Internet censorship in Turkey took a new and ominous turn yesterday. In order to better seal off access to social media sites like YouTube and Twitter, the incumbent TurkTelecom began hijacking the IP address space of public DNS resolvers like those of Google. This allows TurkTelecom servers to masquerade as Google DNS servers, returning whatever answers they want. Under normal circumstances, such queries would have been destined for servers outside the country, which is how Turkish users were circumventing the ban on YouTube imposed earlier this week. However, now local users of these global DNS services are surreptitiously redirected to alternate providers within TurkTelekom. You can see this route redirection for yourself, here and here.
Turkey’s 25th and current Prime Minister, Recep Tayyip Erdoğan, has publicly and repeatedly expressed his dislike of social media, instructing various sites to be blocked. The current attempt to curtail this important medium began on March 21st via DNS poisoning of Twitter by Turkish ISPs, probably trying to implement the government-mandated ban in a minimally invasive way.
— Dyn Research (@DynResearch) March 21, 2014
But Turkish Internet users learned how to change the DNS settings on their smartphones and laptops to use international providers, such as Google DNS resolvers at 188.8.131.52 and 184.108.40.206 or Level 3’s at 220.127.116.11 and 18.104.22.168. Such arcane strings of digits were found scrawled on city walls and the technically savvy population quickly got the message.
As a result, Twitter’s popularity in Turkey only increased. The next step was to block the IP addresses of Twitter itself, which happened on March 22nd.
— Dyn Research (@DynResearch) March 22, 2014
Then on March 27th, YouTube’s domain was also poisoned. YouTube was first blocked in Turkey all the way back in 2007, a ban that was ultimately lifted years later. But as of this writing, the corresponding IP addresses are still available from within Turkey. So as with the initial ban of Twitter, if Turkish users can find the correct YouTube IP addresses, they will be able to reach this site.
Renesys confirms partial DNS blocking of http://t.co/6UYg7anD3j in Turkey
— Dyn Research (@DynResearch) March 27, 2014
But then on March 29th, finding the correct IP addresses of banned domains suddenly got a bit harder. TurkTelecom, for example, started hijacking (via BGP routing) both Google’s and Level 3’s DNS servers.
.@TelecomixTurkey Renesys confirms TurkTelecom now hijacking Google/Level3 DNS: 22.214.171.124, 126.96.36.199, 188.8.131.52, etc. Bogus DNS answers
— Dyn Research (@DynResearch) March 29, 2014
As shown in the graphic below, we observed this change via downstream customers of TurkTelecom as it was implemented on Saturday, one day before local Turkish elections.
Now when Turkish users seemingly ask a Google DNS server for YouTube’s address, they get the IP address of a Turkish government site (184.108.40.206), explaining the ban:
Here is the tail end of a traceroute to 220.127.116.11 from Turkey before the route hijack of Google.
|5||18.104.22.168||Frankfurt am Main||Germany||101.998|
|6||22.214.171.124||Frankfurt am Main||Germany||65.962|
|7||126.96.36.199||Frankfurt am Main||Germany||62.7|
|8||188.8.131.52||Frankfurt am Main||Germany||62.645|
And here is that same traceroute moments after the hijack.
Notice that, after the hijack, the fake Google answered in under 1ms, but before these shenanigans, the presumably real Google took over 70ms. Now Turkish Internet users, like those in China operating behind the Great Firewall, cannot be sure who is providing answers to their DNS queries. Is it the intended provider or some masquerading intermediary? The only clues are provided by the speed of light in fiber and knowledge of Internet business practices.
Google Global Cache nodes (https://t.co/vmhWWYV5PJ) are in Iraq, Gaza, Armenia, Cyprus, Greece, Somaliland, … but not Turkey
— Dyn Research (@DynResearch) March 28, 2014
Google doesn’t even have caching servers in Turkey to provide better local service, despite having them in 135 other countries. So they probably aren’t hosting their DNS servers in Turkey either. Thus, a legitimate Google owned and operated IP address could never respond to a Turkish user in under 1ms. While there are many global DNS providers who are not currently subject to this treatment, the easily remembered IP addresses for Google and Level 3 servers should now be considered suspect from within Turkey.
The Internet service providers in Turkey are in a difficult position. The government did not instruct them to block Google or Level 3 DNS servers, and in fact you can always check out the mandated blocks on the government’s own website. The government told them to block Twitter and then YouTube. The providers are seemingly trying to implement the ban in small incremental steps that still satisfy the letter of the law. Providers want the Internet to work — until someone intervenes legally. It’s in their business interest to bring content to their customers. So the fact that these blocks were initially so porous is no accident.
The real damage may come in the years ahead if businesses decide to invest less in Turkey because of the uncertainty around the free flow of information. While social media sites are not necessarily central to many business operations, if Twitter and YouTube can be blocked today, what about Gmail or Dropbox tomorrow? As Egypt probably learned in 2011, tampering with the Internet is not the best way to build an economy in an Internet-dependent world. To bring clarity to the cloud and help enterprises manage, monitor and troubleshoot their Internet delivery, we built our new Internet Intelligence offering, which we’ll be demoing next week at Interop in Las Vegas.