Google reports new shenanigans in ongoing Turkish internet blockade

Filed Under: Denial of Service, Featured, Google

Turkey goes to the polls today amongst an ongoing brouhaha over internet access.

A week ago, the government blocked access to Twitter.

Apparently, the microblogging site had failed to comply with local court orders for content takedown.

The block certainly seemed to backfire, with numerous stories reporting that Twitter usage in Turkey more than doubled after the ban.

Just how accurate were the "surge in Twitter" stories about Turkey?

As an interesting aside, the surge in twittering in Turkey probably wasn't anywhere near as big as the claims you have seen.

Many stories mention the figure 138%, claiming something along the lines of "an increase in volume of over 138 percent in tweets posted from Turkey before the ban and just after."

That claim, however, and all of those reports, seem to come from a single source, these figures from social media company Brandwatch:

Brandwatch didn't provide the raw data used to draw its graph, but by reading off the numbers as accurately as I could, I came up with this:

I couldn't find an increase of 138% in any of the comparable before-and-after readings in that chart.

The overall increase, however, was 39%, suggesting that Brandwatch has confused an increase by a factor of 138% (i.e. new = 1.38 x old) with an increase of 138% (i.e. new = old + 1.38 x old).

At any rate, Brandwatch's numbers don't show an increase of 138% (well over double), but rather an increase of 38%, or perhaps 39% (just over a third more).

But, doubling in tweets or not, Twitter lovers in Turkey did take to the streets, literally and figuratively.

Graffiti in Istanbul openly promoted the use of Google's free DNS servers, located at the IPv4 addresses 8.8.8.8 and 8.8.4.4:

That's because the easiest way for a country to get its ISPs to block access to a site like twitter.com is to tell them to stop resolving the name of the site in their DNS servers.

Most home users rely on their ISP for access to DNS, the Domain Name System that turns human-style internet names to computer-style numbers.

For example, when you ask your ISP how to find twitter.com, this is what happens.

Your ISP asks the so-called root servers (there are only 13, so a DNS server can easily keep a local list) where to go for authoritative answers for .com; then it asks one of those .com servers to tell it where twitter.com lives; then your ISP tells you the answer.

But the ISP can cheat: when you ask for twitter.com, it can simply pretend it doesn't exist by sending the answer NXDOMAIN, short for "non-existent domain."

That's where bypassing your usual DNS server and using one of Google's free Public DNS servers comes in: Google prides itself on providing unmodified, unfiltered DNS results,

The next step, of course, was for Turkish ISPs to start blocking traffic to Google's servers, giving users one less public source by which to find out where twitter.com lives.

Then, late last week, Turkey started blocking YouTube as well, apparently in an effort to restrict access to a leaked audio recording about possible military intervention in Syria.

And the next move in the block-circumvent-block-circumvent race, claims Google, was yet another layer of active intervention by Turkish ISPs:

We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers)...

...But imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service.

Just blocking traffic to 8.8.8.8 and 8.8.4.4 is rather a giveway to anyone who sets their computer to use Google's DNS servers, because DNS simply stops working.

That means that very little will function properly: no websites will be accessible, software updates will probably fail, email and chat won't work, and although you'd technically be "on" the internet, you'd immediately realise you were also as good as cut off from it.

Redirecting DNS traffic to imposter servers is much sneakier.

As far as you can tell, your traffic to 8.8.8.8 is getting there; DNS replies are coming back; and (as suggested by Google above) almost everything seems to be normal.

This is exactly the approach taken by the infamous DNSChanger malware that dominated security news two years ago.

The malware changed your DNS settings and then mostly told the truth, but occasionally stepped in to misdirect your web traffic to fraudulent sites.

→ This video was geared at a particular DNSChanger-related cutoff time, now well past, so its advice is somewhat dated. But it is still an excellent reminder of why DNS is especially important, and how you can be uninfected yet still affected even after you remove malware from your computer.

What to do?

Dealing with DNS subterfuge is surprisingly hard.

Imagine a DNS server that told the truth 999 times out of 1000, but misdirected you to a carefully constructed imposter site once in every 1000 requests.

Would you back yourself to notice?

That's one of the reasons the DNSChanger crooks made millions of dollars out of DNS trickery, though happily for the rest of us, at least some of them were caught.

There are a few things you can to help you avoid trickery:

• Use HTTPS (secure HTTP) connections whenever you can, and double-check the certifcates that come back.

This makes forgery harder.

• If your browser supports certificate pinning, you might want to learn more about it.

A rotten ISP might be able to arrange to have fake certificates issued in other websites' names.

"Pinning" lets websites provide additional information about their certificates, such as who's allowed to sign them, which makes forgery harder yet again.

• Consider learning how to use Tor, an open source anonymising system.

A large number of volunteers around the world allow their computers and bandwidth to be used to bounce around other users' traffic randomly so it emerges onto the internet in some unpredictable spot.

But before you start using Tor, remember that it isn't a panacea.

Firstly, you might be breaking the law in your jurisdiction.

Secondly, what you do with Tor is largely anonymous and therefore confidential (though not entirely so), but the fact that you are using Tor is hard to disguise.

In other words, by taking steps to keep a low profile online, and to avoid surveillance, censorship, or geographical web blocking...

...you may ironically end up drawing attention to yourself.

Image of Turkey flag courtesy of Shutterstock.

