1
00:00:00,042 --> 00:00:01,999
JAESON SCHULTZ: My name is Jaeson.

2
00:00:01,999 --> 00:00:05,000
This talk is on examining the bitsquatting attack surface.

3
00:00:07,501 --> 00:00:09,999
For those of you who are regular DEF CON

4
00:00:09,999 --> 00:00:13,999
attendees, you may remember a talk from a couple of years ago,

5
00:00:13,999 --> 00:00:19,083
there was a talk by the name of or by a man named Artem Dinaburg.

6
00:00:22,999 --> 00:00:27,626
He registered several domains that registered getting traffic and shows that

7
00:00:27,626 --> 00:00:29,042
it works.

8
00:00:29,209 --> 00:00:33,209
So if you know what typosquatting is, you will be able to understand

9
00:00:33,209 --> 00:00:36,000
the concept of bitsquatting.

10
00:00:36,042 --> 00:00:37,999
It's not a whole lot different.

11
00:00:38,000 --> 00:00:40,918
Typosquatting is registering a domain name that

12
00:00:40,918 --> 00:00:44,792
is maybe confusingly similar, that somebody might mistype

13
00:00:44,792 --> 00:00:47,918
on a keyboard, bitsquatting involves actually

14
00:00:47,918 --> 00:00:52,999
registering domain names that are one binary digit different.

15
00:00:52,999 --> 00:00:54,876
If you think about the way that domain names are

16
00:00:54,876 --> 00:00:57,959
represented in the memory of the computer.

17
00:00:58,042 --> 00:01:00,125
Most use ASCII.

18
00:01:04,999 --> 00:01:08,999
I have an example here where Twitter.com can

19
00:01:08,999 --> 00:01:13,083
flip a bit and become twitit2.com.

20
00:01:14,918 --> 00:01:16,999
Really there's nothing fancy.

21
00:01:16,999 --> 00:01:21,083
It involves nothing more than registering domain names

22
00:01:21,083 --> 00:01:26,250
but this was a great talk and I was really impressed by it and hats

23
00:01:26,250 --> 00:01:31,542
off to Artem Dinaburg for bringing it to everyone's attention and be

24
00:01:31,542 --> 00:01:33,626
the first one.

25
00:01:33,626 --> 00:01:35,999
This is a view of the ASCII table, at least a lot

26
00:01:35,999 --> 00:01:38,542
of the characters that are in the ASCII table

27
00:01:38,542 --> 00:01:41,334
and their binary representation.

28
00:01:41,334 --> 00:01:45,334
I'm purposefully not showing things line the ASCII control characters.

29
00:01:45,751 --> 00:01:48,667
Actually, ASCII was a specification that was built

30
00:01:48,667 --> 00:01:53,667
a long time ago back in the late '50s and early '60s when we had printing

31
00:01:53,667 --> 00:01:55,959
teletype machines.

32
00:01:55,959 --> 00:02:00,125
So several character codes that are in the seven bit ASCII table are things

33
00:02:00,125 --> 00:02:03,667
like line feed, control codes and various, you know,

34
00:02:03,667 --> 00:02:06,792
other control codes like delete.

35
00:02:07,083 --> 00:02:09,876
When you had a printing tape and you made an error,

36
00:02:09,876 --> 00:02:12,459
the reason why all ones in seven bit ASCII

37
00:02:12,459 --> 00:02:15,999
is the delete character is because they would print ones

38
00:02:15,999 --> 00:02:19,083
all the way across and that would signify that we

39
00:02:19,083 --> 00:02:24,334
made a mistake and let them move on in terms the printing teletype.

40
00:02:25,751 --> 00:02:28,125
There were people who argued back during the beginning when

41
00:02:28,125 --> 00:02:30,083
they were making the ASCII specification that

42
00:02:30,083 --> 00:02:33,209
they shouldn't include lowercase characters at all.

43
00:02:33,709 --> 00:02:37,792
Other people were arguing that we should have the lowercase

44
00:02:37,792 --> 00:02:42,999
the lowercase letters interweaved with the upper case.

