In RIPE Atlas we see latencies to Google's 126.96.36.199 DNS resolver service drop in Turkey. We expect this is due to hijacking of the 188.8.131.52 service. Our measurements show a timeline of these events. Note that even when the Twitter ban had been lifted, RIPE Atlas still saw fake 184.108.40.206 DNS service active in Turkey. In the evening of 7 April the situation returned to normal.
We see decreased latencies for the majority of RIPE Atlas probes in Turkey, starting around midnight of 29 March 2014 (UTC). This could be caused by a routing hijack of 220.127.116.11, as reported by Stéphane Bortzmeyer and BGPMon . BGPMon reports the hijack starting at around 9 UTC, the event we see in our data started 9 hours earlier, around midnight. From what we see today, this event seems to be ongoing.
The figure below shows the latency drops. The latencies drop to less then 10 ms for a couple of probes. Given first mile latency and speed of light constraints this means that whatever picks up the phone and responds to 18.104.22.168 is within Turkey. So either Google has started serving 22.214.171.124 from Turkey, or, more likely, the data from RIPE Atlas points towards the existence of a fake 126.96.36.199 service within Turkey.
Figure 1: Latencies to 188.8.131.52 from RIPE Atlas probes in Turkey. Each colored line represents a single RIPE Atlas probe.
It is interesting to note that the latencies don't go down for all the vantage points we have in Turkey. Let's assume for the moment that the latency drops we see are caused by an attempt to censor Google DNS service. The fact that not all vantage points see lower latencies could indicate that not all networks in Turkey are affected by this attempt to censorship. We also see a drop in latencies in the evening of 21 March 2014, which correlates with earlier reports of Google DNS service censoring. The latencies for this event return to normal in the morning of 22 March, and seem to be limited to fewer RIPE Atlas probes.
In order to protect the network operators of networks that don't seem to implement this censorship from repercussions, we will not name the specific networks where we don't see meddling with Google's DNS service.
We didn't see evidence of an 184.108.40.206/32 host-route or 220.127.116.11/24 being diverted via Turkish networks in our Routing Information Service (RIS) data.
If the reports that only a handful of open DNS services are blocked are true, tech-savy Internet users in Turkey could start running a DNS resolver on their own computer and be able to use a regular and (for now) uncensored Internet without having to resort to using VPNs or Tor.
UPDATE (2014-04-04 7am UTC):
RIPE Atlas still sees the low latency 18.104.22.168-DNS-service active for a majority of vantage points in Turkey, as can be seen in the figure below. As of 3 April 15:14:09 (UTC) we see this fake-22.214.171.124 service stopped redirecting Twitter-users towards an IP address in the Turk Telekom network (126.96.36.199) and we now see real Twitter IP addresses again for all our vantage points in Turkey that do lookups for the hostname twitter.com .
This means that, despite lifting the ban on Twitter in Turkey yesterday, the fake 188.8.131.52 DNS service remains in place as a potential censorship instrument. It still can be used to intercept and potentially redirect traffic of Internet users in Turkey who use this Google DNS service.
Figure 2: Latencies to 184.108.40.206 from RIPE Atlas probes in Turkey. Each colored line represents a single RIPE Atlas probe.
UPDATE (2014-04-08 1:40pm UTC):
Latencies to 220.127.116.11 have gone up to normal levels again in the evening of 7 April, as can be seen in Figure 3.
Figure 3: Latencies to 18.104.22.168 from RIPE Atlas probes in Turkey. Each colored line represents a single RIPE Atlas probe.
Looking at traceroute data we see what looks like a normal path to the Google 22.214.171.124 public DNS service again, for instance see the tail end of this traceroute:
4 126.96.36.199 9121 ulus-t2-1-ulus-t3-4.turktelekom.com.tr.203.212.81.in-addr.arpa [7.387, 8.945, 24.101]
5 188.8.131.52 9121 incesu-t2-2-ulus-t2-1.turktelekom.com.tr.197.212.81.in-addr.arpa [8.07, 7.761, 7.876]
6 184.108.40.206 15169 [84.286, 84.061, 82.204]
7 220.127.116.11 15169 [86.991, 86.506, 87.646]
8 18.104.22.168 15169 [89.665, 101.774, 85.122]
9 22.214.171.124 15169 [87.54, 90.07, 87.654]
10 * * *
11 126.96.36.199 15169 google-public-dns-a.google.com [86.865, 90.175, 87.613]
Specifically, the trace shows multiple hops in AS15169 and latencies are at pre-event levels. It looks like all RIPE Atlas probes in Turkey once again see the real 188.8.131.52 service again.