Geolocating IPs is harder than you think
There are several resources available that assist in geolocating IP addresses. Commercial offerings like MaxMind (which also offers a free database) have a pretty good track record in locating a particular IP address. But still, there are several difficulties when it comes to IP address-based geolocation.
First, let's look at some of the options to geolocate a computer. There are two basic methods that can be used:
1 - Geolocation By IP Address
This is probably the simplest method, as it does not require a "cooperating client" (more about that later). It can also be applied after the fact to log entries, which the other method does not allow. You will typically rely on geolocation databases. These databases can be reasonably accurate if the information ISPs provide about their address assignments is accurate.
Common problem cases:
- Mobile phones: Mobile operators commonly use Carrier-Grade NAT (CGNAT). The user's public IP address may change very frequently, and the granularity of the information is limited by the design of the mobile operator's network. Many operators have multiple gateways that correlate with certain geographic regions. In the extreme, an operator may use only one gateway globally, in which case the address tells you little more than who the operator is.
- Satellite connections: It should be obvious that for satellite connections, all bets are off as to the user's geographic location. For traditional satellite operators like ViaSat and Hughes, only a few satellites serve all users globally, making geolocation impossible. For newer large constellations, like Starlink, some regional information may be available. A particular satellite typically covers a particular region of the globe and relays traffic to a ground station close to the user. But this information is still not very granular. For Starlink, the hostname the IP resolves to includes the name of the "Point of Presence" (POP), i.e., where the traffic enters the terrestrial network, not where the user terminal is. For example, 98.97.178.235 is the IP address that was used for the hotel at our SANS event in Orlando this spring. It resolves to customer.atlagax1.pop.starlinkisp.net, indicating that this connection may have used a POP in Atlanta, GA. Close, but still a different state. MaxMind also uses Atlanta, GA, as the location for this IP address.
- Datacenters/Cloud: Data centers providing cloud services are growing rapidly, and their operators sometimes get creative when it comes to using IP addresses. They may move address blocks between data centers as needed, which is not always reflected promptly in the respective geolocation databases.
- VPNs: For VPN users, you will get the IP address of the VPN exit. Sometimes, you may be able to identify the VPN, but this is hit-or-miss. Most commercial VPNs use servers in datacenters. A user using a desktop browser but originating from a datacenter/cloud IP address is likely using a VPN.
To look up the location of an IP address without using a commercial database, "whois" is often used to identify the ISP owning the address. For example, let's pick 70.91.122.90. This address falls into the 70.88.0.0/14 block, which ARIN allocated to Comcast. Comcast has, in the past, provided more detailed data in its whois records, but I have not seen this recently.
Your next step should be reverse resolving the IP address. Many ISPs, as you saw for Starlink above, will offer additional details as part of the hostname.
I do like to follow this up with a traceroute. A traceroute will sometimes show the hostnames of routers, which may again include indicators of their location. But this can be ambiguous: a router name tells you where that router is, not necessarily where the destination host sits, and the last hops of the path are often the ones that do not resolve at all.
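The whois and reverse-DNS steps above lend themselves to a small script. The following is an added example, not code from the original diary: it checks that an address really falls inside the block whois reports for it and pulls the POP hint out of a Starlink-style reverse name. The whois text is a constructed excerpt in ARIN's "Key: value" layout, not a live lookup, and reading the POP label as a four-letter city code followed by a two-letter state code is an interpretation of the Atlanta example above, not a documented Starlink convention.

```python
import ipaddress
import re

# Constructed whois excerpt in ARIN's "Key: value" layout; not a live lookup.
WHOIS_SAMPLE = """\
NetRange:       70.88.0.0 - 70.91.255.255
CIDR:           70.88.0.0/14
NetName:        CABLE-EXAMPLE
OrgName:        Comcast Cable Communications, LLC
Country:        US
"""

# Assumed reading of the Starlink POP label: <4-letter city><2-letter state>x<n>.
# Only "atla" (Atlanta) is supported by the diary; the table is meant to be extended.
POP_CITY = {"atla": "Atlanta"}

STARLINK_POP = re.compile(
    r"^customer\.([a-z]{4})([a-z]{2})x\d+\.pop\.starlinkisp\.net\.?$"
)


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict (a repeated key keeps the last value)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def address_in_block(ip, whois_fields):
    """True if ip lies inside one of the CIDRs the whois record claims.

    ARIN may list several blocks separated by commas, so split before parsing.
    """
    addr = ipaddress.ip_address(ip)
    blocks = [ipaddress.ip_network(c.strip(), strict=False)
              for c in whois_fields["CIDR"].split(",")]
    return any(addr in block for block in blocks)


def starlink_pop_hint(hostname):
    """Extract the POP (not the user!) location from a Starlink reverse name."""
    m = STARLINK_POP.match(hostname.strip().lower())
    if not m:
        return None
    city_code, state = m.groups()
    return {
        "pop_code": city_code + state,
        "city": POP_CITY.get(city_code),   # None when the code is not in our table
        "state": state.upper(),
        "granularity": "pop",              # the terminal may be a state or more away
    }


def summarize(ip, whois_text, ptr_name=None):
    """Combine the whois and reverse-DNS evidence into one record."""
    fields = parse_whois(whois_text)
    return {
        "ip": ip,
        "org": fields.get("OrgName"),
        "block": fields.get("CIDR"),
        "in_block": address_in_block(ip, fields),
        "ptr": ptr_name,
        "pop_hint": starlink_pop_hint(ptr_name) if ptr_name else None,
    }


if __name__ == "__main__":
    # The Comcast address from the text, checked against the constructed whois record.
    print(summarize("70.91.122.90", WHOIS_SAMPLE))
    # The Starlink reverse name from the text: we only learn the POP, Atlanta, GA.
    print(starlink_pop_hint("customer.atlagax1.pop.starlinkisp.net"))
```

Treat the "granularity" field as the important output: a POP-level hint is evidence about where the ISP hands the traffic off, and the Orlando-versus-Atlanta case above shows how far that can be from the user.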
Let's consider this IP address: 77.35.134.111:
- reverse resolution fails.
- Whois indicates that it is owned by Rostelecom (Russia) and assigned to "Dynamic Broadband Clients."
- Traceroute: US -> Germany -> Russia. But the traceroute peters out, and the last responding router shows a very high latency (around 300 ms). The address itself responds to ping with a latency of around 300 ms.
- Rostelecom has a looking-glass server: http://lg.ip.rt.ru/ . No real help from it (maybe someone else can get some details from it?)
- MaxMind puts it into Vladivostok, RU. That sort of matches the latency and all.
- Shodan shows the IP address has port 5060 open (SIP), consistent with a broadband modem that also provides VoIP service.
So we have a reasonable case for the address being located in Vladivostok. Or could it be located a few miles further south, in North Korea? Latency alone cannot tell two nearby locations apart. To double-check, we would have to compare against other Vladivostok IPs to see if they show similar latencies.
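The latency argument above can be made precise. What follows is an added example, not code from the original diary: light in fibre covers roughly 200 km per millisecond, so a claimed location can be ruled out when the measured round-trip time is lower than the great-circle distance physically allows, but a consistent RTT never confirms the location, because real paths (US -> Germany -> Russia here) are much longer than the great circle. The vantage point (New York) is an assumption, since the diary does not say where the traceroute was run from, and the Vladivostok and Pyongyang coordinates are approximate.

```python
import math

FIBRE_KM_PER_MS = 200.0      # light in fibre, about 2/3 c; an approximation
EARTH_RADIUS_KM = 6371.0

# Assumed vantage point: the diary does not say where the measurements were taken.
NEW_YORK = (40.7128, -74.0060)
# Candidate locations for 77.35.134.111 (approximate coordinates, assumed).
VLADIVOSTOK = (43.1155, 131.8855)
PYONGYANG = (39.0392, 125.7625)


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(vantage, claimed):
    """Lowest RTT physics allows if the host really is at `claimed`."""
    return 2 * great_circle_km(vantage, claimed) / FIBRE_KM_PER_MS


def location_refuted(vantage, claimed, measured_rtt_ms):
    """True when the measured RTT is too low for the claimed location.

    False means "not refuted", never "confirmed": routing detours, queueing
    and CGNAT all add delay, so RTT only ever gives a lower bound on distance.
    """
    return measured_rtt_ms < min_rtt_ms(vantage, claimed)


def rtt_can_distinguish(vantage, loc_a, loc_b, noise_ms=20.0):
    """Can RTT alone separate two candidate locations, given measurement noise?"""
    return abs(min_rtt_ms(vantage, loc_a) - min_rtt_ms(vantage, loc_b)) > noise_ms


if __name__ == "__main__":
    measured = 300.0   # the ping latency reported in the text, in ms
    print(f"minimum RTT New York -> Vladivostok: {min_rtt_ms(NEW_YORK, VLADIVOSTOK):.0f} ms")
    print("Vladivostok refuted by 300 ms?", location_refuted(NEW_YORK, VLADIVOSTOK, measured))
    print("Vladivostok refuted by 50 ms? ", location_refuted(NEW_YORK, VLADIVOSTOK, 50.0))
    print("RTT separates Vladivostok from Pyongyang?",
          rtt_can_distinguish(NEW_YORK, VLADIVOSTOK, PYONGYANG))
```

From New York the physical minimum to Vladivostok is roughly 100 ms, so the 300 ms seen in the text is comfortably consistent; a 50 ms measurement would have ruled the claim out. The Vladivostok and Pyongyang minimums differ by only a few milliseconds, well inside normal jitter, which is why the diary's "or is it North Korea?" question cannot be settled by latency and needs the comparison against other Vladivostok addresses.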
2 - Operating System APIs
Most desktop and mobile operating systems include geolocation APIs. They may use nearby WiFi networks, built-in GPS receivers, or, on mobile phones, nearby cell towers to determine the device's location. You can only use this feature while the user is connected to you, and the user has to grant access to the API. Of course, the user may send whatever location they wish. But with a collaborating client, this can be very accurate, and it works great for mapping. This is one reason why Google recently started serving Google Maps from "google.com/maps." Users will gladly give Google Maps access to their location; after all, the map needs to know where you are to give directions. But because browsers scope that permission to the origin, using "google.com/maps" instead of "maps.google.com" means all "google.com" properties now have access to the user's location once the user granted it on google.com/maps.
Summary
Accurate geolocation is hard without a collaborating user. With many users using mobile devices, VPNs, or even satellite connections, IP addresses are becoming a less reliable source of geolocation information. You should probably not rely on geolocation for security-relevant decisions. Disabling access to your site from certain locations can help "keep the noise down" but is easily bypassed.
Let me know if you encountered any "tricky" IP addresses where you had difficulty geolocating them.
Also, here is a link to a "funny" story about what happens if people rely on geolocation data:
https://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Comments
Ken
May 11th 2023
Martijn
May 15th 2023
Arelion, formerly Telia Sonera.
Path #1: Received by speaker 0
12389
80.239.128.75 from 80.239.128.75 (188.128.104.51)
Origin IGP, metric 0, localpref 200, valid, external, best, group-best, import-candidate
Communities:
1299:430
(RPKI state Valid)
1299:5009
(Do NOT announce to ANY peer in North America)
1299:7009
(Do NOT announce to ANY peer in Asia)
1299:1000 1299:30000 1299:30200 12332:1000 12332:25001 12332:30800
Looking glass places it in Rostelecom "Far East". AS12389.
"Rostelecom - Far East", having its administrative center in the city of Vladivostok, was created in April 2011 on the basis of JSC Dalsvyaz after that company's accession to JSC Rostelecom, and today integrates seven regional branches: Amur, Kamchatka, Magadan, Seaside, Sakhalin, Khabarovsk, and also the SakhaTelecom branch.
Martijn
Jun 17th 2023