Turkish Government is hijacking the IP addresses of popular DNS providers

Pierluigi Paganini March 31, 2014

The Turkish Government ordered Turk Telekom to hijack the IP addresses of popular free and open DNS providers such as Google’s 8.8.8.8.

This is a sad moment for friends in Turkey: the Government is under the illusion that censoring the media will suppress the thought of those who disagree.

A few days ago Twitter was blocked in Turkey. Social media is dangerous, and the Arab Spring is the demonstration: these platforms can be used to spread messages instantaneously to a large audience. The Turkish Government decided to ban Twitter after an audio clip about the corruption of Turkey’s Prime Minister Erdoğan spread through YouTube and Twitter. In the clip, Erdoğan was instructing his son to dispose of large amounts of cash during a law enforcement investigation.

In any dictatorship, the regime takes complete control of television and the press, but it is unlikely that it can easily influence the participation of the population in the major social media.

The decision to apply censorship via the DNS of the national ISP was very stupid, because the population started using Google’s DNS service, and in this way Twitter was easily accessible. The Turkish Government then decided to take a further step to definitively ban the “hostile” media: it ordered the Google DNS service to be blocked.

The latest Google Transparency Report also reported traffic interruptions caused by the Turkish Government, as shown in the following image.

Turkish Government Censorship

Yesterday Google claimed that the principal Turkish ISPs, including SuperOnline and TTNet, have set up servers that masquerade as Google’s DNS service in order to block services used by opponents, such as YouTube and Twitter.

“We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers),” states Google’s official statement.

Google DNS hijacked Turkish ISPs

On Saturday, representatives of the government accused YouTube of having spread a recording of a government official discussing possible military action in Syria.

BGPMON published an interesting analysis of what is happening in the country, where the Turkish Government is hijacking the IP addresses of popular global DNS providers.

The traffic is redirected via a bogus route, but instead of null routing the IP addresses of the banned social media, it is hijacked to servers controlled by the Turkish Government that pretend to be legitimate DNS servers.

“These new fake servers are receiving traffic for 8.8.8.8 and other popular DNS providers and are answering DNS queries for the incoming DNS requests. One of the possible reasons for impersonating these DNS providers instead of just null routing traffic to these DNS providers is that they did not want to break Internet connectivity for the significant number of Turkish users that are using these popular DNS servers,” stated BGPMON.

Turkish Government Censorship 2
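As an added illustration (not from the original article or from BGPMON), the sketch below shows how a routing monitor could flag the bogus route described above. It assumes the hijack is carried by a more-specific prefix, which the article does not state; the routing table is constructed, AS 64496 and AS 64500 are documentation-range placeholders, and AS 15169 (Google) is the assumed legitimate origin for 8.8.8.8.

```python
import ipaddress

# Constructed routing table: (prefix, origin AS, note).
# AS 64496 / AS 64500 are documentation-range ASNs used as placeholders.
# AS 15169 is assumed to be the legitimate origin for Google's resolver.
ROUTES = [
    ("0.0.0.0/0", 64500, "default route"),
    ("8.8.8.0/24", 15169, "legitimate announcement"),
    ("8.8.8.8/32", 64496, "bogus more-specific route"),
]

# Resolver IPs to watch and the origin AS each one should be reached through.
EXPECTED_ORIGIN = {"8.8.8.8": 15169}


def best_route(routes, ip):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(ip)
    covering = []
    for prefix, origin, note in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            covering.append((net, origin, note))
    if not covering:
        return None
    return max(covering, key=lambda route: route[0].prefixlen)


def check_resolver(routes, ip, expected=EXPECTED_ORIGIN):
    """Report which origin AS actually attracts traffic for a resolver IP."""
    route = best_route(routes, ip)
    if route is None:
        return {"ip": ip, "status": "no-route"}
    net, origin, _note = route
    if ip not in expected:
        status = "unknown"
    elif origin == expected[ip]:
        status = "ok"
    else:
        # Traffic still flows and DNS still answers, but from another network.
        status = "hijacked"
    return {"ip": ip, "prefix": str(net), "origin": origin, "status": status}


if __name__ == "__main__":
    print(check_resolver(ROUTES, "8.8.8.8"))      # with the bogus /32 present
    print(check_resolver(ROUTES[:2], "8.8.8.8"))  # legitimate routes only
```

Because the impersonating server keeps answering queries, a reachability check alone would report the resolver as healthy; the origin comparison is what exposes the redirection.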

The situation is concerning because with similar techniques the government could also serve surveillance malware and, in the worst scenario, it could be interested in tracking and persecuting individual citizens.

I close this post by inviting you to take a look at the graph of the number of Tor users who started to use the anonymizing network after the media repression operated by the Turkish Government: that number has more than doubled, evidencing the critical moment for the freedom of expression of the Turkish population.

The sad reality is that Turk Telekom is hijacking the IP addresses of popular DNS servers and intercepting traffic, and the consequences could be unpredictable for the Turkish population.

Pierluigi Paganini

(Security Affairs – Turkish Government, Censorship)


