Turkey Hijacking IP addresses for popular Global DNS providers
At BGPmon we see numerous BGP hijacks every single day, some are interesting because of the size and scale of the hijack or as we’ve seen today because of the targeted hijacked prefixes.
It all started last weekend when the Turkish president ordered the censorship of twitter.com. This started with a block of twitter by returning false twitter IP addresses by Turk Telekom DNS servers. Soon users in Turkey discovered that changing DNS providers to Google DNS or OpenDNS was a good method of bypassing the censorship.
But as of around 9am UTC today (Saturday March 29) this changed when Turk Telekom started to hijack the IP address for popular free and open DNS providers such as Google’s 18.104.22.168, OpenDNS’ 22.214.171.124 and Level3’s 126.96.36.199.
Using the Turk Telekom looking glass we can see that AS9121 (Turk Telekom) has specific /32 routes for these IP addresses. Since this is the most specific route possible for an IPv4 address, this route will always be selected and the result is that traffic for this IP address is sent to this new bogus route.
Turk Telekom went one step further, instead of null routing this IP address they brought up servers with the IP addresses of the hijacked DNS servers and are now pretending to be these DNS servers. These new fake servers are receiving traffic for 188.8.131.52 and other popular DNS providers and are answering DNS queries for the incoming DNS requests. One of the possible reasons for impersonating these DNS providers instead of just null routing traffic to these DNS providers is that they did not want to break Internet connectivity for the significant number of Turkish users that are using these popular DNS servers.
It’s likely that Turk Telekom decided to hijack these DNS servers in an effort to block access to youtube which has been ordered to be blocked as of earlier this week. Since they now receive all queries sent to free and open DNS servers they can implement the censorship on the DNS levels and now with the hijack even on DNS servers they normally do not control. The example below shows an example DNS lookup for youtube.com at 184.108.40.206 from a machine in Turk Telekom.
The output above shows that IP address returned by the ‘fake’ Google DNS server on 220.127.116.11 is 18.104.22.168. This IP is a machine on Turk Telekom and not a real Youtube server. Interestingly the returned IP is the same IP address where we’ve seen Twitter.com traffic for users in Turkey redirected to since last week.
The current situation is concerning and we don’t see this type of hijacking for DNS network very much, the only note worthy exception is China where we’ve observed this several times before. Not only is Turk Telekom hijacking the IP addresses of popular DNS servers, intercepting traffic, censoring websites at will, it also has easy access to all queries being sent to these servers which allows for easy logging and recording without users noticing.