45
00:02:42,999 --> 00:02:45,125
So you might have a little A or a big A and so on.

46
00:02:45,292 --> 00:02:47,083
This ended up being the final ASCII specification

47
00:02:47,083 --> 00:02:50,792
and it got picked up in the early '80s with the advent.

48
00:02:53,501 --> 00:02:57,083
This is what makes bitsquatting possible.

49
00:02:57,918 --> 00:03:01,501
The R in Twitter, I highlighted here.

50
00:03:01,501 --> 00:03:05,250
You can actually see that there's several other characters that are part

51
00:03:05,250 --> 00:03:09,083
of the table, which are different only by one digit, if you were to flip

52
00:03:09,083 --> 00:03:14,250
a zero into a one or a one into a zero, you could get all of these other things.

53
00:03:14,918 --> 00:03:19,083
And so what Artem Dinaburg proved, if you register a bunch of domains

54
00:03:19,083 --> 00:03:22,999
he was able to get traffic, for error memories.

55
00:03:27,542 --> 00:03:32,167
It's passed into whatever application, usually the web browser that's doing

56
00:03:32,167 --> 00:03:33,999
most damage.

57
00:03:34,999 --> 00:03:37,584
Did he talk about some of the causes.

58
00:03:37,584 --> 00:03:40,167
So these are the main causes of bitsquatting errors or bit errors

59
00:03:40,167 --> 00:03:41,876
in memory.

60
00:03:42,209 --> 00:03:45,083
Cosmic rays, you know, they are quite frequently hitting

61
00:03:45,083 --> 00:03:49,083
the earth ten thousand per square meter per second.

62
00:03:49,375 --> 00:03:54,334
Heat, I think the upper range on the iPhone operating temperature

63
00:03:54,334 --> 00:03:56,918
is only 95 degrees.

64
00:03:56,918 --> 00:03:58,999
So if you have been carrying your iPhone out around Vegas,

65
00:03:58,999 --> 00:04:02,918
you have been exceeding those operational parameters.

66
00:04:02,959 --> 00:04:07,083
There's an interesting paper that came out earlier this year

67
00:04:07,083 --> 00:04:10,292
about nuclear explosions and bit requests

68
00:04:10,292 --> 00:04:15,501
to determine when low yield nukes have been exploded.

69
00:04:15,999 --> 00:04:18,292
And then finally defects in manufacturing.

70
00:04:19,709 --> 00:04:23,999
As I started thinking about this, I thought it was a really unique idea.

71
00:04:23,999 --> 00:04:26,876
Typically I'm used to being the one making the mistakes,

72
00:04:26,876 --> 00:04:30,918
and having all the problems boil down to, you know, human errors,

73
00:04:30,918 --> 00:04:35,417
you know, missing a semicolon in your program or whatever.

74
00:04:35,626 --> 00:04:37,792
This is the type of thing where you have done

75
00:04:37,792 --> 00:04:40,999
everything right but because of an error in the memory,

76
00:04:40,999 --> 00:04:45,125
all of a sudden, your traffic is going to some other place that you didn't

77
00:04:45,125 --> 00:04:49,501
even intend for it to go, and so one of the characters that's particularly

78
00:04:49,501 --> 00:04:54,959
fascinating is the letter N, which by a flip of one bit can become the dot.

79
00:04:54,959 --> 00:04:57,542
And while that's not one of the necessary characters

80
00:04:57,542 --> 00:05:01,999
according to the RFC for DNS names, it does separate the various parts

81
00:05:01,999 --> 00:05:03,959
of a DNS name.

82
00:05:04,125 --> 00:05:06,999
So if we have an N inside of a domain name that can be

83
00:05:06,999 --> 00:05:09,542
a dot, you can do some interesting things

84
00:05:09,542 --> 00:05:12,792
like the domain, like Windowsupdate.

85
00:05:14,083 --> 00:05:17,792
You can end up with does update.com.

86
00:05:22,250 --> 00:05:24,918
And so we registered some of these.