, , , , ,

You might like

9 Responses to Google reports new shenanigans in ongoing Turkish internet blockade

  1. we, Turkish citizens, are become professionals about VPN and DNS with the "help" of government or maybe just "Erdogan"

  2. Now you have helpfully show our students how to bypass our Sophos Web Appliance and proxies, who do we need to speak to about a refund?

    • Paul Ducklin · 207 days ago

      I did think three times before talking about Tor. But then I asked myself, "Who am I kidding that I would be giving away the keys to the internet by mentioning it?"

      Just try your favourite search engine with the keywords "anonymous internet."

      Google gives you the Tor Project as the first result. Bing gives you a link to Anonymous (the sort-of hacking sort-of group) at the top, next to a handy list of searches it recommends you try next, namely: Anonymous Internet VPN, Anonymous Internet Search, Anonymous Internet Surfing, Anonymous Internet Browsing, Anonymous Internet Connection, Anonymous Group, How to Be Completely Anonymous Online, and How to Stay Anonymous On the Internet.

      The Tor genie is out of the bottle; the horse has flown the coop; Pandora has opened Windows.

      I think it's important for people to know what Tor is - and more imortant again for them to know what it is not - in the hope that they might grow up to use it wisely if they use it at all.

      I just don't think we can give credible security advice without mentioning tools that can be used for bad as well as good. That would be a bit like trying to teach medical students about analgesia without discussing the opiates.

      After all, a web proxy can be used for inappropriate surveillance; filtering email, as you do to block spam, can be used to acquire data for social engineering; encryption can be used to hide criminal conspiracy or to sneak out company secrets; even scanning for missing patches could be part of a plan to break and enter a network. Yet we mention and recommend all these technologies regularly.

      For what it's worth, the functionality of Tor as an anonymising proxy or VPN has already been listed on sophos.com for ages, together with a link to the Tor Project website, in the section on "Application Control." (Neither there nor on Naked Security, where Tor has been mentioned and explained many times before, do we actually show anyone how to use it.)

      The fact that Tor is listed under "Application Control" means, of course, that you can block the use of the Tor client altogether (meaning no need to try to block the traffic it produces, and meaning that you make your stance on using it perfectly clear) with Sophos's products.

      • Yes, I know and my comment was tongue-in-cheek. As I work in IT in education, I am well aware of our student's capabilities. However, you can't have your cake and eat it. You can't make filtering appliances who's sole purpose is to enable private individuals, organisations and governments to censor what other people may want to see - and then preach free and open internet and explain how to get around filtering! Next you'll be creating viruses just to show how how to make one to get around your AV software. Maybe I exaggerate, but you get my point. You need to be on one side of the fence or the other and not have a leg on either side! :)

        • Paul Ducklin · 206 days ago

          Yes, you're exaggerating. I write extensively about how malware works, for example, to the point of writing articles like Anatomy of an Exploit, where I decompiled the ROP shellcode in an IE attack so people could understand how it works. I write articles like the various Anatomy of a Phish pieces, which - if you were uncharitable - you might say could be used as a source of ideas for people who decided to get into phishing. But none of those articles actually explain how to create the malicious pieces they are built of, any more than this article explains how to use Tor.

          You're also being disingenuous when you describe Sophos's filtering appliance as having the "sole purpose...of censoring what other people may want to see", when you say that my article is about "preaching free and open internet", and that its intent was to "explain how to get around filtering."

          In fact, the reason for mentioning Tor was not "to preach free and open internet" (I'll leave my thoughts on that a mystery), but - if you read the article properly - as part of explaining how you can verify and validate the answers you are getting from DNS. The deal in this case was not censorship in particular, but the DNS interception and modification in general. As I think the article makes clear, this is a profitable trick for cybercrooks; it can be caused by malware yet persist after the malware is removed; and it can be *very* hard to spot. So it is well worth understanding, and knowing how to mitigate.

          (FWIW, you tweeted "Blocking the net should be a crime against humanity. Sanctions now!", linking to a BBC story that mentions Tor as a way around the ban, shortly after tweeting "@Sophos show's how to bypass #Sophos' own web appliances," linking here. So I'm still not sure if you're just winding me up about needing to be on one side of the fence or another...)

          [This thread is now closed]

          • I am against public censorship of the net and have campaigned against censorship for a long time. However, I have a duty of care to protect 14-17 year olds (and vulnerable adults) from accessing porn and similarly offensive material and therefore I undertake censorship of a private network - using your products. That sits ok with me because firstly our students don't have to come here, they can leave and do what they like on their own internet connection and secondly, safeguarding always trumps "rights".

            99% of our 9000 students will not have heard of TOR, but the more it is mentioned, the more will use it and as yet, I have not found a way to block students own devices from running TOR on our network. I applaud your motives, I just think that you haven't considered your audience or the consequences of your link. Maybe none of them will read it anyway ;)

        • Chopper · 206 days ago

          I wish people would stop using the "cake and eat it" card. You can have your cake and eat it, it is your cake you can do what you want with it. What you can't do is "eat your cake and have it"
          Think about it!!

          • Paul Ducklin · 203 days ago

            I think you'll find that in that phrase, "have" is used in the sort of sense of "to have and to hold" in the old-school marriage service. It means "to maintain safe and sound", not merely "to possess." In other words, you can have your cake and then eat it, but once you eat it...

  3. All you are going to do Turkey is have people who learn the skills to defeat your stranglehold. They will find a way to break out and get the information they want. They will become a stronger and more internet savvy populace.

    You cant stop the signal.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog