Turkish Internet Censorship Takes a New Turn

Internet censorship in Turkey took a new and ominous turn yesterday. In order to better seal off access to social media sites like YouTube and Twitter, the incumbent TurkTelecom began hijacking the IP address space of public DNS resolvers like those of Google. This allows TurkTelecom servers to masquerade as Google DNS servers, returning whatever answers they want. Under normal circumstances, such queries would have been destined for servers outside the country, which is how Turkish users were circumventing the ban on YouTube imposed earlier this week. However, now local users of these global DNS services are surreptitiously redirected to alternate providers within TurkTelekom. You can see this route redirection for yourself, here and here.

Recap

Turkey’s 25th and current Prime Minister, Recep Tayyip Erdoğan, has publicly and repeatedly expressed his dislike of social media, instructing various sites to be blocked. The current attempt to curtail this important medium began on March 21st via DNS poisoning of Twitter by Turkish ISPs, probably trying to implement the government-mandated ban in a minimally invasive way.

But Turkish Internet users learned how to change the DNS settings on their smartphones and laptops to use international providers, such as Google DNS resolvers at 8.8.8.8 and 8.8.4.4 or Level 3's at 4.2.2.1 and 4.2.2.2. Such arcane strings of digits were found scrawled on city walls and the technically savvy population quickly got the message.

[Image: twitter-turkey-googledns]

As a result, Twitter’s popularity in Turkey only increased. The next step was to block the IP addresses of Twitter itself, which happened on March 22nd.

Then on March 27th, YouTube’s domain was also poisoned. YouTube was first blocked in Turkey all the way back in 2007, a ban that was ultimately lifted years later. But as of this writing, the corresponding IP addresses are still available from within Turkey. So as with the initial ban of Twitter, if Turkish users can find the correct YouTube IP addresses, they will be able to reach this site.

But then on March 29th, finding the correct IP addresses of banned domains suddenly got a bit harder. TurkTelecom, for example, started hijacking (via BGP routing) both Google's and Level 3's DNS servers.

As shown in the graphic below, we observed this change via downstream customers of TurkTelecom as it was implemented on Saturday, one day before local Turkish elections.

[Image: turkey_google_hijack]

Now when Turkish users seemingly ask a Google DNS server for YouTube’s address, they get the IP address of a Turkish government site (195.175.254.2), explaining the ban:

[Image: nslookup]

Here is the tail end of a traceroute to 8.8.8.8 from Turkey before the route hijack of Google.

3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 7.312
4  212.156.108.82  TTnetTurkTelekom  Etimesgut  Turkey 2.45
5  72.14.217.118  Google  Frankfurt am Main  Germany 101.998
6  209.85.240.160  Google  Frankfurt am Main  Germany 65.962
7  209.85.241.212  Google  Frankfurt am Main  Germany 62.7
8  209.85.254.114  Google  Frankfurt am Main  Germany 62.645
9  * 0
10  8.8.8.8  Google DNS 71.359

And here is that same traceroute moments after the hijack.

3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 3.566
4  * 0
5  81.212.29.238  TurkTelekom  Çukurca  Turkey 1.887
6  8.8.8.8  Google DNS 0.831

Notice that, after the hijack, the fake Google answered in under 1ms, but before these shenanigans, the presumably real Google took over 70ms. Now Turkish Internet users, like those in China operating behind the Great Firewall, cannot be sure who is providing answers to their DNS queries. Is it the intended provider or some masquerading intermediary? The only clues are provided by the speed of light in fiber and knowledge of Internet business practices.

Google doesn’t even have caching servers in Turkey to provide better local service, despite having them in 135 other countries. So they probably aren’t hosting their DNS servers in Turkey either. Thus, a legitimate Google owned and operated IP address could never respond to a Turkish user in under 1ms. While there are many global DNS providers who are not currently subject to this treatment, the easily remembered IP addresses for Google and Level 3 servers should now be considered suspect from within Turkey.
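The latency reasoning above can be turned into a check. The following is an added example, not code from the original post: it parses the two traceroute tails quoted in the article and flags a final hop whose round-trip time is below the physical floor for fiber. The 200 km/ms figure for light in fiber and the 1,500 km conservative distance from Ankara to the Frankfurt hops are assumptions.

```python
import re

FIBER_KM_PER_MS = 200.0   # assumption: light in fiber covers roughly 200 km per ms
NEAREST_SITE_KM = 1500.0  # assumption: conservative Ankara-to-Frankfurt distance

# Traceroute tails as quoted in the article: hop, IP, operator, city, country, RTT (ms).
BEFORE = """\
3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 7.312
4  212.156.108.82  TTnetTurkTelekom  Etimesgut  Turkey 2.45
5  72.14.217.118  Google  Frankfurt am Main  Germany 101.998
6  209.85.240.160  Google  Frankfurt am Main  Germany 65.962
7  209.85.241.212  Google  Frankfurt am Main  Germany 62.7
8  209.85.254.114  Google  Frankfurt am Main  Germany 62.645
9  * 0
10  8.8.8.8  Google DNS 71.359
"""
AFTER = """\
3  195.175.172.72  TTnetTurkTelekom  Ankara  Turkey 3.566
4  * 0
5  81.212.29.238  TurkTelekom  Çukurca  Turkey 1.887
6  8.8.8.8  Google DNS 0.831
"""

def parse(trace):
    """Return answered hops as dicts; unanswered hops ('9  * 0') are skipped."""
    hops = []
    for line in trace.strip().splitlines():
        hop, ip, rest = line.split(None, 2)
        if ip == "*":
            continue
        desc, rtt = rest.rsplit(None, 1)
        fields = re.split(r"\s{2,}", desc)  # operator, city, country (or one label)
        country = fields[2] if len(fields) == 3 else None
        hops.append({"hop": int(hop), "ip": ip, "country": country, "rtt": float(rtt)})
    return hops

def min_rtt_ms(distance_km):
    return 2 * distance_km / FIBER_KM_PER_MS  # out and back over the same fiber

def assess(trace, nearest_site_km=NEAREST_SITE_KM):
    hops = parse(trace)
    countries = list(dict.fromkeys(h["country"] for h in hops[:-1] if h["country"]))
    return {"target": hops[-1]["ip"], "rtt": hops[-1]["rtt"], "path_countries": countries,
            "suspect": hops[-1]["rtt"] < min_rtt_ms(nearest_site_km)}

if __name__ == "__main__":
    for name, trace in (("before", BEFORE), ("after", AFTER)):
        print(name, assess(trace))
```

A path that never leaves the country combined with a sub-floor RTT is the signal the article describes; either clue alone is weaker, since anycast services do legitimately answer from nearby sites where the operator has deployed them.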

Conclusions

The Internet service providers in Turkey are in a difficult position. The government did not instruct them to block Google or Level 3 DNS servers, and in fact you can always check out the mandated blocks on the government’s own website. The government told them to block Twitter and then YouTube. The providers are seemingly trying to implement the ban in small incremental steps that still satisfy the letter of the law. Providers want the Internet to work — until someone intervenes legally. It’s in their business interest to bring content to their customers. So the fact that these blocks were initially so porous is no accident.

The real damage may come in the years ahead if businesses decide to invest less in Turkey because of the uncertainty around the free flow of information. While social media sites are not necessarily central to many business operations, if Twitter and YouTube can be blocked today, what about Gmail or Dropbox tomorrow? As Egypt probably learned in 2011, tampering with the Internet is not the best way to build an economy in an Internet-dependent world. To bring clarity to the cloud and help enterprises manage, monitor and troubleshoot their Internet delivery, we built our new Internet Intelligence offering, which we’ll be demoing next week at Interop in Las Vegas.

Observer

Turkey has been given the master IP keys and will have ICANN's decentralization to control the IPs for Europe, Middle East, and Africa. This should cause everyone to pause!! There is a small window of opportunity to be proactive in changing the location away from Turkey. (link below)


One needs to imagine what this implies!! Imagine Germany, Iran, France, Israel, Egypt or any other country trying to track down information IP related. The keys for this will be kept in Turkey under MIT control. Since the start of the Gezi protests, Turkey is getting better at using their (mostly European) software to analyze the internet, emails, Twitter, and all communications. Observe the journalists, judges, students, etc. since this time.


MIT (Turkish intelligence) received new powers in February. "Undercover agents hired by the state, those who assist with MİT’s duties and activities, or those who benefited from intelligence services, will not be held responsible for their duties, activities and assistance, regardless of whether they are public servants or not, according to further aspects of the latest bill" (link below)

The ICANN move needs to be RELOCATED, cancelled, or suspended.


I encourage people to also read the victory speech today by the PM of Turkey.


Today's PM Election speech: http://www.hurriyetdailynews.com/full-text-turkish-pm-erdogans-post-election-balcony-speech.aspx?pageID=238&nID=64341&NewsCatID=338

ICANN Turkey: http://www.hurriyetdailynews.com/internet-domain-name-watchdog-icann-to-launch-a-huge-regional-hub-in-turkey.aspx?pageID=238&nID=43083&NewsCatID=374


MIT: http://www.hurriyetdailynews.com/turkish-govt-to-expand-powers-of-national-intelligence-agency.aspx?pageID=238&nID=62735&NewsCatID=338