87
00:05:25,250 --> 00:05:27,999
And these were some of the queries we were getting

88
00:05:27,999 --> 00:05:30,542
from the Internet, lots of people looking

89
00:05:30,542 --> 00:05:33,501
to download Windows updates but they were going

90
00:05:33,501 --> 00:05:36,083
to our domain, dowsupdate.

91
00:05:37,083 --> 00:05:40,999
And this is a similar example, for the Symantec.

92
00:05:40,999 --> 00:05:41,999
Update.

93
00:05:50,918 --> 00:05:54,250
Because it's bidirectional, you can have dots that flip

94
00:05:54,250 --> 00:05:55,959
into becoming a letter N.

95
00:05:55,959 --> 00:06:00,999
So one of the best examples that we registered was the YTMG.com.

96
00:06:01,459 --> 00:06:05,584
They use this content delivery network in a lot of their domain names or a lot

97
00:06:05,584 --> 00:06:08,459
of their web pages to serve content.

98
00:06:08,501 --> 00:06:12,083
And what we did was replaced the dot that separates the third level

99
00:06:12,083 --> 00:06:15,125
of domain name from the second level and registered

100
00:06:15,125 --> 00:06:17,167
the entire thing.

101
00:06:17,167 --> 00:06:18,167
So we registered.

102
00:06:18,876 --> 00:06:22,918
And the other one is the Nate of New York.

103
00:06:23,125 --> 00:06:25,792
Every state has a state dot something dot US.

104
00:06:27,751 --> 00:06:32,083
You can basically replace the second dot from the right

105
00:06:32,083 --> 00:06:35,999
with a letter N and see some traffic.

106
00:06:35,999 --> 00:06:40,999
So here's an example from YouTube.

107
00:06:40,999 --> 00:06:43,209
It has a refer from YouTube.

108
00:06:43,209 --> 00:06:44,918
This was going to our SNyntube.

109
00:06:47,999 --> 00:06:53,584
And this domain is a real subdomain at the state of New York.

110
00:06:53,584 --> 00:06:55,292
It is the office of mental health.

111
00:06:55,375 --> 00:06:58,501
But we were getting lots of different requests from them.

112
00:06:59,501 --> 00:07:05,083
So outside of the characters that are within a domain name itself,

113
00:07:05,083 --> 00:07:10,125
there's other ways that we found and part of the inspiration

114
00:07:10,125 --> 00:07:15,834
for this idea came from this slide, which was originally published

115
00:07:15,834 --> 00:07:19,999
by Artem Dinaburg, and you see what he registered

116
00:07:19,999 --> 00:07:24,459
all were associated with web applications.

117
00:07:24,999 --> 00:07:27,334
I started thinking about that a little bit more.

118
00:07:27,459 --> 00:07:31,501
And, you know, here's the general structure for any URL

119
00:07:31,501 --> 00:07:35,542
and HTTP URL and you will notice that there's a scheme,

120
00:07:35,542 --> 00:07:39,959
host name, path and so on, but there's a couple of maces, I

121
00:07:39,959 --> 00:07:45,501
will highlight them here in red, where we have forward slashes.

122
00:07:45,501 --> 00:07:48,334
And so if you think about bit squats and the context which

123
00:07:48,334 --> 00:07:51,999
they most likely appear, it's going to be inside of web links

124
00:07:51,999 --> 00:07:54,999
and there's a relationship between the letter O and

125
00:07:54,999 --> 00:08:00,209
the forward slash where by the flip of one digit, one becomes the other.

126
00:08:00,667 --> 00:08:02,417
And so how can we use this?

127
00:08:02,999 --> 00:08:07,209
Well, if you have got a domain with a letter O in it, in the right place,

128
00:08:07,209 --> 00:08:11,999
you can actually attack domains which weren't possible before.

129
00:08:11,999 --> 00:08:14,626
So you see, I've got some examples here

130
00:08:14,626 --> 00:08:20,667
in the dot mill the top level domains and this is EDU.

