The topic of finding the location of an IP address has been addressed multiple times in blog posts, Twitter threads and even in one of our webcasts. In this post we'll talk about IP addresses, the dangers of trying to tie them to a location, and proper ways to determine a geographic area. Tying a real-world location to an IP address is not only nearly impossible, it is also very dangerous, as was discussed in this Gizmodo article.
An IP2Geo provider has a database with information on the geographical location of an IP address. Some claim they have very accurate information, but how reliable is this? Let’s have a look at the IP address: 126.96.36.199. We’ll be using the website resolve.rs for this, since they have over 20 IP2Geo providers that they query for a given address. We run a query and we see a lot of differences in the results. At the time of writing this article, the results were confusing to say the least:
- BigDataCloud tells us this IP address is located in Jakarta, Indonesia
- IP-API, ipdata and even Maxmind claim the IP is based in St. Petersburg, Russia
- ipgeolocation and radar.io say the location is London, England
- ipapi and ipstack are more specific with the London borough of Islington, England
- IPinsight claims it’s in Amsterdam, the Netherlands.
A service that didn't show its result on the website was HostIP.info. After querying them manually the following result came back:

    Country: UNITED STATES (US)
    City: (Unknown city)
    IP: 188.8.131.52

As you can see, there are a lot of different answers on where this IP address should actually be. There are several reasons for this, but they usually go back to how the IP2Geo provider uses the data that they fetched from the Whois information. They have old data, they process the results incorrectly, or they do not take into consideration that the IP address is of a company that has a physical presence in multiple countries. And it’s even possible that an American company is the owner of a set of IP addresses, a UK company currently uses some, but they have their network operations center in Germany. And it’s possible those three locations are all mentioned in a Whois answer, thus making it very difficult to scrape and parse automatically.
Besides using an IP2Geo service, there's a different way of finding a possible location of an IP address: running a traceroute. This is a technique where several data packets are sent towards a target, while mapping the route this internet traffic takes. By investigating the traffic, and paying attention to the IP addresses it passes, we can map out a route and even plot it on a map. Within Windows there is the tool tracert, and for Linux and macOS the tool traceroute can be run. When running a traceroute to the IP address, we get the following result:

    $ traceroute 184.108.40.206
    traceroute to 220.127.116.11 (18.104.22.168), 64 hops max, 52 byte packets
     1 10.7.2.1 (10.7.2.1) 12.766 ms 5.771 ms 5.499 ms
     2 22.214.171.124 (126.96.36.199) 102.204 ms 13.604 ms 7.352 ms
     3 188.8.131.52 (184.108.40.206) 6.523 ms 5.682 ms 5.659 ms
     4 adm-b1-link.ip.twelve99.net (220.127.116.11) 6.512 ms 6.189 ms 6.491 ms
     5 adm-bb4-link.ip.twelve99.net (18.104.22.168) 13.187 ms
       adm-bb3-link.ip.twelve99.net (22.214.171.124) 13.490 ms 15.009 ms
     6 ffm-bb1-link.ip.twelve99.net (126.96.36.199) 13.627 ms
       prs-bb2-link.ip.twelve99.net (188.8.131.52) 21.899 ms
       ffm-bb2-link.ip.twelve99.net (184.108.40.206) 14.246 ms
     7 ffm-b5-link.ip.twelve99.net (220.127.116.11) 14.189 ms
       ffm-bb2-link.ip.twelve99.net (18.104.22.168) 20.464 ms
       ffm-b5-link.ip.twelve99.net (22.214.171.124) 13.883 ms
     8 ffm-b5-link.ip.twelve99.net (126.96.36.199) 19.559 ms
       retn-svc072993-ic360713.ip.twelve99-cust.net (188.8.131.52) 16.676 ms 63.073 ms
     9 ae0-2.rt.ir9.ams.nl.retn.net (184.108.40.206) 13.861 ms 12.296 ms 12.555 ms
    10 gw-joyfortune.retn.net (220.127.116.11) 12.644 ms 14.030 ms 15.652 ms
    11 18.104.22.168 (22.214.171.124) 12.685 ms 12.767 ms 13.054 ms

If we want to find out where the IP address is located, we should pay attention to the last or second-to-last 'hop', or individual routing device, before we reach the actual destination. In line number 10 we see the IP address 126.96.36.199, and the part 'ams.nl' in the name of the device suggests this might actually be a little hop into the Netherlands, before the traffic hits one other device that brings us to the IP address. This might already be an indication we'll end up in the Netherlands.
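The hop-reading step described above can be automated. The following is an added example, not code from the original post: it parses the tail of the traceroute output and walks back from the destination to the first router name carrying a location label. The `HINTS` table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the last hops of the traceroute output shown above.
SAMPLE = """\
 8 ffm-b5-link.ip.twelve99.net (126.96.36.199) 19.559 ms
   retn-svc072993-ic360713.ip.twelve99-cust.net (188.8.131.52) 16.676 ms 63.073 ms
 9 ae0-2.rt.ir9.ams.nl.retn.net (184.108.40.206) 13.861 ms 12.296 ms 12.555 ms
10 gw-joyfortune.retn.net (220.127.116.11) 12.644 ms 14.030 ms 15.652 ms
11 18.104.22.168 (22.214.171.124) 12.685 ms 12.767 ms 13.054 ms
"""

# Assumed label -> place table. Operators choose their own codes, so treat
# this as an illustration and not an authoritative list.
HINTS = {"ams": "Amsterdam", "adm": "Amsterdam", "ffm": "Frankfurt", "prs": "Paris"}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")
HOST_RE = re.compile(r"(\S+) \((\d+(?:\.\d+){3})\)((?:\s+[\d.]+ ms)+)")

def parse_hops(text):
    """Return [(hop_no, [(host, ip, [rtt_ms, ...]), ...]), ...] in hop order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # a new hop starts with its number; other lines continue the hop
            hops.append((int(m.group(1)), []))
            line = m.group(2)
        if not hops:
            continue
        for host, ip, rtts in HOST_RE.findall(line):
            times = [float(x) for x in re.findall(r"([\d.]+) ms", rtts)]
            hops[-1][1].append((host, ip, times))
    return hops

def hints_for(host):
    """Places suggested by the labels of a router hostname."""
    return [HINTS[l] for l in re.split(r"[.-]", host.lower()) if l in HINTS]

def nearest_hint(hops):
    """Return (hop_no, host, place, gap_ms) for the named hop nearest the target.
    gap_ms is the destination's best RTT minus that hop's best RTT."""
    dest_best = min(r for _, _, rtts in hops[-1][1] for r in rtts)
    for hop_no, responders in reversed(hops[:-1]):
        for host, _, rtts in responders:
            places = hints_for(host)
            if places:
                return hop_no, host, places[0], round(dest_best - min(rtts), 3)
    return None
```

A gap of well under a millisecond between the labelled router and the destination supports the hostname hint; a large gap means the label says little about where the destination itself sits.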
For this, I'll be using a so-called ping. A ping is nothing more than a tool that sends out a small request to a server, asking it to send back an answer straight away. After receiving the answer, it measures how long it took to receive that specific answer, called the 'round-trip time'. There are two very helpful online tools that can help us here. The first one is https://tools.keycdn.com/ping, and the second one is http://ping.pe. Both these sites send out a ping request from multiple locations, which can help us find out what geographical location responds the fastest. The faster the response, the physically closer we are to the actual IP address.
As can be seen above, the ping from Amsterdam does indeed get the fastest response, giving us enough information to conclude it is most likely an IP address that is located in Amsterdam.
Using a 'traceroute' and a 'ping' is the most reliable way to determine the most probable location of an IP address. Even APNIC, the regional Internet address registry for the Asia-Pacific region, states in this article that they: "consider the IP in the same economy as the LG if the traceroute confirms a topological proximity". Any other way of checking the location does not seem to meet their standards. No IP2Geo database in the world will be foolproof, so the only way to find a geographical area is to use basic physics to determine how long it takes for electricity or light to travel through a medium called a 'network cable'.
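The physics argument can be turned into a check on the conflicting IP2Geo answers listed earlier. This is an added example, not part of the original post: it converts each vantage point's round-trip time into a maximum possible distance and discards every candidate city that lies outside that radius. The RTT values are constructed, and the propagation speed of about two thirds of the speed of light in fibre is an assumption.

```python
from math import radians, sin, cos, asin, sqrt

FIBRE_KM_PER_MS = 200.0  # assumption: signal speed in fibre, about 2/3 of c

# Approximate city-centre coordinates (lat, lon).
CITIES = {
    "Amsterdam": (52.37, 4.90), "London": (51.51, -0.13),
    "Frankfurt": (50.11, 8.68), "St. Petersburg": (59.94, 30.31),
    "Jakarta": (-6.21, 106.85), "New York": (40.71, -74.01),
    "Singapore": (1.35, 103.82),
}

# Constructed measurements: best RTT in ms seen from each vantage point.
RTT_MS = {"Amsterdam": 1.2, "Frankfurt": 7.5, "London": 8.0,
          "New York": 78.0, "Singapore": 160.0}

# Cities named by the IP2Geo providers quoted in the post.
CANDIDATES = ["Jakarta", "St. Petersburg", "London", "Amsterdam"]

def distance_km(a, b):
    """Great-circle (haversine) distance between two entries of CITIES."""
    lat1, lon1, lat2, lon2 = map(radians, (*CITIES[a], *CITIES[b]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def max_distance_km(rtt_ms):
    """Upper bound on distance: half the round trip at fibre speed."""
    return rtt_ms / 2 * FIBRE_KM_PER_MS

def refuted_by(candidate, rtts=RTT_MS):
    """Vantage points whose RTT is too short for the target to be in `candidate`."""
    return [v for v, rtt in rtts.items()
            if distance_km(v, candidate) > max_distance_km(rtt)]

def consistent_candidates(candidates=CANDIDATES, rtts=RTT_MS):
    """Candidates that no measurement rules out."""
    return [c for c in candidates if not refuted_by(c, rtts)]

if __name__ == "__main__":
    for city in CANDIDATES:
        print(f"{city:15} ruled out by: {refuted_by(city) or 'nothing'}")
```

The bound only works in one direction: queuing and indirect routes inflate the round-trip time, so a low RTT rules distant locations out, while a high RTT proves nothing about distance.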