Turkey Hijacking IP addresses for popular Global DNS providers

Posted by Andree Toonk - March 29, 2014 - Hijack, News and Updates - 26 Comments
At BGPmon we see numerous BGP hijacks every single day, some are interesting because of the size and scale of the hijack or as we’ve seen today because of the targeted hijacked prefixes.  It all started last weekend when the Turkish president ordered the censorship of twitter.com. This started with a block of twitter by returning false twitter IP addresses by Turk Telekom DNS servers.  Soon users in Turkey discovered that changing DNS providers to Google DNS or OpenDNS was a good method of bypassing the censorship. But as of around 9am UTC today (Saturday March 29) this changed when Turk Telekom started to hijack the IP address for popular free and open DNS providers such as Google’s 8.8.8.8, OpenDNS’ 208.67.222.222 and Level3’s 4.2.2.2. BGP hijack Using the Turk Telekom looking glass we can see that AS9121 (Turk Telekom) has specific /32 routes for these IP addresses. Since this is the most specific route possible for an IPv4 address, this route will always be selected and the result is that traffic for this IP address is sent to this new bogus route.
Turk Telekom route server displaying the hijacked route

Turk Telekom route server displaying the hijacked route

Intercepting traffic Turk Telekom went one step further, instead of null routing this IP address they brought up servers with the IP addresses of the hijacked DNS servers and are now pretending to be these DNS servers.  These new fake servers are receiving traffic for 8.8.8.8 and other popular DNS providers and are answering DNS queries for the incoming DNS requests.  One of the possible reasons for impersonating these DNS providers instead of just null routing traffic to these DNS providers is that they did not want to break Internet connectivity for the significant number of Turkish users that are using these popular DNS servers. Youtube It’s likely that Turk Telekom decided to hijack these DNS servers in an effort to block access to youtube which has been ordered to be blocked as of earlier this week. Since they now receive all queries sent to free and open DNS servers they can implement the censorship on the DNS levels and now with the hijack even on DNS servers they normally do not control. The example below shows an example DNS lookup for youtube.com at 8.8.8.8 from a machine in Turk Telekom.
DNS lookup at 8.8.8.8 using RIPE Atals

DNS lookup at 8.8.8.8 using RIPE Atlas

The output above shows that IP address returned by the ‘fake’ Google DNS server on 8.8.8.8 is 195.175.254.2. This IP is a machine on Turk Telekom and not a real Youtube server. Interestingly the returned IP is the same IP address where we've seen Twitter.com traffic for users in Turkey redirected to since last week. Censorship The current situation is concerning and we don’t see this type of hijacking for DNS network very much, the only note worthy exception is China where we’ve observed this several times before.  Not only is Turk Telekom hijacking the IP addresses of popular DNS servers, intercepting traffic, censoring websites at will, it also has easy access to all queries being sent to these servers which allows for easy logging and recording without users noticing.

26 comments

Leave a Reply

Your email address will not be published. Required fields are marked *