131
00:08:20,667 --> 00:08:25,167
This is where I would not be able to register a domain ordinarily,

132
00:08:25,167 --> 00:08:30,584
but flipping to a slash in the O, it cuts off the URL early and

133
00:08:30,584 --> 00:08:36,167
the traffic goes to some international or country code level domain

134
00:08:36,167 --> 00:08:40,334
and so we have several examples here.

135
00:08:40,501 --> 00:08:42,501
Here's an example of an EDU.

136
00:08:42,501 --> 00:08:46,250
This was this first example ecampus.Phoenix.EDU

137
00:08:46,250 --> 00:08:53,751
and so we registered ecampus.ph and here was actually a request.

138
00:08:53,751 --> 00:08:56,083
Somebody has a smartphone and they have got an icon

139
00:08:56,083 --> 00:08:58,999
on their home screen, and whenever they click

140
00:08:58,999 --> 00:09:01,999
the home screen, one of the byproducts is refetching

141
00:09:01,999 --> 00:09:05,918
the Apple Touch icons and that's actually what you are seeing

142
00:09:05,918 --> 00:09:08,918
here represented in this request, was the request

143
00:09:08,918 --> 00:09:11,417
for the Apple touch icons.

144
00:09:11,834 --> 00:09:16,999
We got similar stuff from other domains.

145
00:09:17,751 --> 00:09:19,999
Those examples are in the white paper.

146
00:09:22,709 --> 00:09:25,709
As the continuing in the bidirectional nature,

147
00:09:25,709 --> 00:09:28,542
not only can you have an O turn into a slash

148
00:09:28,542 --> 00:09:31,709
but you can have slashes turn into the letter O.

149
00:09:31,709 --> 00:09:34,334
And why is this important?

150
00:09:34,334 --> 00:09:37,999
Well, the browser actually allows or kind of silently fixes errors that

151
00:09:37,999 --> 00:09:40,999
might occur as a result of this.

152
00:09:40,999 --> 00:09:44,959
So if you can imagine, you've got a domain like slash dot here,

153
00:09:44,959 --> 00:09:50,083
but imagine that the second slash from the left turns into a letter O

154
00:09:50,083 --> 00:09:52,999
by virtue of a bit error.

155
00:09:53,626 --> 00:10:01,459
The browser sees http:/ and they think, oh, it must be an error.

156
00:10:01,459 --> 00:10:03,083
I need you to take you to O/.

157
00:10:07,334 --> 00:10:12,959
and here's an example of that, again, someone fetching their Apple touch

158
00:10:12,959 --> 00:10:16,125
icons, they have a slash dot web link stored

159
00:10:16,125 --> 00:10:19,834
on the home screen of their phone.

160
00:10:19,999 --> 00:10:24,042
I'm seeing a lot of traffic from mobile devices, honestly.

161
00:10:26,542 --> 00:10:30,417
Let's see, am I going the right way?

162
00:10:30,417 --> 00:10:34,667
So we've got additional URL delimiters that are possible.

163
00:10:34,667 --> 00:10:38,209
The letter C has a relationship with the pound character.

164
00:10:38,209 --> 00:10:41,209
And people that work in URLs will be familiar

165
00:10:41,209 --> 00:10:44,125
with the pound character.

166
00:10:44,125 --> 00:10:47,250
It basically shows you where you've got an anchor tag.

167
00:10:47,250 --> 00:10:50,459
So if you can imagine a full host name with a letter C in it,

168
00:10:50,459 --> 00:10:53,999
at the right place, when that C turns into an anchor tag,

169
00:10:53,999 --> 00:10:56,751
it actually cuts short the domain and a couple

170
00:10:56,751 --> 00:11:00,501
of really interesting examples here, PKI in the nrc.gov, that's

171
00:11:00,501 --> 00:11:03,584
the nuclear regulatory commission.

172
00:11:03,626 --> 00:11:05,999
I actually bought that domain.

173
00:11:08,167 --> 00:11:11,167
And this is Naru.

174
00:11:12,083 --> 00:11:16,083
You have to register some of these domains by faxing a paper in.

175
00:11:16,167 --> 00:11:19,292
So some of these country code registries are

176
00:11:19,292 --> 00:11:23,959
a little bit less organized than others, let's say.

