Last Updated: 2023-05-11 13:33:32 UTC
by Johannes Ullrich (Version: 1)
There are several resources available that assist in geolocating IP addresses. Commercial offerings like MaxMind (which also offers a free database) have a pretty good track record in locating a particular IP address. But still, there are several difficulties when it comes to IP address-based geolocation.
First, let's look at some of the options to geolocate a computer. There are two basic methods that can be used:
1 - Geolocation By IP Address
This is probably the simplest method as it does not require a "cooperating client" (more about that later). It may also be performed after the fact on log entries, which other methods do not allow. You will typically rely on geolocation databases. These databases can be reasonably accurate if the information ISPs provide is accurate.
Common problem cases:
- Mobile phones: Mobile operators commonly use "Carrier Grade NAT (cgNAT)." The user's IP address may change very frequently, and the granularity of the information is limited by the design of the mobile operator's network. Many have multiple gateways that may correlate with certain geographic regions. Theoretically, the operator may use only one gateway globally.
- Satellite connections: It should be obvious that for satellite connections, all bets are off as to the user's geographic location. For traditional satellite operators like ViaSat and Hughes, only a few satellites are used for all users globally, making geolocation impossible. For newer large constellations, like Starlink, some regional information may be available. A particular satellite typically will cover a particular region of the globe and relay traffic to a base station close to the user. But this information is still not very granular. For Starlink, the hostname the IP resolves to includes the name of the "Point of Presence" (POP). For example, 220.127.116.11 is the IP address that was used for the hotel at our SANS event in Orlando this spring. It resolves to: customer.atlagax1.pop.starlinkisp.net, indicating that this connection may have used a POP in Atlanta, GA. Close, but still a different state. MaxMind also uses Atlanta, GA, as the location for this IP address.
- Datacenters/Cloud: Currently, data centers providing cloud services are experiencing rapid growth. As a result, operators of these data centers are sometimes getting creative when it comes to using IP addresses. They may move IP addresses between data centers as needed, which may not always be reflected in respective databases.
- VPNs: For VPN users, you will get the IP address of the VPN exit. Sometimes, you may be able to identify the VPN, but this is hit-or-miss. Most commercial VPNs use servers in datacenters. A user using a desktop browser but originating from a datacenter/cloud IP address is likely using a VPN.
To look up the location of an IP address without using a commercial database, "whois" is often used to identify the ISP owning the address. For example, let's pick 18.104.22.168. This IP address was issued to ARIN, which handed Comcast the 22.214.171.124/14 block. Comcast has, in the past, provided more detailed data, but I have not seen this recently.
Your next step should be reverse resolving the IP address. Many ISPs, as you saw for Starlink above, will offer additional details as part of the hostname.
I do like to follow this up with a traceroute. A traceroute will sometimes show the hostnames of routers, which may again include indicators of their location. But this can sometimes be ambiguous.
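The reverse-resolution step above, and the trick of reading location codes out of the resulting hostname, can be automated. The following is an added example, not code from the diary: it wraps the PTR lookup (which needs network access) and parses Starlink-style `...pop.starlinkisp.net` labels as well as generic router labels such as `fra1`. The `CITY_CODES` table, the `ROUTER_LABEL` pattern and the sample hostnames are constructed assumptions; real operators use many more codes and not always airport-style ones, so a non-match means "no hint", not "no location".

```python
"""Added example: pull coarse location hints out of reverse-DNS hostnames."""
import re
import socket
from typing import List, Optional, Tuple

# Constructed sample table of codes ISPs embed in router/POP hostnames.
# Real networks use far more codes, so absence of a match is not evidence.
CITY_CODES = {
    "atl": "Atlanta, GA",
    "fra": "Frankfurt, DE",
    "lax": "Los Angeles, CA",
    "mco": "Orlando, FL",
    "sea": "Seattle, WA",
}

# Starlink PTRs look like customer.<pop-label>.pop.starlinkisp.net; the first
# three letters of the POP label resemble an airport code (e.g. "atlagax1").
STARLINK_POP = re.compile(r"\.([a-z0-9]+)\.pop\.starlinkisp\.net$")

# Generic router label such as "fra1" or "atl2": three letters plus optional digits.
ROUTER_LABEL = re.compile(r"^([a-z]{3})\d*$")


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup for ip; None when reverse resolution fails. Needs network access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def location_hints(hostname: str) -> List[Tuple[str, str, str]]:
    """Return (source, label, guessed location) for each recognised label.

    The guess is only as good as the operator's naming scheme, which is why
    the result is a list of hints rather than a single answer.
    """
    host = hostname.lower().rstrip(".")
    hints: List[Tuple[str, str, str]] = []

    m = STARLINK_POP.search(host)
    if m:
        label = m.group(1)
        code = label[:3]
        hints.append(("starlink-pop", label, CITY_CODES.get(code, f"unknown code {code}")))

    for label in host.split("."):
        r = ROUTER_LABEL.match(label)
        if r and r.group(1) in CITY_CODES:
            hints.append(("router-label", label, CITY_CODES[r.group(1)]))
    return hints


def describe(ip: str, hostname: Optional[str]) -> str:
    """One-line summary suitable for a log-enrichment step."""
    if hostname is None:
        return f"{ip}: reverse resolution fails; fall back to whois/traceroute/latency"
    hints = location_hints(hostname)
    if not hints:
        return f"{ip}: {hostname} carries no recognised location label"
    joined = "; ".join(f"{src} {label} -> {where}" for src, label, where in hints)
    return f"{ip}: {hostname} -> {joined}"


if __name__ == "__main__":
    # Constructed inputs modelled on the hostnames discussed in the diary
    # (documentation-range IPs, not the addresses from the text).
    samples = {
        "203.0.113.10": "customer.atlagax1.pop.starlinkisp.net",
        "198.51.100.7": "ae1-0.cr1.fra1.example.net",
        "192.0.2.33": None,
    }
    for ip, name in samples.items():
        print(describe(ip, name))
```

For live use, replace the constructed `samples` with `reverse_lookup(ip)` results; the parsing functions are deliberately separated so they can also be run after the fact over hostnames already recorded in logs.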
Let's consider this IP address: 126.96.36.199:
- reverse resolution fails.
- Whois indicates that it is owned by Rostelecom (Russia) and assigned to "Dynamic Broadband Clients."
- Traceroute: US -> Germany -> Russia. But the traceroute "peters out," and the last router has a very high latency (around 300 ms). The address responds to ping with a latency of around 300 ms.
- Rostelecom has a looking-glass server: http://lg.ip.rt.ru/ . No real help from it (maybe someone else can get some details from it?)
- MaxMind puts it into Vladivostok, RU. That sort of matches the latency and all.
- Shodan shows the IP address has port 5060 open (SIP), consistent with a broadband modem that also provides VoIP service.
So we have a reasonable case for the address being located in Vladivostok. Or could it be located a few miles further south in North Korea? To double-check, we would have to compare to other Vladivostok IPs to see if they have similar latencies.
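The latency comparison suggested above can be made a little more rigorous with a speed-of-light bound: a round trip can never be faster than light in fibre over the great-circle distance, so a low RTT can rule a candidate city out, while a high RTT only says the path is at least that long. The following is an added example, not part of the diary. It assumes roughly 200,000 km/s for light in fibre (about 2/3 c, a standard working figure) and uses constructed approximate coordinates for a probe near Washington, DC, for Frankfurt, Vladivostok and Pyongyang; it goes slightly beyond the text by also showing why latency alone cannot separate Vladivostok from North Korea.

```python
"""Added example: check a geolocation guess against observed round-trip time."""
import math
from typing import Sequence, Tuple

EARTH_RADIUS_KM = 6371.0
# Light in single-mode fibre covers roughly 200 km per millisecond (~2/3 c).
# This is the usual working assumption, not a measurement of any real path.
FIBRE_KM_PER_MS = 200.0

Coord = Tuple[float, float]  # (latitude, longitude) in decimal degrees

# Constructed approximate coordinates used for the worked case below.
PROBE_DC = (38.9, -77.0)       # hypothetical probe near Washington, DC
FRANKFURT = (50.1, 8.7)        # the "Germany" hop seen in the traceroute
VLADIVOSTOK = (43.1, 131.9)    # MaxMind's answer for the address
PYONGYANG = (39.0, 125.8)      # the "a few miles further south" alternative


def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(path: Sequence[Coord]) -> float:
    """Lower bound on round-trip time for a path through the given waypoints.

    Real paths add queueing and routing detours, so observed RTTs are always
    higher; the bound is only useful for ruling candidates out.
    """
    distance = sum(haversine_km(path[i], path[i + 1]) for i in range(len(path) - 1))
    return 2 * distance / FIBRE_KM_PER_MS


def location_is_possible(observed_rtt_ms: float, probe: Coord, candidate: Coord,
                         via: Sequence[Coord] = ()) -> bool:
    """True unless the observed RTT is faster than physics allows for the candidate."""
    return observed_rtt_ms >= min_rtt_ms([probe, *via, candidate])


def distinguishable(probe: Coord, a: Coord, b: Coord, jitter_ms: float) -> bool:
    """Can latency from this probe tell candidate a from candidate b at all?

    If the two lower bounds differ by less than the measurement jitter, a
    single vantage point cannot separate them, whatever the observed RTT.
    """
    return abs(min_rtt_ms([probe, a]) - min_rtt_ms([probe, b])) > jitter_ms


if __name__ == "__main__":
    observed = 300.0  # ms, the ping latency quoted in the diary
    print(f"floor DC->Vladivostok direct:       {min_rtt_ms([PROBE_DC, VLADIVOSTOK]):.0f} ms")
    print(f"floor DC->Frankfurt->Vladivostok:   {min_rtt_ms([PROBE_DC, FRANKFURT, VLADIVOSTOK]):.0f} ms")
    print(f"300 ms consistent with Vladivostok: {location_is_possible(observed, PROBE_DC, VLADIVOSTOK, [FRANKFURT])}")
    print(f"50 ms consistent with Vladivostok:  {location_is_possible(50.0, PROBE_DC, VLADIVOSTOK)}")
    print(f"Vladivostok vs Pyongyang separable:  {distinguishable(PROBE_DC, VLADIVOSTOK, PYONGYANG, 20.0)}")
```

The floor for the path via Frankfurt comes out around 150 ms, so 300 ms is perfectly consistent with Vladivostok but does not confirm it; the roughly 6 ms difference between the Vladivostok and Pyongyang bounds is far below typical jitter, which is exactly why the diary falls back to comparing against other known Vladivostok addresses rather than trusting one measurement.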
2 - Operating System APIs
Most desktop operating systems include geolocation APIs. They may use local WiFi networks, built-in GPS receivers, or for mobile phones, local cell phone towers to determine their location. You will only be able to use this feature while the user is connected to you, and the user will have to allow access to the API. Of course, the user may send whatever location they wish to. But with a collaborating client, this can be very accurate. It works great for mapping. This is one reason why Google recently started using "google.com/maps" for its "Google Maps." Users will gladly give Google Maps access to their location. After all, the map needs to know where you are to give directions. But by using "google.com/maps" instead of "maps.google.com," all "google.com" properties now have access to the user's location after the user gave access to the location on google.com/maps.
Accurate geolocation is hard without a collaborating user. With many users using mobile devices, VPNs, or even satellite connections, IP addresses are becoming a less reliable source of geolocation information. You should probably not rely on geolocation for security-relevant decisions. Disabling access to your site from certain locations can help "keep the noise down" but is easily bypassed.
Let me know if you encountered any "tricky" IP addresses where you had difficulty geolocating them.
Also, here is a link to a "funny" story about what happens if people rely on geolocation data: