
Your Adsl Connection Has Been Hijacked


Prasert


This forum is full of complaints about TOT adsl. It's slow, disconnects all the time or is unavailable and so on. Complaining is the easiest thing to do, e.g. posting your aggravations on ThaiVisa or calling 1100 to vent some anger can sometimes be a real relief, but the problems still won't get solved.

But I looked further into the current situation and want to show you my findings, and provide some insight into TOT's technical shortcomings. It might help in choosing an ISP for those looking for a new adsl line and maybe some TOT engineer will read this and accept that some farang know better (ouch, that's painful for some Thai).

Everybody who has a landline with ADSL has a router connected to it. The router will make a connection with the DSLAM using the circuit number 1/32 (which is used by TOT). In most cases, this causes few problems since it's just a physical connection between your router and the central box (DSLAM).

Once this connection is established, the router will try to make a PPP connection. It does this by sending a request over the line, and a router should answer. And that's where the majority of all TOT problems start. Many of these routers are extremely slow in responding to these requests. This can have several causes, but in most cases it's due to a CPU load of nearly 100%.

Does TOT know this? It's likely that engineers don't even monitor CPU loads on their equipment so the answer is probably no.

So while the TOT router is way too slow in acknowledging requests, the routers on the customer-side of the line keep sending them out. Since these requests are bridged in TOT's DSLAMs, they finally appear on other lines as well.

So I changed the configuration on my router, telling it to respond and voila, the connection is established between some customer's line and my router. By completing the PPP connection I am now providing this customer with an IP address and thus a working connection.

At this point I can choose to do whatever I want to do with this traffic. I can forward it to the internet while monitoring it and/or changing it. And the TOT-customer remains totally unaware of all this.

I will not provide the technical details on how to achieve this, but here's a screendump of 4 hijacked TOT connections (telephone numbers are struck through):

Monitoring their traffic can be done by sending it through a transparent proxy (IP addresses removed in this screendump):

The above shows monitor-and-forward but it's also possible to block or modify the traffic.

So how safe is TOT's network? I admit that it requires knowledge to achieve the above, but apart from hijacking adsl connections, the Thai Computer Act requires service providers to do exactly this: monitor and log all the traffic sent over their network. Manipulating it is a criminal offense according to the same law, however the boundaries between what one must do and what one is forbidden to do are totally unclear.

Incredibly enough, the Thai government worked several months on this Act, telling service providers what to do, but at the same time completely failed to tell them how. So it's not surprising that the former state-regulated TOT has no clue at all how to build a reliable and secure infrastructure, providing stable services to their customers.

The shortcomings of the technology used by TOT are what aggravates many customers, but the root cause of this is the management structure of TOT. Their motto is "Just Pay" after all!

I can imagine that it would be tempting for some people to abuse the information that can be retrieved once you are in control of an information flow. I choose to make others aware of it (but then again, I'm not the CIA, I'm not even American).

The Thai ICT minister already admitted that Cambodia and Vietnam are way ahead of Thailand in IT knowledge. But instead of pressing on with blocking websites that end-users are trying to visit, they should focus on their legacy called TOT, which is the biggest example of why Thailand is years behind neighbouring countries in internet technology.


Guest Reimar

Thanks a lot for that info Prasert!

Unfortunately it's not allowed to post the details about HOW! But on the other hand, if that were allowed, someone or several people would do everything to get the most out of it for themselves, but also to "screw" the line provider! In reality we shouldn't forget that the whole infrastructure is lacking, as the humans who operate those systems are lacking in knowledge in some parts.

So it would be fine to keep the posts/answers strictly on topic, under the view that this is a technical thread and NOT one to be used to abuse anything or anyone.

Thanks for the understanding.


Scary - does that apply to the possible hijacking or the management of TOT?

A few months ago a couple of guys demonstrated how to hijack traffic by manipulating BGP tables on core routers. This was done on a very high level in the internet backbones. What I did was on the end-user side, at the end of an ordinary adsl line.

The most scary thing over the last few months was the blocking of port 25 on international servers.

The scary thing here (hardly ever discussed) is that it's actually very easy to make a copy of every mail sent through the only available smtp server. Install linux on a PC, configure sendmail to dump a copy of every email sent through it and voila, you can read everyone's email.

But what also can be done, is just making a copy without blocking email traffic. In the same way a transparent proxy works for webtraffic, one could set this up the same way for email traffic.

The only prevention you can take yourself: encryption, like SSL.


Did you actually just happen to hijack somebody reading thaivisa forums, or is that your traffic?

No, this was traffic coming from one of the TOT lines. I redirected all that traffic to a transparent proxy, which is Squid running on a Linux machine.


Satellite doesn't work with ppp connections. Whatever the problem is on IPstar, it's there to stay...

ADSL infrastructures can be copied by Thai engineers from the Western world, as the information is widely available on the net. Satellite however is not widely used by the public (mainly used by oil companies to connect rigs and tankers), which makes troubleshooting and finding solutions a very difficult job for the guys at TOT and CSloxinfo.


I thank God every minute of the day that I do not have TOT anymore but TT&T with Maxnet. Even if I canceled TOT and paid 1070 Baht for it I was told that I did not cancel and still got charged - I had a receipt with date and time... I was told that I am a problem guy and should leave... I am so shocked and unsure if as farang they can do with you what they want. But it looks like this. Hope that they do not cancel my visa... Even if I am just a guest - I was never a bad one. But this lady at TOT made a mistake and I am guilty now.

Honestly, the biggest nightmare in more than 10 years in Thailand - TOT with all the other problems there. Hope that this is the end for a while. Maxnet is like heaven and 3 Mbps for 590.


Very scary. Is there any way to test or detect if your ADSL has been hijacked like this?

That depends on how much effort was put into it. In this case my goal was not to gather information from those lines, I just looked deeper into the infrastructure of TOT and their shortcomings.

But yes, it's a scary thought that someone might see or manipulate your traffic without you knowing it.

The Thai government monitors your traffic and manipulates it when you try to visit a blocked website.....
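As an added, defender-side example that is not part of this thread: on a healthy adsl line exactly one known access concentrator should answer the router's PPPoE discovery request (PADI) with a PADO. The code below parses captured PPPoE discovery frames and flags a PADO from an unknown responder, or more than one responder, which is the symptom of the bridged-DSLAM situation described above. The MAC addresses, AC-Names and frames are constructed placeholders, not values from TOT's network.

```python
import struct
from typing import Optional

# PPPoE discovery constants (RFC 2516); tag names are only used for readable output.
ETH_P_PPPOE_DISC = 0x8863
PADO = 0x07
TAG_NAMES = {0x0101: "Service-Name", 0x0102: "AC-Name",
             0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

def parse_pado(frame: bytes) -> Optional[dict]:
    """Return the source MAC and tags of a PADO frame, or None for anything else."""
    if len(frame) < 20:
        return None
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISC:
        return None
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != PADO or session != 0:
        return None
    payload, tags, pos = frame[20:20 + length], {}, 0
    while pos + 4 <= len(payload):            # walk the TLV tag list
        ttype, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        tags[TAG_NAMES.get(ttype, hex(ttype))] = payload[pos + 4:pos + 4 + tlen]
        pos += 4 + tlen
    return {"src": src.hex(":"), "tags": tags}

def audit_pado_frames(frames, trusted_acs):
    """trusted_acs maps AC MAC -> expected AC-Name. Returns a list of findings."""
    findings, responders = [], set()
    for frame in frames:
        pado = parse_pado(frame)
        if pado is None:                      # PADI/PADR/PADS and non-PPPoE frames are ignored
            continue
        ac_name = pado["tags"].get("AC-Name", b"").decode(errors="replace")
        responders.add(pado["src"])
        if trusted_acs.get(pado["src"]) != ac_name:
            findings.append(f"untrusted PADO from {pado['src']} AC-Name={ac_name!r}")
    if len(responders) > 1:
        findings.append(f"{len(responders)} distinct access concentrators answered one PADI")
    return findings

# Constructed sample frames: the customer's own PADI, a PADO from the expected
# concentrator "TOT01", and a PADO from another responder calling itself "home-rtr".
PADI_FRAME = bytes.fromhex("ffffffffffff020000000001886311090000000401010000")
TRUSTED_PADO = bytes.fromhex("02000000000102aabb0000018863110700000000d"
                             "0101000001020005544f543031".replace("0000d", "000d"))
ROGUE_PADO = bytes.fromhex("02000000000102deadbeef018863110700000012"
                           "01020008686f6d652d72747201030002abcd")
TRUSTED_ACS = {"02:aa:bb:00:00:01": "TOT01"}
```

Running `audit_pado_frames([TRUSTED_PADO, ROGUE_PADO], TRUSTED_ACS)` yields two findings, while the trusted PADO alone yields none.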


Let's see what's been covered:

manipulating traffic ( more like manipulating packets )

Use SSL; you do know it's already been broken too. Some researchers found out how to spoof the SSL and fool you into thinking you're running on encryption. It just requires high knowledge: if the site's CA certificate is there along with an MD5, it can be spoofed, unless they moved to a SHA-1 algorithm.

Manipulating packets (redirection of information): most likely you would use TOT DNS servers; a check with doxpara will check whether the DNS server is good to use or not. I suppose you could, by using a vulnerable weak ISP DNS server along with packet manipulation, redirect people to a bad website, although if you have disabled javascript that would kill some of the process, along with using a limited computer user account and closed ports.

All I know is things are getting easier and easier to get done these days.

Between packet manipulation,

virus

trojans

rootkits

port scanning

anything to get a computer user fooled is easy nowadays.

1. Windows has the most market share, and most users already run the administrator account.

2. Windows is highly pirated, and unless you're installing security updates on Windows, you're basically leaving the door or window wide open.

3. Windows requires an anti-virus, anti-spyware, etc. Windows has a giant target on it, so go where the money is.

4. Most users wouldn't even know if their computer was already taken over, because no signs are shown if the bad person is really good at it. You'd never know.

5. Most users have a limited idea of how things really are when using the internet.

Anyway, hijacking an adsl account takes skill, but with everything online, from brute-force cracking, spoofing SSL, breaking algorithms, messing around with BGP, to launching a DDOS, it can all be done. It just takes knowledge.


livinthailandos:

I'm afraid you're missing my point here. The thread is not about howto-hijack-a-line, with all the wrong-doing that one could do after that.

The point I'm trying to make is that the entire infrastructure of TOT and their management are such an enormous mess at this moment. Not just this moment actually, but the last couple of years.

I just picked one of those shortcomings and showed how it could be abused. Point is that an ISP should provide a service that's solid and does not allow tampering by any customer.

TOT's infrastructure consists of equipment that is unable to handle the traffic load. Fact.

The worst thing about this fact is that the TOT management is probably unaware of this. And if they are, TOT is obviously unable to cope with it.

And that's something to consider for everyone who wants to get adsl and thinks that TOT is an option.


If its possible to abuse ADSL like this then it is almost certainly happening. I wonder if it's just TOT that has a problem though.

Yes, that's my concern as a non-techie. I'm actually quite happy with my TOT 2mb ADSL, or I was until I read this thread - but how do I know that any other ISP does not have the same issues? I read complaints on Thaivisa about many ISPs, not just TOT, so might they also have similar problems/vulnerabilities?

Prasert has clearly done some important work here, and I am pleased this has been recognised by those who understand these things better than I.

Can anyone give us more information on ISP management? Prasert says:

"The shortcomings of the technology used by TOT are what aggravates many customers, but the root cause of this is the management structure of TOT."

What is the management structure of TOT? How is it responsible for the mess? How do other ISP management structures differ - and if they differ should that give us confidence that their systems cannot be manipulated in the way you say TOT's system may be manipulated? Which ISPs in particular should we use or avoid?