177
00:11:23,959 --> 00:11:28,083
But some others here, we've got a CDC.gov, it happens

178
00:11:28,083 --> 00:11:30,792
to have a bit squat.

179
00:11:36,792 --> 00:11:40,918
And there's some interesting examples there.

180
00:11:42,083 --> 00:11:46,709
This is an example here, basically showing that the browser

181
00:11:46,709 --> 00:11:51,334
will happily, and if you see in the location tab, it's going

182
00:11:51,334 --> 00:11:53,999
to a.US domain name.

183
00:11:53,999 --> 00:11:55,999
That's what the browser is hopefully correcting for us

184
00:11:55,999 --> 00:11:58,959
and sending us to the wrong place.

185
00:12:00,792 --> 00:12:05,834
Let's see, this here is, yes, another example.

186
00:12:05,834 --> 00:12:10,083
This is an interesting one, in that the the C, if it even if it has a dot

187
00:12:10,083 --> 00:12:14,999
before it, will still work, and if you look at the location bar here,

188
00:12:14,999 --> 00:12:18,417
you will see the real location that you would be

189
00:12:18,417 --> 00:12:24,334
going to, if, in fact, the C in dot CN was to flip into an anchor tag.

190
00:12:24,876 --> 00:12:28,999
So these will still work even with errors in the browser.

191
00:12:29,375 --> 00:12:33,459
So these were representing URLs and the domain delimiters

192
00:12:33,459 --> 00:12:39,083
but we also took a level we took a look at the top level domains.

193
00:12:39,083 --> 00:12:41,999
So most of the top level domains don't have bit squats.

194
00:12:43,167 --> 00:12:44,999
There's some like.co.

195
00:12:46,999 --> 00:12:53,918
They have an 0 based slash, but the ccTLDs have several depending

196
00:12:53,918 --> 00:12:56,999
on where you are at.

197
00:12:56,999 --> 00:13:00,584
So there's some domains that only have have no bitsquats

198
00:13:00,584 --> 00:13:05,834
in the country code space and some that have several.

199
00:13:05,834 --> 00:13:11,167
The Ivory Coast have ten different valid country code bitsquats what is sort

200
00:13:11,167 --> 00:13:13,999
of possible with this?

201
00:13:14,292 --> 00:13:16,626
Well, we registered a domain name based

202
00:13:16,626 --> 00:13:20,999
on the Kremlin.ru domain but instead of .ru, we registered .re,

203
00:13:20,999 --> 00:13:26,209
which is reunion island and we got this request for a news page, basically,

204
00:13:26,209 --> 00:13:29,083
and so I pulled up the corresponding page

205
00:13:29,083 --> 00:13:33,626
inside of the Kremlin.ru page, just to show that, yes, this was

206
00:13:33,626 --> 00:13:38,083
a real news page that someone was requesting but they were coming

207
00:13:38,083 --> 00:13:42,167
to Kremlin.re, instead, which we were not going to be able

208
00:13:42,167 --> 00:13:44,876
to serve that content.

209
00:13:46,083 --> 00:13:50,417
I have here another domain that we registered for this test, Europa.eu

210
00:13:50,417 --> 00:13:52,999
is the European parliament.

211
00:13:53,751 --> 00:13:57,959
And so we registered Europa.mu, and you can see we're getting

212
00:13:57,959 --> 00:14:01,375
a bunch of MX requests for Europa.mu.

213
00:14:01,999 --> 00:14:06,626
These are all valid subdomains at Europa.eu by the way.

214
00:14:07,417 --> 00:14:13,250
Here is sip DNS request from the German federal government.

215
00:14:13,250 --> 00:14:16,334
So we registered a couple of different domains there, bun.ee,

216
00:14:16,334 --> 00:14:21,083
which also happens to be a typosquat as well as a bitsquat.

217
00:14:25,209 --> 00:14:27,751
I think I might have another example.

218
00:14:27,792 --> 00:14:29,834
Yeah, here's some MX requests.

