Turkish Telecoms Intercept Name-Server Traffic Amid Blackout

A Turkish man tries to connect to YouTube in a cafe in Istanbul on March 27. European Pressphoto Agency

News Comes After Turkish Government Blocked YouTube and Twitter

The Wall Street Journal

Turkish telecom companies are intercepting traffic sent to public Internet address books run by Google Inc. and other U.S. firms, closing a major loophole Turkish people have used to circumvent a government blackout on social media, the U.S. companies said.

In recent days, Turkish telecoms across the country have started intercepting and redirecting user requests sent to public address books—known as domain-name system servers—run by Google, Level 3 Communications Inc. and OpenDNS, the three companies said Monday.

Many of the requests are being sent to partially state-owned Turk Telekomunikasyon AS, which is using its own machines to masquerade as the U.S. firms’ name servers, allowing the former monopoly to redirect or block Web users’ access to sites across the Internet without users’ knowledge, Internet monitoring firm Renesys said.

Spokesmen for Turkey’s communications ministry and for Turk Telekomunikasyon’s Internet-service provider didn’t respond to requests for comment.

The move to intercept requests sent to name servers marks an apparent escalation of the government’s efforts to block access to social media, by expanding the blackout into the broader plumbing of the Internet. A name server is like an Internet phone book translating Web domain names into numeric addresses of the type used across the Internet.

The news comes after the Turkish government blocked YouTube and Twitter in recent weeks over what it said were false reports aimed at toppling the government—a move that opposition members described as brazen attempts to muzzle dissent.

“Hijacking occurs, but is usually done by cybercriminals to make you go to a fake website,” said Zeynep Tufekci, an assistant professor at the School of Information at the University of North Carolina. “This was quite an extreme thing to do.”

The move shuts down one of the most popular ways Turkish Internet users have had to bypass the blackout. Initially, the government blackout was implemented by telling Turkish Internet-service providers to use their own name servers to redirect any requests for the address Twitter.com to another address explaining the site was blocked, Internet traffic experts said last week.

That led many people in Turkey to turn to the servers run by Google, Level 3, OpenDNS and others, which still sent users to the correct addresses. Such a change can be made with a few tweaks to a computer’s network settings. Another method of sidestepping the ban, using so-called “virtual private networks” or VPNs, is unaffected by the name-server interception, experts said.

The interception leaves the companies targeted with little way to respond, Internet experts said, because user requests to use their servers never arrive at their destination. “Unfortunately we can’t control the routing policy within someone else’s network,” said Dale Drew, chief security officer at Level 3.

“Imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service,” Google said in a blog post.

Some technical experts said the move to redirect name-server requests could be motivated by a desire to log users’ Internet activity. But others played down that idea Monday, saying that Internet-service providers already have means to log such information without spoofing name servers.

“They can already do whatever they want,” said Doug Madory, a senior analyst for Renesys. “They already have all the traffic.”

It is common for many countries to redirect traffic from some Internet addresses, for reasons ranging from copyright violations to child pornography, traffic experts said. But it is rare for the service providers to masquerade as a name server as part of an Internet-blocking scheme, the experts and companies involved said.

“This hijacking of our traffic represents an escalation of censorship and data manipulation by the Turkish government that we have not ever seen previously anywhere outside of China,” OpenDNS Chief Executive David Ulevitch said in a statement.

—Alistair Barr and Yeliz Candemir contributed to this article.