Warning To All Internet Users In Thailand


manarak

Do not enter any confidential information into your browsers, use internet with caution.

 

Major problems have been reported today with the 3BB network and some with ToT; maybe more ISPs are affected.

 

Reported problems:

Google services do not work

YouTube does not work

A number of US sites do not work properly

 

Some preliminary network analysis shows that traffic is being routed to OTHER SERVERS than those requested by the users, including HTTPS traffic, which means these sites are NOT SAFE despite no alarms being raised in browsers, which means the SSL certificates have possibly been spoofed, which in turn means whoever manipulates the servers has access to all your confidential information.

 

Also, DNS requests are not being answered correctly, INCLUDING requests to ALTERNATIVE DNS SERVERS you may have set on your router, for example Google's. DNS requests seem to be intercepted and answered with wrong data.

 

The above has me very worried, as it bears all signs of a huge man in the middle attack - I advise everyone to not enter any confidential information into the browser, ESPECIALLY passwords.

Link to comment
Share on other sites



39 minutes ago, manarak said:

I advise everyone to not enter any confidential information into the browser, ESPECIALLY passwords.

then how do you access sites where a password is mandatory, e.g. bank? password by carrier pigeon?

Link to comment
Share on other sites

12 minutes ago, Naam said:

then how do you access sites where a password is mandatory, e.g. bank? password by carrier pigeon?

use a VPN or wait until the problem is solved

Link to comment
Share on other sites

I have 3BB fiber in BKK.

 

Just now before 9 pm, tried a direct connection to both YouTube and Gmail and got nothing with 3BB.

 

Switched to a VPN connection on top of 3BB, and YouTube and Gmail loaded quickly and fine, no apparent problems.

 

 

Edited by TallGuyJohninBKK
Link to comment
Share on other sites

You don't need to see problems.

On my ToT fiber all looks fine.

Just under the hood you can see that google.com now has an IP address in Bangkok that belongs to ToT.

Maybe it's just 3BB that muddled the change?

I don't want to be the one to raise an alarm for the whole country, but really be careful.

 

Link to comment
Share on other sites

You don't need to see problems.
On my ToT fiber all looks fine.
Just under the hood you can see that google.com now has an IP address in Bangkok that belongs to ToT.
Maybe it's just 3BB that muddled the change?
I don't want to be the one to raise an alarm for the whole country, but really be careful.
 

Care to share your trace showing this? Google has a very proactive security team who would want to look into this I'm sure. Fwiw my traces to Google.com resolve to a Google owned IP via ais.
Link to comment
Share on other sites

20 minutes ago, RedCardinal said:


Care to share your trace showing this? Google has a very proactive security team who would want to look into this I'm sure. Fwiw my traces to Google.com resolve to a Google owned IP via ais.

C:\Users\admin>tracert google.com

Tracing route to google.com [203.113.51.90]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  ADSL [192.168.1.1]
  2     *        *        *     Request timed out.
  3     3 ms     2 ms     2 ms  192.168.7.5
  4    11 ms     9 ms     9 ms  203.113.44.237
  5     8 ms     8 ms     8 ms  203.113.44.201
  6     8 ms     8 ms     8 ms  203.113.51.90

 

This is seen (changed) since about 10 AM (?) this morning.

Before it was an address at about 47 ms away (Hong Kong?).

 

Link to comment
Share on other sites

Interesting, I wonder if google analytics was also timing out when loading the javascript - I've seen an outage like this where any website which includes an external script from a server which isn't responding just sits there and does nothing when you load it in the browser.

 

I noticed some very slow websites today which appeared to be timing out when on the WiFi without VPN on 3BB.

Link to comment
Share on other sites

1 hour ago, RedCardinal said:


Care to share your trace showing this? Google has a very proactive security team who would want to look into this I'm sure. Fwiw my traces to Google.com resolve to a Google owned IP via ais.

 

Yes, I hope Google's security team will look into this.

 

I can only warn everyone against re-typing PASSWORDS.

There is/was something strange going on about DNS, SSL certificates and traffic being routed to different servers than intended.

I am still wondering how the hell Alphabet's website was served from a 3BB server using Alphabet's SSL certificate.

In any case, I am no routing, SSL and OSI guru, and even if this is no man-in-the-middle attack and a broken server is the truth, it still smells fishy enough to me to be very, very careful.

 

Remember that attackers with control over the ISP can control every aspect of your connections, even spoofing IP addresses, so the servers you believe to be Google's maybe aren't Google's at all.

The only protection is a VPN, although I believe even that can be broken, but not on a large scale and I believe the necessary resources are only available to G7 government agencies.

Link to comment
Share on other sites

So google.com via 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [110.164.10.89]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]

Trace complete.

 

The IP addresses highlighted in red are not regular public IP addresses, they're private to 3BB.

 

Who owns 110.164.10.89, see here to look up who owns an IP address : https://www.maxmind.com/en/geoip-demo

 

Result :

 

110.164.10.89 | TH | Thailand, Asia | 13.75, 100.4667 | 500 | 3BB Broadband | 3BB Broadband | 3bb.co.th

 

The thing is - I remember checking this a long time ago, like a year back and it was also a 3BB IP address, I suspect Google rent a load of rackspace from 3BB in Thailand. They appear to have a presence at 3BB which is what you would expect for a large nationwide ISP.

 

Normally the IP addresses would be in the customers name but as this is Thailand

 

Link to comment
Share on other sites

5 minutes ago, ukrules said:

So google.com via 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [110.164.10.89]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]

Trace complete.

 

The IP addresses highlighted in red are not regular public IP addresses, they're private to 3BB.

 

Who owns 110.164.10.89, see here to look up who owns an IP address : https://www.maxmind.com/en/geoip-demo

 

Result :

 

110.164.10.89 | TH | Thailand, Asia | 13.75, 100.4667 | 500 | 3BB Broadband | 3BB Broadband | 3bb.co.th

 

The thing is - I remember checking this a long time ago, like a year back and it was also a 3BB IP address, I suspect Google rent a load of rackspace from 3BB in Thailand. They appear to have a presence at 3BB which is what you would expect for a large nationwide ISP.

 

Normally the IP addresses would be in the customers name but as this is Thailand

 

I did the same with abc.xyz (Alphabet's homepage) and during the outage it routed to a 3BB IP and was served from Thailand, and now that things work, the IP address is a Mountain View one...
*oops* no, I stand corrected, it is now served from Thailand as well...

 

Edited by manarak
Link to comment
Share on other sites

5 hours ago, janclaes47 said:

Let the scaremongering games begin

Well, what he says is true.

3BB does have man in the middle server for ports 80 and 443. I confirmed it via TCP Traceroute.

True probably has it too.

 

In order to crack down on people who talk bad about the Royal Family and the King, they have to monitor everything and catch people in violation of the lese majeste law.

A Singapore always-on VPN (on your private VPS server, $5 USD / month) is necessary.

Link to comment
Share on other sites

12 minutes ago, ukrules said:

So google.com via 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [110.164.10.89]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]

Trace complete.

 

The IP addresses highlighted in red are not regular public IP addresses, they're private to 3BB.

 

Who owns 110.164.10.89, see here to look up who owns an IP address : https://www.maxmind.com/en/geoip-demo

 

Result :

 

110.164.10.89 | TH | Thailand, Asia | 13.75, 100.4667 | 500 | 3BB Broadband | 3BB Broadband | 3bb.co.th

 

The thing is - I remember checking this a long time ago, like a year back and it was also a 3BB IP address, I suspect Google rent a load of rackspace from 3BB in Thailand. They appear to have a presence at 3BB which is what you would expect for a large nationwide ISP.

 

Normally the IP addresses would be in the customers name but as this is Thailand

 

They can use hidden servers. Traceroute uses UDP.

There are TCP traceroute programs that show different routing to the destination if the port is 80 or 443.

3BB's man-in-the-middle attack server is very professional. In the last hop it gives exactly the same (not bogus) ping.

like

us.server.com ....
1.
2.
3.
4. .... 200 ms!

Although server is in Thailand, they can manipulate everything.

Link to comment
Share on other sites

6 minutes ago, muratremix said:

Well, what he says is true.

3BB does have man in the middle server for ports 80 and 443. I confirmed it via TCP Traceroute.

True probably has it too.

 

In order to crack down on people who talk bad about the Royal Family and the King, they have to monitor everything and catch people in violation of the lese majeste law.

A Singapore always-on VPN (on your private VPS server, $5 USD / month) is necessary.

 

I think you're right in that it's time to enable permanent VPN now.

 

My router/modem doesn't allow VPN settings, but I'm gonna enable my vpn to start up with Windows from now on.

Link to comment
Share on other sites

It's changed again for me on 3BB :

 

C:\Users\user>tracert google.com

Tracing route to google.com [43.245.144.114]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    23 ms    22 ms    21 ms  10.121.76.245
  3    20 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    24 ms    24 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    23 ms    23 ms    23 ms  192.168.254.29
  6    39 ms    43 ms    43 ms  192.168.255.28
  7    22 ms    22 ms    21 ms  43.245.144.114

Trace complete.

 

43.245.144.114 | TH | Thailand, Asia | 13.75, 100.4667 | 500 | Triple T Internet Company Limited | Triple T Internet Company Limited

 

Going to this Triple T internet company now; it was a 3BB IP before, as in the previous post.

 

Link to comment
Share on other sites
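
Added example (not part of any post in this thread): a parser for the Windows tracert output posted above that marks which hops are RFC 1918 private addresses, the ones the earlier post describes as highlighted in red, and reports when the same name resolved to different addresses between runs. The function names are hypothetical; the two traces are copied from the 3BB posts above.

```python
import ipaddress
import re
# Both traces are copied from the 3BB posts in this thread (two runs).
TRACE_A = """Tracing route to google.com [110.164.10.89]
  1     2 ms     1 ms     1 ms  192.168.1.1
  2    22 ms    21 ms    25 ms  10.121.76.253
  3    21 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    23 ms    29 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    25 ms    23 ms    23 ms  192.168.254.25
  6    46 ms    38 ms    43 ms  192.168.255.52
  7    23 ms    26 ms    22 ms  mx-ll-110.164.10-89.static.3bb.co.th [110.164.10.89]
"""
TRACE_B = """Tracing route to google.com [43.245.144.114]
  1     1 ms     1 ms     1 ms  192.168.1.1
  2    23 ms    22 ms    21 ms  10.121.76.245
  3    20 ms    20 ms    20 ms  10.121.76.254
  4    24 ms    24 ms    24 ms  mx-ll-110.164.0-108.static.3bb.co.th [110.164.0.108]
  5    23 ms    23 ms    23 ms  192.168.254.29
  6    39 ms    43 ms    43 ms  192.168.255.28
  7    22 ms    22 ms    21 ms  43.245.144.114
"""

HEADER = re.compile(r"Tracing route to (\S+) \[([0-9a-fA-F.:]+)\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_tracert(text):
    """Return (hostname, resolved_ip, hops); each hop is (number, ip or None, is_rfc1918)."""
    header = HEADER.search(text)
    if header is None:
        raise ValueError("no 'Tracing route to name [address]' header found")
    hops = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # header, blank or "Trace complete." line
        try:
            ip = ipaddress.ip_address(fields[-1].strip("[]"))
        except ValueError:
            ip = None  # e.g. "Request timed out."
        private = ip is not None and any(ip in net for net in RFC1918)
        hops.append((int(fields[0]), str(ip) if ip else None, private))
    return header.group(1), header.group(2), hops

def resolution_changes(traces):
    """Return {hostname: sorted addresses} for names that resolved differently between runs."""
    seen = {}
    for text in traces:
        host, target, _ = parse_tracert(text)
        seen.setdefault(host, set()).add(target)
    return {host: sorted(addrs) for host, addrs in seen.items() if len(addrs) > 1}
```

A changed or ISP-owned address is a prompt to check the certificate the server presents, not proof of interception by itself.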

7 hours ago, muratremix said:

Well, what he says is true.

3BB does have man in the middle server for ports 80 and 443. I confirmed it via TCP Traceroute.

True probably has it too.

 

In order to crack down on people who talk bad about the Royal Family and the King, they have to monitor everything and catch people in violation of the lese majeste law.

A Singapore always-on VPN (on your private VPS server, $5 USD / month) is necessary.

 

 

Yes, it does appear that as a result of the "government" via the NBTC pressuring all ISPs to be the "internet police" - they will be held responsible for not identifying, blocking and logging users who view objectionable content via hefty fines (millions of baht) and loss of licenses - that all eleven (11) ISPs have initiated new filtering procedures.

 

Quite a few people have been rounded up over the past few days - one facing 150 years prison sentence - for sharing recent material, and a few have been disappeared into the military "system".

 

People should be extremely cautious. Even using VPNs may be interpreted to be a violation of the recently amended (Gazetted in January, 2017 I think?) Computer Crimes Act.

Link to comment
Share on other sites
