Bitsquatting: the bit flip domain attack
Bitsquatting is one of the strangest lookalike techniques because the "typo" does not happen in a human's fingers. It happens inside a computer's memory. A single flipped bit can turn one character of your domain into a neighboring character, and an attacker who owns that one-bit-off domain quietly collects the traffic that gets misdirected.
What is bitsquatting?
Every character in a domain name is stored as a number. The letter "a" in ASCII is the binary value 01100001. Computer memory is just billions of these bits held as tiny electrical charges. If one of those bits flips, say the value becomes 01100011, the character is no longer "a." It is now "c." The domain the machine tries to reach is now one character different from the one the user actually requested.
A bitsquatter registers those one-bit-away variants of a popular domain ahead of time. When a device somewhere flips the relevant bit while handling the real domain, it resolves the attacker's domain instead, and the attacker is waiting there to receive the connection.
What causes a bit to flip?
Bit flips are real hardware events, not software bugs. The usual causes are physical:
- Cosmic rays and background radiation: high energy particles strike a memory cell and discharge it.
- Heat: hot, poorly cooled hardware is more error prone.
- Electrical noise and aging: cheap or worn memory holds its charge less reliably.
- No ECC: error correcting code memory detects and fixes most single-bit flips, but most phones, consumer laptops, and cheap routers do not have it.
Any single device flipping a bit is extraordinarily rare. But a hugely popular domain is resolved by an enormous number of devices, many of them cheap and uncooled, so across the whole population the occasional flip does occur. Bitsquatting is a numbers game played at internet scale.
How attackers exploit it
The attacker's job is mostly patience. They enumerate the domains that sit one bit away from a high traffic target, register the ones that are available and still valid as hostnames, and stand up a server or a logging endpoint. Then they wait for the stream of misdirected requests.
What they do with that traffic depends on the target. They might serve a phishing page, capture whatever credentials or tokens a confused client sends, or simply log the requests to study them. If the target domain is one that devices fetch automatically in the background, such as an update server or an analytics endpoint, the misdirected traffic can arrive with no human in the loop at all.
| Technique | Where the change happens | Targeting |
|---|---|---|
| Typosquatting | Human keyboard | Relies on user mistakes |
| Bitsquatting | Device memory | Relies on hardware errors |
Why it is opportunistic, not targeted
It is worth being honest about the scale here. Bitsquatting does not let an attacker choose a victim. They cannot make your bit flip. They can only register the variant and collect whatever the laws of physics happen to send their way. For most domains, the volume of misdirected traffic per domain is genuinely low, and for a small site it may be effectively zero.
That changes for very high traffic domains. When a name is resolved billions of times across a vast and varied device population, even a vanishingly small per-request flip rate produces a steady trickle of real connections. That trickle is what makes the technique worthwhile for the biggest brands, content delivery hostnames, and widely embedded update or telemetry endpoints.
Should you monitor for it?
For most organizations bitsquatting is a niche concern that sits well below typosquatting and combosquatting on the priority list. It is real, but the per-domain volumes are small and there is no targeting. If your domain is fetched at very large scale, or fetched automatically by software clients, it moves up the list, because automated clients can leak credentials to a bitsquat without any user ever noticing.
Detection is mechanical. Because a bit flip is deterministic, you can generate the full set of one-bit-away variants for any domain by flipping each bit of each character in turn and keeping the results that are valid hostnames. VigilDNS includes bit flip permutations in its engine alongside the human-error techniques, so if any of those variants get registered or appear in Certificate Transparency logs, they surface next to your other lookalike alerts rather than being missed entirely.
Frequently asked questions
Is bitsquatting a common attack?
No. It is a niche technique compared to typosquatting or combosquatting, and the traffic any single bitsquat captures is usually low. It matters most for very high traffic domains and for hostnames that automated clients fetch in the background.
Can ECC memory stop bitsquatting?
Error correcting memory fixes most single-bit flips on the machine that has it, which removes that machine as a source of misdirected traffic. But the technique works across the whole population of devices resolving a domain, and most consumer hardware has no ECC, so you cannot rely on it as a defense for your brand.
Why register a bitsquat instead of just typing a typo?
A bitsquat catches traffic that no human ever mistyped. The error happens inside a device, so it can intercept automated, machine-to-machine requests that a typo never would, which is part of what makes it interesting to attackers despite the low volume.
To see which lookalike variants of your domain are already registered, including ones you would never think to type, run a quick scan with our free typosquat checker.