Jump to content

Recommended Posts

Posted

Do not enter any confidential information into your browsers, use internet with caution.

 

Major problems have been reported today with 3BB network and some with ToT, maybe more ISP are affected.

 

Reported problems:

Google services do not work

Youtube does not work

A number of US sites do not work properly

 

Some preliminary network analysis shows that traffic is being routed to OTHER SERVERS than those requested by the users, including HTTPS traffic, which means these sites are NOT SAFE despite no alarms being raised in browsers, which means the SSL certificates have possibly been spoofed, which in turn means whoever manipulates the servers has access to all your confidential information.

 

Also, DNS requests are not being answered correctly, INCLUDING requests to ALTERNATIVE DNS SERVERS you may have set on your router, for example google's. DNS requests seem to be intercepted and answered with wrong data.

 

The above has me very worried, as it bears all signs of a huge man in the middle attack - I advise everyone to not enter any confidential information into the browser, ESPECIALLY passwords.

  • Replies 66
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Posted
3 minutes ago, Halfaboy said:

Which VPN would you recommend ?

No idea, I have my own private VPN which runs on a friends server in the US, it uses the OpenVPN software.

 

 

Posted
39 minutes ago, manarak said:

I advise everyone to not enter any confidential information into the browser, ESPECIALLY passwords.

then how do you access sites where a password is mandatory, e.g. bank? password by carrier pigeon?

Posted
12 minutes ago, Naam said:

then how do you access sites where a password is mandatory, e.g. bank? password by carrier pigeon?

use a VPN or wait until the problem is solved

Posted
Stop using Internet. Let's go back to 19th century. :)

Sent from my SM-G935F using Tapatalk



Horse back riders,marathon men and carrier pigeons ?
Posted

I have just started to get problems, I think mostly google but other websites seem affected. I am with AIS fibre. Problems started approx 8pm. Before that all was normal.

Posted (edited)

I have 3BB fiber in BKK.

 

Just now before 9 pm, tried a direct connection to both YouTube and Gmail and got nothing with 3BB.

 

Switched to a VPN connection on top of 3BB, and Youtube and Gmail loaded quickly and fine, no apparent problems.

 

 

Edited by TallGuyJohninBKK
Posted

You don't need to see problems.

On my ToT fiber all looks fine.

Just under the hood you can see that google.com now has an IP address in Bangkok that belongs to ToT.

Maybe it's just 3BB that muddled the change?

I don't to be the one to raise an alarm for the whole country, but really be careful.

 

Posted
You don't need to see problems.
On my ToT fiber all looks fine.
Just under the hood you can see that google.com now has an IP address in Bangkok that belongs to ToT.
Maybe it's just 3BB that muddled the change?
I don't to be the one to raise an alarm for the whole country, but really be careful.
 

Care to share your trace showing this? Google has a very proactive security team who would want to look into this I'm sure. Fwiw my traces to Google.com resolve to a Google owned IP via ais.
Posted
20 minutes ago, RedCardinal said:


Care to share your trace showing this? Google has a very proactive security team who would want to look into this I'm sure. Fwiw my traces to Google.com resolve to a Google owned IP via ais.

C:\Users\admin>tracert google.com

Tracing route to google.com [203.113.51.90]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  ADSL [192.168.1.1]
  2     *        *        *     Request timed out.
  3     3 ms     2 ms     2 ms  192.168.7.5
  4    11 ms     9 ms     9 ms  203.113.44.237
  5     8 ms     8 ms     8 ms  203.113.44.201
  6     8 ms     8 ms     8 ms  203.113.51.90

 

This is seen (changed) since about 10 AM (?) this morning.

Before it was an address at about 47 ms away (Hong Kong?).

 

Posted

Interesting, I wonder if google analytics was also timing out when loading the javascript - I've seen an outage like this where any website which includes an external script from a server which isn't responding just sits there and does nothing when you load it in the browser.

 

I noticed some very slow websites today which appeared to be timing out when on the WiFi without VPN on 3BB.

Posted
1 hour ago, RedCardinal said:


Care to share your trace showing this? Google has a very proactive security team who would want to look into this I'm sure. Fwiw my traces to Google.com resolve to a Google owned IP via ais.

 

Yes I hope google's security team will look into this.

 

I can only warn everyone against re-typing PASSWORDS.

There is/was something strange going on about DNS, SSL certificates and traffic being routed to different servers than intended.

I am still wondering how the hell alphabet's website was served from a 3BB server using alphabet's SSL certificate.

In any case, I am no routing, SSL  and OSI guru, and even if this is no man in the middle attack and a broken server is the truth, it still smells fishy enough to me to be very very careful.

 

Remember that attackers with control over the ISP can control every aspect of your connections, even spoofing IP addresses, so the servers you believe to be google's maybe aren't google's at all.

The only protection is a VPN, although I believe even that can be broken, but not on a large scale and I believe the necessary resources are only available to G7 government agencies.

Posted
2 hours ago, KhunBENQ said:

I don't to be the one to raise an alarm for the whole country, but really be careful.

better safe than sorry.

Posted

So google.com via 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [110.164.10.89]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]

Trace complete.

 

The IP addresses highlighted in red are not regular public IP addresses, they're private to 3BB.

