
Turkish Internet Censorship Takes a New Turn

Internet censorship in Turkey took a new and ominous turn yesterday. In order to better seal off access to social media sites like YouTube and Twitter, the incumbent TurkTelecom began hijacking the IP address space of public DNS resolvers like those of Google. This allows TurkTelecom servers to masquerade as Google DNS servers, returning whatever answers they want. Under normal circumstances, such queries would have been destined for servers outside the country, which is how Turkish users were circumventing the ban on YouTube imposed earlier this week. However, now local users of these global DNS services are surreptitiously redirected to alternate providers within TurkTelekom. You can see this route redirection for yourself, here and here.

Recap

Turkey’s 25th and current Prime Minister, Recep Tayyip Erdoğan, has publicly and repeatedly expressed his dislike of social media, instructing various sites to be blocked. The current attempt to curtail this important medium began on March 21st via DNS poisoning of Twitter by Turkish ISPs, probably trying to implement the government-mandated ban in a minimally invasive way.

But Turkish Internet users learned how to change the DNS settings on their smartphones and laptops to use international providers, such as Google DNS resolvers at 8.8.8.8 and 8.8.4.4 or Level 3’s at 4.2.2.1 and 4.2.2.2. Such arcane strings of digits were found scrawled on city walls and the technically savvy population quickly got the message.

[Image: twitter-turkey-googledns]

As a result, Twitter’s popularity in Turkey only increased. The next step was to block the IP addresses of Twitter itself, which happened on March 22nd.

Then on March 27th, YouTube’s domain was also poisoned. YouTube was first blocked in Turkey all the way back in 2007, a ban that was ultimately lifted years later. But as of this writing, the corresponding IP addresses are still available from within Turkey. So as with the initial ban of Twitter, if Turkish users can find the correct YouTube IP addresses, they will be able to reach this site.

But then on March 29th, finding the correct IP addresses of banned domains suddenly got a bit harder. TurkTelecom, for example, started hijacking (via BGP routing) both Google’s and Level 3’s DNS servers.

As shown in the graphic below, we observed this change via downstream customers of TurkTelecom as it was implemented on Saturday, one day before local Turkish elections.

[Image: turkey_google_hijack]

Now when Turkish users seemingly ask a Google DNS server for YouTube’s address, they get the IP address of a Turkish government site (195.175.254.2), explaining the ban:

[Image: nslookup]

Here is the tail end of a traceroute to 8.8.8.8 from Turkey before the route hijack of Google.

3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 7.312
4  212.156.108.82  TTnetTurkTelekom  Etimesgut  Turkey 2.45
5  72.14.217.118  Google  Frankfurt am Main  Germany 101.998
6  209.85.240.160  Google  Frankfurt am Main  Germany 65.962
7  209.85.241.212  Google  Frankfurt am Main  Germany 62.7
8  209.85.254.114  Google  Frankfurt am Main  Germany 62.645
9  * 0
10  8.8.8.8  Google DNS 71.359

 

And here is that same traceroute moments after the hijack.

3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 3.566
4  * 0
5  81.212.29.238  TurkTelekom  Çukurca  Turkey 1.887
6  8.8.8.8  Google DNS 0.831

 

Notice that, after the hijack, the fake Google answered in under 1ms, but before these shenanigans, the presumably real Google took over 70ms. Now Turkish Internet users, like those in China operating behind the Great Firewall, cannot be sure who is providing answers to their DNS queries. Is it the intended provider or some masquerading intermediary? The only clues are provided by the speed of light in fiber and knowledge of Internet business practices.

Google doesn’t even have caching servers in Turkey to provide better local service, despite having them in 135 other countries. So they probably aren’t hosting their DNS servers in Turkey either. Thus, a legitimate Google owned and operated IP address could never respond to a Turkish user in under 1ms. While there are many global DNS providers who are not currently subject to this treatment, the easily remembered IP addresses for Google and Level 3 servers should now be considered suspect from within Turkey.
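The two clues described above (round-trip time bounded by the speed of light in fiber, and whether the path ever leaves the country) can be checked mechanically against the two traceroutes shown earlier. The following is an added example, not code from the original post; the 200 km/ms fiber figure is approximate and the 300 km minimum distance for a resolver hosted outside Turkey is an assumption chosen for illustration.

```python
# Added example: traceroute tails copied from the article; thresholds are assumptions.
BEFORE = """\
3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 7.312
4  212.156.108.82  TTnetTurkTelekom  Etimesgut  Turkey 2.45
5  72.14.217.118  Google  Frankfurt am Main  Germany 101.998
6  209.85.240.160  Google  Frankfurt am Main  Germany 65.962
7  209.85.241.212  Google  Frankfurt am Main  Germany 62.7
8  209.85.254.114  Google  Frankfurt am Main  Germany 62.645
9  * 0
10  8.8.8.8  Google DNS 71.359
"""
AFTER = """\
3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 3.566
4  * 0
5  81.212.29.238  TurkTelekom  Çukurca  Turkey 1.887
6  8.8.8.8  Google DNS 0.831
"""

FIBER_KM_PER_MS = 200.0   # light in fiber covers roughly 200 km per millisecond
MIN_LEGIT_KM = 300.0      # assumption: a resolver hosted outside Turkey is farther than this


def parse(trace):
    """Return answered hops as dicts; '*' rows (no reply) are skipped."""
    hops = []
    for line in trace.strip().splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] == "*":
            continue
        hops.append({"hop": int(fields[0]), "ip": fields[1],
                     "label": " ".join(fields[2:-1]), "rtt_ms": float(fields[-1])})
    return hops


def assess(trace, target="8.8.8.8", local_country="Turkey"):
    """Apply the article's two clues: RTT-bounded distance and where the path goes."""
    hops = parse(trace)
    last = hops[-1]
    reached = last["ip"] == target
    # RTT covers the round trip, so half of it bounds the one-way fiber distance.
    max_km = last["rtt_ms"] / 2 * FIBER_KM_PER_MS
    left_country = any(local_country not in h["label"] for h in hops[:-1])
    return {"reached_target": reached,
            "max_distance_km": round(max_km, 1),
            "path_left_country": left_country,
            "suspect": reached and max_km < MIN_LEGIT_KM and not left_country}


if __name__ == "__main__":
    for name, trace in (("before", BEFORE), ("after", AFTER)):
        print(name, assess(trace))
```

A low round-trip time only proves that the responder is nearby, not who operates it, so the check is meaningful only for providers known to have no servers in the region, as the article argues for Google in Turkey.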

Conclusions

The Internet service providers in Turkey are in a difficult position. The government did not instruct them to block Google or Level 3 DNS servers, and in fact you can always check out the mandated blocks on the government’s own website. The government told them to block Twitter and then YouTube. The providers are seemingly trying to implement the ban in small incremental steps that still satisfy the letter of the law. Providers want the Internet to work — until someone intervenes legally. It’s in their business interest to bring content to their customers. So the fact that these blocks were initially so porous is no accident.

The real damage may come in the years ahead if businesses decide to invest less in Turkey because of the uncertainty around the free flow of information. While social media sites are not necessarily central to many business operations, if Twitter and YouTube can be blocked today, what about Gmail or Dropbox tomorrow? As Egypt probably learned in 2011, tampering with the Internet is not the best way to build an economy in an Internet-dependent world. To bring clarity to the cloud and help enterprises manage, monitor and troubleshoot their Internet delivery, we built our new Internet Intelligence offering, which we’ll be demoing next week at Interop in Las Vegas.



Whois: Earl Zmijewski

Earl Zmijewski is a Senior Director, Data Analytics at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.