IP address lookup

Someone recently asked me how to get the physical location of an IP address. One of the better (free) services available on the Internet is the IP2Location (demo) service.

This feature might come in handy when you're trying to figure out who's attacking your application servers, but only when the TCP session has already been established: denial-of-service attacks commonly use fake source IP addresses.
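
An added example, not code from the original post: it counts requests per source address in web server log lines, which exist only for established TCP sessions, and maps each address to the location registered for the most specific address block containing it. The block table, log lines and function names are constructed for illustration; a real lookup would use a geolocation database or service.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data: RFC 5737 documentation ranges with made-up locations.
# A real lookup would query a geolocation database or service instead.
BLOCKS = {
    "198.51.100.0/24": "ISP-A head office, Country X",
    "198.51.100.128/25": "ISP-A regional block, City Y",
    "203.0.113.0/24": "ISP-B head office, Country Z",
}
# Constructed Common Log Format lines; logged only after the TCP handshake completes.
LOG = """\
198.51.100.200 - - [10/Oct/2008:13:55:36 +0000] "GET /a.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2008:13:55:37 +0000] "GET /b.html HTTP/1.1" 200 512
198.51.100.200 - - [10/Oct/2008:13:55:38 +0000] "GET /c.html HTTP/1.1" 200 1780
truncated line without the expected fields
192.0.2.10 - - [10/Oct/2008:13:55:39 +0000] "GET / HTTP/1.1" 200 4096
198.51.100.200 - - [10/Oct/2008:13:55:40 +0000] "GET /d.html HTTP/1.1" 200 990
203.0.113.7 - - [10/Oct/2008:13:55:41 +0000] "GET /e.html HTTP/1.1" 404 0
"""
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')

def locate(addr, blocks=BLOCKS):
    """Return the location of the most specific block containing addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, location in blocks.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else "unknown"

def top_sources(log_text, limit=3):
    """Count requests per source address and attach each block's location."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client field is a hostname, not an address
        counts[m.group(1)] += 1
    return [(ip, n, locate(ip)) for ip, n in counts.most_common(limit)]

if __name__ == "__main__":
    print(*top_sources(LOG), sep="\n")
```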

7 comments:

  1. It's a fun thing to do, but I wouldn't rely on it for anything serious. Anybody attacking your network is likely:

    A) Spoofing their address, in which case the location information will be wrong; or

    B) Using a botnet, in which case the location you get will be that of the bot, and not the actual attacker.

  2. Also, (at least in Sweden) the location reported will be the location of the owner of the IP, which is usually the ISP ;)

  3. @anonymous: (A) absolutely correct. The source IP address only makes sense if the TCP session is successfully established (= the source is obviously not spoofed), which usually coincides with a log entry on a server.

    (B) Most of the attacks I see in various server logs don't come from bots, but from script kiddies or someone downloading the whole web site content and overloading the server in the process. In both cases the IP address makes sense.

    @Freelancer: Correct. The location reported is whatever the ISP has entered in some database as the location for a particular IP address block. In some cases, it's the ISP's location, in other cases the ISP might have split the address range into regional blocks and registered them properly.

  4. Nevertheless, it has an additional business cause - to cut off unwanted traffic based on the country. securityfocus.com/infocus has a nice article about that. I know of one such production implementation, where on the perimeter there is a simple layer 3 packet filter IPtables-based FW that filters out unwanted traffic and thus lowers log clutter/IPS load/management burden.

  5. This is the full URL of the article Yuri is referring to:

    http://www.securityfocus.com/infocus/1900

    Thanks!

  6. Here is a good one: http://www.statsreview.com

  7. Thanks for giving this information. I am searching for how to change the IP address, and I also found a website for checking the IP address at http://www.ip-details.com/, free of cost.


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.