Geekzone: technology news, blogs, forums
# 248531 29-Mar-2019 18:08

We noticed a day ago that browsing attempts to any ASB website (https://asb.co.nz) time out.

Other banking sites show no problem.

We can also browse to the IRD website, but when trying to reach the IRD login page the browser times out again.

A sudo output shows the following, after which it times out:

There is an open ticket with VF, but has anyone seen this before or can suggest next steps for troubleshooting?

Thanks

Vodafone NZ

  # 2208291 31-Mar-2019 18:23

Hi,

There was a post a while back where somebody got things working by disabling IPv6, although it was never clear why that helped. See https://www.geekzone.co.nz/forums.asp?forumid=40&topicid=245135&page_no=1#2164305

It could be some routing problem in our network, in which case I expect the ticket will get it sorted - but PM it to me and I can check. But if you want to do some more troubleshooting you could try...

1. Run a tcpdump to capture other interesting info. With the filter you've got you're only seeing the DNS query, try something like this:

sudo tcpdump -ni enp1s0 "icmp or port 53 or https"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:03:59.547659 IP 10.2.1.234.46335 > 10.2.1.1.53: 49458+ [1au] A? asb.co.nz. (38)
18:03:59.547951 IP 10.2.1.234.40863 > 10.2.1.1.53: 17473+ [1au] AAAA? asb.co.nz. (38)
18:03:59.548810 IP 10.2.1.1.53 > 10.2.1.234.46335: 49458 1/0/1 A 210.55.180.37 (54)
18:03:59.549465 IP 10.2.1.1.53 > 10.2.1.234.40863: 17473 0/0/1 (38)
18:03:59.550288 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [S], seq 856250897, win 29200, options [mss 1460,sackOK,TS val 2268740631 ecr 0,nop,wscale 10], length 0
18:03:59.567905 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [S.], seq 1202650793, ack 856250898, win 4308, options [mss 1436,nop,nop,TS val 3525445699 ecr 2268740631,sackOK,eol], length 0
18:03:59.567960 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [.], ack 1, win 29200, options [nop,nop,TS val 2268740648 ecr 3525445699], length 0
18:03:59.596239 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [P.], seq 1:210, ack 1, win 29200, options [nop,nop,TS val 2268740677 ecr 3525445699], length 209
18:03:59.613217 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [.], ack 210, win 4517, options [nop,nop,TS val 3525445745 ecr 2268740677], length 0
18:03:59.615566 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [P.], seq 1:4963, ack 210, win 4517, options [nop,nop,TS val 3525445747 ecr 2268740677], length 4962

 

<snip>

If you've got a bunch of other traffic going on then narrow it down a bit further: "icmp or port 53 or host 210.55.180.37 or host 140.168.252.24"

2. Check the path to asb.co.nz and www.asb.co.nz:

mtr -rwbc5 asb.co.nz
Start: 2019-03-31T18:15:35+1300
HOST: mypc Loss% Snt Last Avg Best Wrst StDev
1.|-- ultraplus.hub (10.2.1.1) 0.0% 5 0.7 0.8 0.7 0.8 0.1
2.|-- 47-72-59-254.dsl.dyn.ihug.co.nz (47.72.59.254) 0.0% 5 1.5 2.3 1.3 5.9 2.0
3.|-- 203.167.224.158 0.0% 5 8.4 8.3 8.2 8.4 0.1
4.|-- 203.167.224.157 0.0% 5 7.0 8.5 6.9 14.3 3.2
5.|-- ge-2-0-0-906.ie2.telstraclear.net (203.98.18.65) 0.0% 5 16.0 16.0 15.9 16.0 0.0
6.|-- g1-0-0-906.u12.telstraclear.net (203.98.18.66) 0.0% 5 16.2 16.2 16.2 16.3 0.0
7.|-- 202-37-243-65.gis.global-gateway.net.nz (202.37.243.65) 0.0% 5 17.8 17.7 17.7 17.8 0.1
8.|-- ??? 100.0 5 0.0 0.0 0.0 0.0 0.0

 

mtr -rwbc5 www.asb.co.nz
Start: 2019-03-31T18:16:01+1300
HOST: mypc Loss% Snt Last Avg Best Wrst StDev
1.|-- ultraplus.hub (10.2.1.1) 0.0% 5 0.7 0.8 0.7 0.9 0.1
2.|-- 47-72-59-254.dsl.dyn.ihug.co.nz (47.72.59.254) 0.0% 5 43.2 10.0 1.4 43.2 18.6
3.|-- 10.200.12.29 0.0% 5 7.0 7.2 7.0 7.3 0.1
4.|-- as9500.nsw.ix.asn.au (218.100.52.103) 0.0% 5 40.5 40.4 40.2 40.5 0.1
5.|-- as32787.nsw.ix.asn.au (218.100.52.155) 0.0% 5 41.5 41.6 41.4 41.9 0.2
6.|-- ae101.access-a.sech-syd2.netarch.akamai.com (72.52.2.17) 0.0% 5 41.6 41.7 41.6 41.7 0.1
7.|-- a69-192-6-136.deploy.static.akamaitechnologies.com (69.192.6.136) 0.0% 5 41.1 41.2 41.1 41.3 0.0
8.|-- ??? 100.0 5 0.0 0.0 0.0 0.0 0.0

 

 

3. Check you haven't got a particularly low MTU somewhere:

ping -c2 -s1472 -Mdo 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 1472(1500) bytes of data.
1480 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=16.3 ms
1480 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=16.1 ms

 

 

4. Try curl:

$ curl -v https://asb.co.nz/
* Trying 210.55.180.37...
* TCP_NODELAY set
* Connected to asb.co.nz (210.55.180.37) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=NZ; L=Auckland; jurisdictionC=NZ; O=ASB Bank Limited; businessCategory=Private Organization; serialNumber=398445; CN=www.asb.co.nz
* start date: Jul 18 01:36:30 2017 GMT
* expire date: Jul 18 02:06:28 2019 GMT
* subjectAltName: host "asb.co.nz" matched cert's "asb.co.nz"
* issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2014 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1M
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: asb.co.nz
> User-Agent: curl/7.58.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 301 Moved Permanently
< Location: https://www.asb.co.nz/
< Server: BigIP
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
< Content-Length: 0
<
* Connection #0 to host asb.co.nz left intact
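To read a capture like the one in step 1 without eyeballing every line, here is an added Python helper (not part of the reply above and not a Vodafone tool) that walks `tcpdump -n` text output and reports which stage the HTTPS connection reached. Both sample captures are constructed: the first mirrors the healthy exchange shown above, the second shows what a silently dropped connection looks like (SYN retransmitted, never answered).

```python
import re
# Constructed samples modelled on the tcpdump lines quoted above (TCP options trimmed).
# SAMPLE_OK is the healthy DNS -> SYN -> SYN-ACK -> ClientHello -> ServerHello sequence;
# SAMPLE_STALL is a constructed capture where the SYN is retransmitted and never answered.
SAMPLE_OK = """\
18:03:59.547659 IP 10.2.1.234.46335 > 10.2.1.1.53: 49458+ [1au] A? asb.co.nz. (38)
18:03:59.548810 IP 10.2.1.1.53 > 10.2.1.234.46335: 49458 1/0/1 A 210.55.180.37 (54)
18:03:59.550288 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [S], seq 856250897, length 0
18:03:59.567905 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [S.], seq 1202650793, ack 856250898, length 0
18:03:59.596239 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [P.], seq 1:210, ack 1, length 209
18:03:59.615566 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [P.], seq 1:4963, ack 210, length 4962
"""
SAMPLE_STALL = """\
18:10:01.000100 IP 10.2.1.234.46400 > 10.2.1.1.53: 50001+ [1au] A? asb.co.nz. (38)
18:10:01.001200 IP 10.2.1.1.53 > 10.2.1.234.46400: 50001 1/0/1 A 210.55.180.37 (54)
18:10:01.002300 IP 10.2.1.234.39500 > 210.55.180.37.443: Flags [S], seq 1, length 0
18:10:02.010000 IP 10.2.1.234.39500 > 210.55.180.37.443: Flags [S], seq 1, length 0
18:10:04.020000 IP 10.2.1.234.39500 > 210.55.180.37.443: Flags [S], seq 1, length 0
"""

LINE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
def diagnose(capture: str, port: int = 443) -> dict:
    """Walk a `tcpdump -n` text capture and report how far the HTTPS connection got."""
    seen = {"dns_answer": False, "syn": 0, "synack": False, "client_data": False, "server_data": False}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sport, dport, rest = int(m["sport"]), int(m["dport"]), m["rest"]
        if sport == 53 and " A " in rest:             # resolver answered with an A record
            seen["dns_answer"] = True
        elif dport == port and "Flags [S]" in rest:   # our SYN (retransmits are counted)
            seen["syn"] += 1
        elif sport == port and "Flags [S.]" in rest:  # server's SYN-ACK
            seen["synack"] = True
        elif dport == port and "Flags [P.]" in rest:  # TLS ClientHello pushed
            seen["client_data"] = True
        elif sport == port and "Flags [P.]" in rest:  # ServerHello / certificate coming back
            seen["server_data"] = True
    verdict = "no connection attempt seen"
    if not seen["dns_answer"]:
        verdict = "no DNS answer"
    elif seen["syn"] and not seen["synack"]:
        verdict = f"SYN sent {seen['syn']}x, no SYN-ACK: dropped on the path or by the far end"
    elif seen["client_data"] and not seen["server_data"]:
        verdict = "TCP handshake ok but TLS ClientHello unanswered: check MTU next"
    elif seen["server_data"]:
        verdict = "server responding"
    return {**seen, "verdict": verdict}
```

Feed it the saved output of the tcpdump command from step 1 (with the `icmp or port 53 or https` filter) and the verdict tells you whether the stall is at DNS, at the TCP handshake, or after the ClientHello, which decides whether step 2 (path) or step 3 (MTU) is the next check.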

 


  # 2208366 1-Apr-2019 02:08

From following some other links on that above thread, ASB use https://www.brightcloud.com/tools/url-ip-lookup.php

And they block IPs with a low reputation. I tested both my IPv6 and IPv4 addresses, and that website listed a much lower reputation for my IPv6 address, which would explain why disabling IPv6 fixed the problem in the other thread.

It was also mentioned that they block known Tor exit nodes as well.

Paging @asb also.

Although the ASB website and app work just fine for me from IPv6.

  # 2209289 2-Apr-2019 10:26

@Aredwood: That's a really helpful suggestion: the Brightcloud database identified the source site as High risk, and ASB have confirmed to us that they use the results from this database.

We are investigating further as to whether this is a device on the network or someone spoofing the public IP address.

  # 2211431 5-Apr-2019 17:05

I have found it to be customers with viruses sending out spam or other known worms.

Check out https://mxtoolbox.com/blacklists.aspx

Put in your IP address to see if you are on any lists. There are a couple of honeypots which it checks, and you just need to block the outgoing traffic and log it to see where in your network it's coming from.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here




  # 2211434 5-Apr-2019 17:18

Aredwood: I tested both my IPv6 and IPv4 addresses, and that website listed a much lower reputation for my IPv6 address.

For IPv6 did you enter a prefix or a single address?

Seems if I enter any range it returns with "Suspicious (40 of 100)." Not sure how the system works.

  # 2229188 2-May-2019 09:29

Since the original post, I have installed an old firewall in the data path (in Virtual Wire mode) in order to monitor traffic coming out of the network.

I now have heaps of logs of traffic identifying IP destination address, country, port, application (where available), but I struggle to identify what may be mischievous activity - or if there even is any. Brightcloud no longer identifies the site as being blocked, so it is possible that anything that was going on before has now stopped.

Can anyone suggest a good tool that I can use to review the logs and see if there are suspicious patterns of activity?

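One way to start on that question, as an added example that is not from this thread or from any firewall vendor: the script below reads a constructed CSV export with the fields the post lists and flags internal hosts whose outbound fan-out matches the spam or worm patterns mentioned earlier in the thread. The CSV layout, the port list and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed log with the fields the post above lists (destination, country, port,
# application). The real export format is not shown in the thread, so this CSV layout
# and the thresholds below are assumptions to adjust for your own network.
SAMPLE_LOG = """\
time,src,dst,dport,country,app
2019-04-20T10:00:01,10.2.1.50,203.0.113.10,443,NZ,ssl
2019-04-20T10:00:02,10.2.1.50,203.0.113.11,443,NZ,ssl
2019-04-20T10:00:03,10.2.1.50,203.0.113.12,443,US,ssl
2019-04-20T10:00:03,10.2.1.77,198.51.100.1,25,US,smtp
2019-04-20T10:00:03,10.2.1.77,198.51.100.2,25,DE,smtp
2019-04-20T10:00:04,10.2.1.77,198.51.100.3,25,BR,smtp
2019-04-20T10:00:04,10.2.1.77,198.51.100.4,25,RU,smtp
2019-04-20T10:00:05,10.2.1.77,198.51.100.5,25,CN,smtp
2019-04-20T10:00:06,10.2.1.90,192.0.2.1,445,NZ,smb
2019-04-20T10:00:06,10.2.1.90,192.0.2.2,445,NZ,smb
2019-04-20T10:00:06,10.2.1.90,192.0.2.3,445,NZ,smb
2019-04-20T10:00:06,10.2.1.90,192.0.2.4,445,NZ,smb
2019-04-20T10:00:07,10.2.1.90,192.0.2.5,445,NZ,smb
2019-04-20T10:00:07,10.2.1.90,192.0.2.6,445,NZ,smb
"""

# A workstation normally hands mail to one relay, so direct-to-MX fan-out on port 25 is
# the classic spambot signature; wide fan-out on SMB/RDP/telnet/SSH looks like a worm
# hunting for new hosts. Both thresholds are assumptions, not tuned values.
SMTP_PORT = 25
SCAN_PORTS = {22, 23, 135, 139, 445, 3389}
SMTP_FANOUT = 3
SCAN_FANOUT = 5

def find_suspicious(log_text: str) -> list:
    """Return (src, dport, distinct_destinations, reason) for hosts worth a closer look."""
    fanout = defaultdict(set)  # (src, dport) -> set of distinct destination IPs
    for row in csv.DictReader(io.StringIO(log_text)):
        fanout[(row["src"], int(row["dport"]))].add(row["dst"])
    findings = []
    for (src, dport), dsts in sorted(fanout.items()):
        if dport == SMTP_PORT and len(dsts) >= SMTP_FANOUT:
            findings.append((src, dport, len(dsts), "direct-to-MX SMTP fan-out (spambot pattern)"))
        elif dport in SCAN_PORTS and len(dsts) >= SCAN_FANOUT:
            findings.append((src, dport, len(dsts), "worm-style fan-out on a lateral-movement port"))
    return findings
```

Run it over the whole export rather than a slice: a single flagged host with many distinct port-25 destinations is the kind of thing that gets a public IP onto the reputation lists discussed earlier.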