Geekzone: technology news, blogs, forums


LikesTV (Wannabe Geek, 6 posts)
#248531 29-Mar-2019 18:08

We noticed a day ago that browsing attempts to any ASB website (https://asb.co.nz) time out.

Other banking sites show no problem.

We can also browse to the IRD website, but when trying to reach the IRD login page the browser times out again.

A sudo output shows the following, after which it times out:

There is an open ticket with VF, but has anyone seen this before or can suggest next steps for troubleshooting?

Thanks

gaddman (Master Geek, 224 posts, Trusted)
#2208291 31-Mar-2019 18:23

Hi,

There was a post a while back where somebody got things working by disabling IPv6, although it was never clear why that helped. See https://www.geekzone.co.nz/forums.asp?forumid=40&topicid=245135&page_no=1#2164305

It could be some routing problem in our network, in which case I expect the ticket will get it sorted, but PM it to me and I can check. But if you want to do some more troubleshooting you could try:

1. Run a tcpdump to capture other interesting info. With the filter you've got you're only seeing the DNS query; try something like this:

sudo tcpdump -ni enp1s0 "icmp or port 53 or https"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:03:59.547659 IP 10.2.1.234.46335 > 10.2.1.1.53: 49458+ [1au] A? asb.co.nz. (38)
18:03:59.547951 IP 10.2.1.234.40863 > 10.2.1.1.53: 17473+ [1au] AAAA? asb.co.nz. (38)
18:03:59.548810 IP 10.2.1.1.53 > 10.2.1.234.46335: 49458 1/0/1 A 210.55.180.37 (54)
18:03:59.549465 IP 10.2.1.1.53 > 10.2.1.234.40863: 17473 0/0/1 (38)
18:03:59.550288 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [S], seq 856250897, win 29200, options [mss 1460,sackOK,TS val 2268740631 ecr 0,nop,wscale 10], length 0
18:03:59.567905 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [S.], seq 1202650793, ack 856250898, win 4308, options [mss 1436,nop,nop,TS val 3525445699 ecr 2268740631,sackOK,eol], length 0
18:03:59.567960 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [.], ack 1, win 29200, options [nop,nop,TS val 2268740648 ecr 3525445699], length 0
18:03:59.596239 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [P.], seq 1:210, ack 1, win 29200, options [nop,nop,TS val 2268740677 ecr 3525445699], length 209
18:03:59.613217 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [.], ack 210, win 4517, options [nop,nop,TS val 3525445745 ecr 2268740677], length 0
18:03:59.615566 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [P.], seq 1:4963, ack 210, win 4517, options [nop,nop,TS val 3525445747 ecr 2268740677], length 4962

<snip>

If you've got a bunch of other traffic going on then narrow it down a bit further: "icmp or port 53 or host 210.55.180.37 or host 140.168.252.24"

2. Check the path to asb.co.nz and www.asb.co.nz:

mtr -rwbc5 asb.co.nz
Start: 2019-03-31T18:15:35+1300
HOST: mypc Loss% Snt Last Avg Best Wrst StDev
1.|-- ultraplus.hub (10.2.1.1) 0.0% 5 0.7 0.8 0.7 0.8 0.1
2.|-- 47-72-59-254.dsl.dyn.ihug.co.nz (47.72.59.254) 0.0% 5 1.5 2.3 1.3 5.9 2.0
3.|-- 203.167.224.158 0.0% 5 8.4 8.3 8.2 8.4 0.1
4.|-- 203.167.224.157 0.0% 5 7.0 8.5 6.9 14.3 3.2
5.|-- ge-2-0-0-906.ie2.telstraclear.net (203.98.18.65) 0.0% 5 16.0 16.0 15.9 16.0 0.0
6.|-- g1-0-0-906.u12.telstraclear.net (203.98.18.66) 0.0% 5 16.2 16.2 16.2 16.3 0.0
7.|-- 202-37-243-65.gis.global-gateway.net.nz (202.37.243.65) 0.0% 5 17.8 17.7 17.7 17.8 0.1
8.|-- ??? 100.0 5 0.0 0.0 0.0 0.0 0.0

mtr -rwbc5 www.asb.co.nz
Start: 2019-03-31T18:16:01+1300
HOST: mypc Loss% Snt Last Avg Best Wrst StDev
1.|-- ultraplus.hub (10.2.1.1) 0.0% 5 0.7 0.8 0.7 0.9 0.1
2.|-- 47-72-59-254.dsl.dyn.ihug.co.nz (47.72.59.254) 0.0% 5 43.2 10.0 1.4 43.2 18.6
3.|-- 10.200.12.29 0.0% 5 7.0 7.2 7.0 7.3 0.1
4.|-- as9500.nsw.ix.asn.au (218.100.52.103) 0.0% 5 40.5 40.4 40.2 40.5 0.1
5.|-- as32787.nsw.ix.asn.au (218.100.52.155) 0.0% 5 41.5 41.6 41.4 41.9 0.2
6.|-- ae101.access-a.sech-syd2.netarch.akamai.com (72.52.2.17) 0.0% 5 41.6 41.7 41.6 41.7 0.1
7.|-- a69-192-6-136.deploy.static.akamaitechnologies.com (69.192.6.136) 0.0% 5 41.1 41.2 41.1 41.3 0.0
8.|-- ??? 100.0 5 0.0 0.0 0.0 0.0 0.0

3. Check you haven't got a particularly low MTU somewhere:

ping -c2 -s1472 -Mdo 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 1472(1500) bytes of data.
1480 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=16.3 ms
1480 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=16.1 ms

4. Try curl:

$ curl -v https://asb.co.nz/
* Trying 210.55.180.37...
* TCP_NODELAY set
* Connected to asb.co.nz (210.55.180.37) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=NZ; L=Auckland; jurisdictionC=NZ; O=ASB Bank Limited; businessCategory=Private Organization; serialNumber=398445; CN=www.asb.co.nz
* start date: Jul 18 01:36:30 2017 GMT
* expire date: Jul 18 02:06:28 2019 GMT
* subjectAltName: host "asb.co.nz" matched cert's "asb.co.nz"
* issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2014 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1M
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: asb.co.nz
> User-Agent: curl/7.58.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 301 Moved Permanently
< Location: https://www.asb.co.nz/
< Server: BigIP
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
< Content-Length: 0
<
* Connection #0 to host asb.co.nz left intact
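Reading the step 1 capture by eye is fine for one connection, but a browser timing out on a bank site generates a lot of lines. The script below is an added example (mine, not gaddman's and not part of the thread) that parses `tcpdump -n` text and reports, per address the name resolved to, the furthest stage each HTTPS attempt reached: no DNS answer, SYN with no SYN-ACK, a reset, a completed handshake with nothing back after the ClientHello, or server data received. The embedded captures are constructed: the first abridges the working exchange shown above, the other two are invented stalls on RFC 5737 documentation addresses (203.0.113.0/24, 198.51.100.0/24).

```python
"""Classify how far each HTTPS attempt got, from `tcpdump -n` text.
Added example, not from the thread. Pipe in the output of
    sudo tcpdump -nli enp1s0 "port 53 or port 443"
and it reports the furthest stage reached per resolved server address."""
import re
import sys
from collections import defaultdict

STAGES = ("no_dns_query", "no_dns_answer", "no_syn", "no_synack", "reset",
          "handshake_only", "no_server_data", "server_data")
# "18:03:59.55 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [S], ..., length 0"
PKT_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# query "49458+ [1au] A? asb.co.nz. (38)"; answer "49458 1/0/1 A 210.55.180.37 (54)"
DNS_Q_RE = re.compile(r"^(?P<id>\d+)\S* (?:\[[^\]]*\] )?(?:A|AAAA)\? (?P<name>\S+) \(\d+\)$")
DNS_R_RE = re.compile(r"^(?P<id>\d+)\S* \d+/\d+/\d+ ?(?P<recs>.*?) ?\(\d+\)$")
TCP_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\].*\blength (?P<len>\d+)$")

def _hostport(s):
    """'10.2.1.234.46335' or '2001:db8::1.443' -> (host, port); port None if absent."""
    host, _, port = s.rpartition(".")
    return (host, int(port)) if host and port.isdigit() else (s, None)

def diagnose(lines, name, port=443):
    """{server_ip: stage} for `name`, or {name: dns_stage} if it never resolved."""
    name, queries, addrs, asked = name.rstrip("."), {}, set(), False
    flows = defaultdict(lambda: dict(syn=False, synack=False, rst=False, c=0, s=0))
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        (sh, sp), (dh, dp), rest = _hostport(m["src"]), _hostport(m["dst"]), m["rest"]
        if dp == 53:                                  # DNS query: remember id -> name
            if q := DNS_Q_RE.match(rest):
                queries[q["id"]] = q["name"].rstrip(".")
                asked = asked or queries[q["id"]] == name
        elif sp == 53:                                # DNS answer: collect A/AAAA rdata
            r = DNS_R_RE.match(rest)
            if r and queries.get(r["id"]) == name:
                for rec in r["recs"].split(", "):
                    rtype, _, rdata = rec.partition(" ")
                    if rtype in ("A", "AAAA"):
                        addrs.add(rdata)
        elif t := TCP_RE.match(rest):                 # TCP segment on the service port
            flags, n = t["flags"], int(t["len"])
            if dp == port:                            # client -> server
                f = flows[(sh, sp, dh)]
                f["syn"], f["c"] = f["syn"] or "S" in flags, f["c"] + n
            elif sp == port:                          # server -> client
                f = flows[(dh, dp, sh)]
                f["synack"] = f["synack"] or ("S" in flags and "." in flags)
                f["rst"], f["s"] = f["rst"] or "R" in flags, f["s"] + n
    if not addrs:
        return {name: "no_dns_answer" if asked else "no_dns_query"}
    verdict = {}
    for ip in sorted(addrs):
        best = "no_syn"
        for (_, _, sip), f in flows.items():
            if sip != ip or not f["syn"]:
                continue
            if f["synack"]:
                stage = "server_data" if f["s"] else "no_server_data" if f["c"] else "handshake_only"
            else:
                stage = "reset" if f["rst"] else "no_synack"
            best = max(best, stage, key=STAGES.index)
        verdict[ip] = best
    return verdict

# Constructed captures: CAPTURE_OK abridges the working exchange in the post above;
# the other two are invented stalls on RFC 5737 documentation addresses.
CAPTURE_OK = """\
18:03:59.547659 IP 10.2.1.234.46335 > 10.2.1.1.53: 49458+ [1au] A? asb.co.nz. (38)
18:03:59.547951 IP 10.2.1.234.40863 > 10.2.1.1.53: 17473+ [1au] AAAA? asb.co.nz. (38)
18:03:59.548810 IP 10.2.1.1.53 > 10.2.1.234.46335: 49458 1/0/1 A 210.55.180.37 (54)
18:03:59.549465 IP 10.2.1.1.53 > 10.2.1.234.40863: 17473 0/0/1 (38)
18:03:59.550288 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [S], seq 856250897, win 29200, options [mss 1460], length 0
18:03:59.567905 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [S.], seq 1202650793, ack 856250898, win 4308, length 0
18:03:59.567960 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [.], ack 1, win 29200, length 0
18:03:59.596239 IP 10.2.1.234.39412 > 210.55.180.37.443: Flags [P.], seq 1:210, ack 1, win 29200, length 209
18:03:59.615566 IP 210.55.180.37.443 > 10.2.1.234.39412: Flags [P.], seq 1:4963, ack 210, win 4517, length 4962
"""
CAPTURE_BLOCKED = """\
10:00:00.000100 IP 192.0.2.20.51000 > 192.0.2.1.53: 1001+ A? login.example. (31)
10:00:00.000900 IP 192.0.2.1.53 > 192.0.2.20.51000: 1001 1/0/0 A 203.0.113.10 (47)
10:00:00.001500 IP 192.0.2.20.40000 > 203.0.113.10.443: Flags [S], seq 1, win 29200, options [mss 1460], length 0
10:00:01.002000 IP 192.0.2.20.40000 > 203.0.113.10.443: Flags [S], seq 1, win 29200, options [mss 1460], length 0
"""
CAPTURE_STALLED = """\
10:05:00.000100 IP 192.0.2.20.51001 > 192.0.2.1.53: 1002+ A? stalled.example. (33)
10:05:00.000900 IP 192.0.2.1.53 > 192.0.2.20.51001: 1002 1/0/0 A 198.51.100.7 (49)
10:05:00.001500 IP 192.0.2.20.40001 > 198.51.100.7.443: Flags [S], seq 100, win 29200, options [mss 1460], length 0
10:05:00.020000 IP 198.51.100.7.443 > 192.0.2.20.40001: Flags [S.], seq 200, ack 101, win 65535, options [mss 1436], length 0
10:05:00.020100 IP 192.0.2.20.40001 > 198.51.100.7.443: Flags [.], ack 1, win 29200, length 0
10:05:00.030000 IP 192.0.2.20.40001 > 198.51.100.7.443: Flags [P.], seq 1:210, ack 1, win 29200, length 209
"""

if __name__ == "__main__":                            # name on argv, tcpdump text on stdin
    print(diagnose(sys.stdin, sys.argv[1]) if len(sys.argv) > 1 else
          {h: diagnose(c.splitlines(), h) for c, h in ((CAPTURE_OK, "asb.co.nz"),
           (CAPTURE_BLOCKED, "login.example"), (CAPTURE_STALLED, "stalled.example"))})
```

Run it live with `sudo tcpdump -nli enp1s0 "port 53 or port 443" | python3 tcpstage.py asb.co.nz` (the filename is mine; `-l` makes tcpdump line-buffer so the pipe sees packets as they arrive). The stage matters for the next step: `no_synack` means the SYN never reaches a listener or the reply is dropped on the way back, which is what a block at a firewall or reputation filter usually looks like, and `mtr` should then show where the path dies; `no_server_data` after a 200-odd byte ClientHello is consistent both with a block applied at the TLS layer and with a path-MTU black hole swallowing the large certificate segments, and the `ping -Mdo` test in step 3 is what separates those two.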

 




Aredwood (Uber Geek, 3885 posts)
#2208366 1-Apr-2019 02:08

From following some other links on that above thread: ASB use https://www.brightcloud.com/tools/url-ip-lookup.php

And they block IPs with a low reputation. I tested both my IPv6 and IPv4 addresses, and that website listed a much lower reputation for my IPv6 address, which would explain why disabling IPv6 fixed the problem in the other thread.

It was also mentioned that they block known Tor exit nodes as well.

Paging @asb also.

Although the ASB website and app work just fine for me from IPv6.

LikesTV (Wannabe Geek, 6 posts)
#2209289 2-Apr-2019 10:26

@Aredwood: That's a really helpful suggestion: the Brightcloud database identified the source site as High risk, and ASB have confirmed to us that they use the results from this database.

We are investigating further as to whether this is a device on the network or someone spoofing the public IP address.

raytaylor (Uber Geek, 4014 posts, Trusted)
#2211431 5-Apr-2019 17:05

I have found it to be customers with viruses sending out spam or other known worms.

Check out https://mxtoolbox.com/blacklists.aspx

Put in your IP address to see if you are on any lists. There are a couple of honeypots which it checks, and you just need to block the outgoing traffic and log it to see where in your network it's coming from.

yitz (Uber Geek, 2074 posts)
#2211434 5-Apr-2019 17:18

Aredwood: I tested both my IPv6 and IPv4 addresses, and that website listed a much lower reputation for my IPv6 address.

For IPv6 did you enter a prefix or a single address?

Seems if I enter any range it returns with "Suspicious (40 of 100)." Not sure how the system works.

LikesTV (Wannabe Geek, 6 posts)
#2229188 2-May-2019 09:29

Since the original post, I have installed an old firewall in the data path (in Virtual Wire mode) in order to monitor traffic coming out of the network.

I now have heaps of logs of traffic identifying IP destination address, country, port, application (where available), but I struggle to identify what may be mischievous activity, or if there even is any. Brightcloud no longer identifies the site as being blocked, so it is possible that anything that was going on before has now stopped.

Can anyone suggest a good tool that I can use to review the logs and see if there are suspicious patterns of activity?
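For the log review question, here is an added example (mine, not part of the thread and not a tool any poster used) that runs over exported outbound firewall records and pulls out the three behaviours that most often get a customer IP onto the lists mxtoolbox queries: workstations sending SMTP directly to many mail exchangers, one host touching many destinations on a single port (worm or scanner), and a flow that checks in at a fixed interval. The CSV column layout (time,src,dst,dport,proto,country), the thresholds and the sample records are all assumptions; adapt `parse` to whatever the firewall actually exports.

```python
"""Triage outbound firewall logs for the behaviours that get a public IP listed:
direct-to-MX spam, port fan-out (worm/scanner) and fixed-interval beaconing.
Added example, not from the thread. Column layout and thresholds are assumptions."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def parse(text):
    """CSV with header time,src,dst,dport,proto,country (assumed export format)."""
    return [{"time": datetime.fromisoformat(r["time"]), "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "proto": r["proto"]}
            for r in csv.DictReader(io.StringIO(text))]

def smtp_senders(events, mail_servers=frozenset(), min_dsts=5):
    """Hosts other than the known relays talking SMTP to many distinct peers."""
    peers = defaultdict(set)
    for e in events:
        if e["dport"] == 25 and e["src"] not in mail_servers:
            peers[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in peers.items() if len(d) >= min_dsts}

def fan_out(events, min_targets=20):
    """(src, dport) pairs that touched many destinations: scanning or worm spread."""
    targets = defaultdict(set)
    for e in events:
        targets[(e["src"], e["dport"])].add(e["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def beacons(events, min_hits=5, max_jitter=0.2):
    """(src, dst, dport) flows repeating at a near-constant interval: C2 check-in candidates."""
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dst"], e["dport"])].append(e["time"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            found[key] = round(mean)          # period in seconds
    return found

def triage(text, mail_servers=frozenset()):
    """All three checks over one log export; mail_servers are the legitimate relays."""
    events = parse(text)
    return {"smtp_senders": smtp_senders(events, mail_servers),
            "fan_out": fan_out(events), "beacons": beacons(events)}

def build_sample_log():
    """Constructed sample: one clean host plus three misbehaving ones (RFC 5737 addresses)."""
    t0 = datetime(2019, 4, 20, 10, 0, 0)
    rows = ["time,src,dst,dport,proto,country"]
    def add(sec, src, dst, dport):
        rows.append(f"{(t0 + timedelta(seconds=sec)).isoformat()},{src},{dst},{dport},tcp,XX")
    for i in range(5):                        # ordinary browsing
        add(7 * i, "10.2.1.50", f"203.0.113.{i + 1}", 443)
    for i in range(25):                       # spam bot: direct to 25 different MX hosts
        add(2 * i, "10.2.1.77", f"198.51.100.{i + 1}", 25)
    for i in range(40):                       # worm/scanner: SMB to 40 hosts
        add(i, "10.2.1.88", f"203.0.113.{100 + i}", 445)
    for i in range(8):                        # beacon: same destination every 60 s
        add(60 * i, "10.2.1.99", "198.51.100.200", 8080)
    return "\n".join(rows)

if __name__ == "__main__":
    for kind, hits in triage(build_sample_log()).items():
        print(kind, hits)
```

Pass the real mail relays in `mail_servers` so they are not reported; anything left in `smtp_senders` is the first thing to isolate, because direct-to-MX port 25 traffic from a workstation is exactly the behaviour the spam-trap based lists are built from. Fan-out on 445 or 23 points at a worm or scanner. Beacons need a look at the destination before judging, since software updaters and monitoring agents also check in on a timer, but a fixed period to an unfamiliar address on an odd port is worth a capture.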

 

 

 

 

 

 

