Domain Squatting Math

#Domain Squatting #Threat Hunting #Exponentials

“Compound interest is the eighth wonder of the world. He who understands it, earns it … he who doesn’t … pays it.”

― Albert Einstein

What is domain squatting?

Domain squatting is when someone registers a domain name which looks like another domain name. Usually, the term “domain squatting” is used in a context where malicious intent is implied. For example, someone trying to steal passwords may register the domain name (with an extra o in it). This way, he/she could send emails to potential victims with links to and the potential victims would be more likely to mistake this domain for the real thing and click the links.

The math of domain squatting

The are numerous algorithms available to find domain squats for a given domain, but the difficulty is that finding domain squats for a given domain is computationally difficult and demonstrates exponential growth. Let’s examine this a bit more.

For starters, how many possible domain squats are there for Let’s assume the top level domain (e.g. .com) remains the same - we’ll just focus on the abc bit. Let’s also pretend that there are two characters which can replace each of the characters in abc. In other words, we can replace a with а (a character from the Cyrillic alphabet) or α (a character from the Greek alphabet) and we can replace both b and c with two other characters as well. So, for each character in abc, we have three options:

  1. Replace it with the first option
  2. Replace it with the second option
  3. Keep it the same

For each character, we have the three options we listed above, so all possible combinations amount to: 3 * 3 * 3 = 27. But, one of the twenty seven configurations is one in which all of the characters in the original domain are kept the same. Because this does not constitute a domain squat, we remove this one to get 26 as our final answer. A domain with three characters and an average of two replacements per character can produce twenty six domain squats!

We can represent the number of domain squats formulaically as:

((r + 1) ^ n) - 1


  • r is the number of characters which can replace each character in the domain
  • n is number of characters in the domain

Thus, the number of possible replaces for a domain name that is 10 characters long assuming we can replace each character with 10 other characters is: ((10 + 1) ^ 10) - 1 = (11 ^ 10) - 1 = 25,937,424,600. 25 billion possible domain squats! This is the challenge of finding domain squats; it is a system that grows exponentially. What if we keep everything the same, but find domain squats for a domain which is 11 characters long? That works out to be: 10 ^ 11 = 285,311,670,610. 285 billion! If you were to plot 25 billion on a number line stretching between zero and 285 billion, it would look something like:


Adding one more character to our domain name, we have exponentially increased the possible squats.

Below is some clojure code you can play with to find the number of domain squats for domains of various lengths. Notice that adding one character to a domain’s length increases the amount of time required to find all domain squats exponentially (non-linearly)!

    (defn pow [n x]
    (reduce * (repeat x n)))

    (defn possible-domain-squats [domain-length avg-replacement-chars]
    (dec (pow (inc avg-replacement-chars) domain-length)))

    ; change the values below to see how the possible domain squats change
    (def domain-length 10)
    (def avg-replacement-chars 10)

    (possible-domain-squats domain-length avg-replacement-chars)

Here is another way to systematically observe how the number of domain squats changes with the size of the domain name. We assume ten replacement characters (that is, each character in the domain can be replaced with ten characters - which is very reasonable) for domains of varying lengths:

    (for [domain-length (range 3 16)
    :let [squats (possible-domain-squats domain-length 10)]]
    {:domain-length domain-length :squats squats})