219
00:14:29,999 --> 00:14:32,999
If you were to look up the IP addresses on some of these,

220
00:14:32,999 --> 00:14:35,584
you will note that some of these requests were coming

221
00:14:35,584 --> 00:14:38,999
from inside of the government of Germany itself.

222
00:14:39,834 --> 00:14:45,542
So what about all the new generic top level domains what could be

223
00:14:45,542 --> 00:14:47,959
possible there.

224
00:14:48,334 --> 00:14:50,999
Using some of these techniques, you could register

225
00:14:50,999 --> 00:14:56,792
a bit squat that would allow you to bit squat the entire top level domain.

226
00:14:57,999 --> 00:15:02,125
I think one of the most interesting out of this list is dot exchange which

227
00:15:02,125 --> 00:15:05,999
is supposed to be used for financial exchanges.

228
00:15:05,999 --> 00:15:08,999
So if you were able to register this xj.ge in Georgia,

229
00:15:08,999 --> 00:15:12,709
you could potentially receive bitsquats for any domain

230
00:15:12,709 --> 00:15:15,375
registered under.exchange.

231
00:15:17,834 --> 00:15:20,501
There's some other bitsquats that are possible

232
00:15:20,501 --> 00:15:23,751
in the new generic top level domains.

233
00:15:23,751 --> 00:15:25,918
This is based on the letter O.

234
00:15:25,918 --> 00:15:31,999
This is .boo, .bio and the corresponding country code where

235
00:15:31,999 --> 00:15:37,999
those bitsquats exist, as well as those on the letter C.

236
00:15:37,999 --> 00:15:43,501
So something more about the ccTLD bitsquats.

237
00:15:45,459 --> 00:15:50,542
You would think in UK, where they only allow the protected it's

238
00:15:50,542 --> 00:15:53,959
a fairly protected registrar.

239
00:15:53,959 --> 00:15:56,918
You can only register third level domains at .UK.

240
00:16:01,417 --> 00:16:06,626
So it turns out that the .UK has a one bit error and you become .TK,

241
00:16:06,626 --> 00:16:09,999
and so I started looking at what was available

242
00:16:09,999 --> 00:16:14,999
at .TK and there's several of these, probably the most interesting

243
00:16:14,999 --> 00:16:21,542
out of this list is the MOD, which is the ministry of defense in the UK.

244
00:16:21,626 --> 00:16:24,709
So I could I didn't register this.

245
00:16:24,709 --> 00:16:26,542
I think they have registered it now.

246
00:16:26,542 --> 00:16:27,918
So it's not available now.

247
00:16:27,918 --> 00:16:30,083
But MOD.TK was available for a while and could you have

248
00:16:30,083 --> 00:16:33,292
potentially been eavesdropping on the ministry of defense,

249
00:16:33,292 --> 00:16:35,918
but there's several others and they all match

250
00:16:35,918 --> 00:16:39,918
the corresponding second level registration at dot UK.

251
00:16:39,918 --> 00:16:42,918
So you could potentially get quite a lot of traffic there.

252
00:16:43,375 --> 00:16:47,501
So just kind of closing up here, you know, this is obviously,

253
00:16:47,501 --> 00:16:50,999
there's a lot of domains out there that are possible

254
00:16:50,999 --> 00:16:54,542
to bitsquat and even in protected registries like.gov

255
00:16:54,542 --> 00:16:56,125
and so on.

256
00:16:56,334 --> 00:16:59,459
So far the current mitigations were to use ECC memory or buy

257
00:16:59,459 --> 00:17:03,250
up all the domains so no one could register it.

258
00:17:05,083 --> 00:17:08,626
I think there's some better ways around that.

259
00:17:08,626 --> 00:17:13,125
So one of the ways that we actually saw used in practice and I don't know that

260
00:17:13,125 --> 00:17:17,834
they were necessarily doing this on purpose was Amazon uses kind

261
00:17:17,834 --> 00:17:21,667
of a roving domain sort of defense here.