 

Who owns 110.164.10.89, see here to look up who owns an IP address : https://www.maxmind.com/en/geoip-demo

 

Result :

 

110.164.10.89 TH Thailand,
Asia
  13.75,
100.4667
500 3BB Broadband 3BB Broadband 3bb.co.th  

 

The thing is - I remember checking this a long time ago, like a year back and it was also a 3BB IP address, I suspect Google rent a load of rackspace from 3BB in Thailand. They appear to have a presence at 3BB which is what you would expect for a large nationwide ISP.

 

Normally the IP addresses would be in the customers name but as this is Thailand

 

Posted (edited)
5 minutes ago, ukrules said:

So google.com via 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [110.164.10.89]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]

Trace complete.

 

The IP addresses highlighted in red are not regular public IP addresses, they're private to 3BB.

 

Who owns 110.164.10.89, see here to look up who owns an IP address : https://www.maxmind.com/en/geoip-demo

 

Result :

 

110.164.10.89 TH Thailand,
Asia
  13.75,
100.4667
500 3BB Broadband 3BB Broadband 3bb.co.th  

 

The thing is - I remember checking this a long time ago, like a year back and it was also a 3BB IP address, I suspect Google rent a load of rackspace from 3BB in Thailand. They appear to have a presence at 3BB which is what you would expect for a large nationwide ISP.

 

Normally the IP addresses would be in the customers name but as this is Thailand

 

I did the same with abc.xyz (alphabet's homepage) and during the outage it routed to a 3BB IP and was served from Thailand, and now that things work, the IP address is a mountain view one...
*oops* no, I stand corrected, it is now served from Thailand as well...

 

Edited by manarak
Posted
5 hours ago, janclaes47 said:

Let the scaremongering games begin

Well, what he says is true.

3BB does have man in the middle server for ports 80 and 443. I confirmed it via TCP Traceroute.

True probably has it too.

 

In order to crackdown people who talk bad about Royal Family and the King, they have to monitor everything and catch people in violation of lese majeste law.

a Singapore always-on vpn (on your private vps server, 5$ usd / month) is necessary.

Posted
12 minutes ago, ukrules said:

So google.com via 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [110.164.10.89]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]

Trace complete.

 

The IP addresses highlighted in red are not regular public IP addresses, they're private to 3BB.

 

Who owns 110.164.10.89, see here to look up who owns an IP address : https://www.maxmind.com/en/geoip-demo

 

Result :

 

110.164.10.89 TH Thailand,
Asia
  13.75,
100.4667
500 3BB Broadband 3BB Broadband 3bb.co.th  

 

The thing is - I remember checking this a long time ago, like a year back and it was also a 3BB IP address, I suspect Google rent a load of rackspace from 3BB in Thailand. They appear to have a presence at 3BB which is what you would expect for a large nationwide ISP.

 

Normally the IP addresses would be in the customers name but as this is Thailand

 

They can use hidden servers. Traceroute uses UDP.

There are tcp traceroute programs, that shows different routing to destination if port is 80 or 443.

3BB's man in the middle attack server is very professional. It gives ping in last hope exactly same (not bogus) ping.

like

us.server.com ....

1.

2.

3.

4. .... 200 ms!

Although server is in Thailand, they can manipulate everything.

Posted
6 minutes ago, muratremix said:

Well, what he says is true.

3BB does have man in the middle server for ports 80 and 443. I confirmed it via TCP Traceroute.

True probably has it too.

 

In order to crackdown people who talk bad about Royal Family and the King, they have to monitor everything and catch people in violation of lese majeste law.

a Singapore always-on vpn (on your private vps server, 5$ usd / month) is necessary.

 

I think you're right in that it's time to enable permanent VPN now.

 

My router/modem doesn't allow VPN settings, but I'm gonna enable my vpn to start up with Windows from now on.

Posted

It's changed again for me on 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [43.245.144.114]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    23 ms    22 ms    21 ms  10.121.76.245
  3    20 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    24 ms    24 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    23 ms    23 ms    23 ms  192.168.254.29
  6    39 ms    43 ms    43 ms  192.168.255.28
  7    22 ms    22 ms    21 ms  43.245.144.114

Trace complete.

 

43.245.144.114 TH Thailand,
Asia
  13.75,
100.4667
500 Triple T Internet Company Limited Triple T Internet Company Limited

 

Going to this Triple T intetnet company now, was 3BB IP as in previous post before.

 

Posted

No problems with AIS fibre, everything been running smooth today.

Posted
7 hours ago, muratremix said:

Well, what he says is true.

3BB does have man in the middle server for ports 80 and 443. I confirmed it via TCP Traceroute.

True probably has it too.

 

In order to crackdown people who talk bad about Royal Family and the King, they have to monitor everything and catch people in violation of lese majeste law.

a Singapore always-on vpn (on your private vps server, 5$ usd / month) is necessary.

 

 

Yes, it does appear that as a result of the "government" via the NBTC pressuring all ISPs to be the "internet police" - they will be held responsible for not identifying, blocking and logging users who view objectionable content via hefty fines (millions of baht) and loss of licenses - that all eleven (11) ISPs have initiated new filtering procedures.

 

Quite a few people have been rounded up over the past few days - one facing 150 years prison sentence - for sharing recent material, and a few have been disappeared into the military "system".

 

People should be extremely cautious. Even using VPNs may be interpreted to be a violation of the recently amended (Gazetted in January, 2017 I think?) Computer Crimes Act.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.




×
×
  • Create New...