.html</a>
What I'd love to see is a split by which bit is affected and are any versions more popular in the truly benign cases (like ntp).<p>Although it was confirmed with idle devices that we do see bitflips, I keep wondering if in real world we get more changes due to memory overflows than cosmic rays / failed ram refresh.
The “US DoD” IP could simply be a mobile network operator’s internal IP address leaking via the XFF header. Mobile network operators are known to use public but unadvertised IP ranges such as 25.0.0.0/8 (UK MoD: <a href="https://blog.wireshark.org/2010/04/t-mobile-clever-or-insane/" rel="nofollow">https://blog.wireshark.org/2010/04/t-mobile-clever-or-insane...</a>) for their internal networks in order to avoid clashes with actual private IPs. For example, by using a “public” IP address, any private IP address requests from a client will route through e.g. WiFi instead of through the cell network. It would not surprise me if a Chinese mobile network operator was using chunks of unadvertised US DoD IP address for the same purpose.
Semi-related: I remember a story from HN a few years ago where someone started experiencing crashes and tracked it down to a single flipped bit in memory which went away when he purged his page cache so the binary was reloaded from disk. Does anyone happen to have a link to it?
> 199,180 NTP Client connections from 626 unique IP addresses<p>This seems like an abnormally high connections/IP, even if we assume some of the IPs represent multiple clients. Perhaps it's because of retrying as the author does not seem to have sent NTP replies back?
Somewhat related: I run an http server on the local network for various services.
Due to the large number of bogus requests I set up a honeypot vhost which responds only to requests sent without a Host header, i.e. received directly on the IP address. It also logs these requests separately.<p>It's fun to check the logs once in a while and see all sorts of exploit attempts. Wordpress and PHP seem to attract a lot of attention.
The behavior seen here seems to indicate typos more than bit flipping - ex, look at the NTP requests: it works out to roughly 1 request/hr from the ~600 IPs that are hitting them, that's not an in-memory bit-flip.
Oh goodness! After domain squatting, one more squatting to think about! Do I have to worry about these things? How likely is it that a solar flare modifies a computer memory right when typing a domain?
aren't Ethernet frames CRC'd? Are there other checksums down the call stack, or up the stack at the other end, that would reject such bit flips in the raw data?
the use of the department of defense IP there is most likely because it's a ISP using one of the DoD's ipv4 /8 blocks internally. There's more than a few (and not just all in China) that have done that, in an attempt to shovel back the tide of needing to fully migrate to ipv6, or due to lack of other ipv4 resources for unique customer numbering.