262
00:17:21,667 --> 00:17:24,542
And if you look at the source code from some Amazon pages,

263
00:17:24,542 --> 00:17:27,667
you notice that they have this domain cloudfront.net

264
00:17:27,667 --> 00:17:30,999
and normally the o in cloud front would make these perfect

265
00:17:30,999 --> 00:17:34,292
bitsquat domains based on the O flipping to a slash and

266
00:17:34,292 --> 00:17:36,626
the country code .CL.

267
00:17:36,999 --> 00:17:40,999
But what they do, if you look at the third level host name.

268
00:17:40,999 --> 00:17:45,083
It changes every time they recompile the code there.

269
00:17:46,125 --> 00:17:49,459
It changes about every month and so if you were to go out and register one

270
00:17:49,459 --> 00:17:52,083
of these domain names, you probably wouldn't get much traffic

271
00:17:52,083 --> 00:17:54,542
in the month before it changes.

272
00:17:54,542 --> 00:17:56,959
So I thought that was an interesting defense.

273
00:17:57,417 --> 00:18:02,167
I also noticed that a lot of these bitsquatting problems happen

274
00:18:02,167 --> 00:18:06,375
as a result of URLs in web applications and so limiting

275
00:18:06,375 --> 00:18:12,125
the amount of times that the URL actually appears can help you.

276
00:18:12,125 --> 00:18:14,876
So instead of using absolute links, if you use relative links,

277
00:18:14,876 --> 00:18:18,459
then you are not going to be putting the domain name in the link

278
00:18:18,459 --> 00:18:22,375
and web pages are stored in memory, basically the exact same way that

279
00:18:22,375 --> 00:18:24,999
they were written originally.

280
00:18:24,999 --> 00:18:27,417
So that can help you, and also using capital letters,

281
00:18:27,417 --> 00:18:31,292
there's less these are some other the capital letters don't have

282
00:18:31,292 --> 00:18:34,999
the same equivalent bitsquats as lowercases.

283
00:18:34,999 --> 00:18:38,792
And so using capital levels can help you avoid certain bitsquats.

284
00:18:39,999 --> 00:18:43,918
The probably the best defense is the response zone.

285
00:18:52,999 --> 00:18:57,999
I have an example here of PayPal if you had an RPZ, you might look

286
00:18:57,999 --> 00:19:01,876
at a request coming for from RayPal and think that's

287
00:19:01,876 --> 00:19:05,626
probably a one bit error and I will silently return

288
00:19:05,626 --> 00:19:09,334
from my DNS revolver, no such domain.

289
00:19:11,999 --> 00:19:15,292
You have to be careful of false positive like this raypal.com

290
00:19:15,292 --> 00:19:17,083
is a real site.

291
00:19:17,083 --> 00:19:20,584
So to that end, you definitely have to monitor for false positives when you

292
00:19:20,584 --> 00:19:22,876
are using it technique.

293
00:19:22,876 --> 00:19:26,334
But configuring this at the DNS, it takes it out from the ability

294
00:19:26,334 --> 00:19:30,501
to register the doe plains in the first part.

295
00:19:36,999 --> 00:19:40,083
If you have a list of fully qualified domain names you

296
00:19:40,083 --> 00:19:43,250
want to turn into an RPZ and deploy on your revolver,

297
00:19:43,250 --> 00:19:46,876
we are releasing a PERL script to do that.

298
00:19:46,999 --> 00:19:51,999
It will be available on the Cisco blog page.

299
00:19:51,999 --> 00:19:54,501
I have a blog page coming out in about ten minutes

300
00:19:54,501 --> 00:19:58,999
and you can download the code from there as well.

301
00:19:58,999 --> 00:20:01,999
So I hope that you found some of these new bitsquatting attacks

302
00:20:01,999 --> 00:20:05,999
interesting and I really hope that people are going to go out and try

303
00:20:05,999 --> 00:20:09,667
to do something as far as fixing up the revolvers and making this

304
00:20:09,667 --> 00:20:12,375
problem go away because if more people did that,

305
00:20:12,375 --> 00:20:16,459
then bitsquatting wouldn't really be an issue at all.

306
00:20:16,501 --> 00:20:18,999
So thank you.