IP address lookup

Someone recently asked me how to get the physical location of an IP address. One of the better (free) services available on the Internet is the IP2Location (demo) service.

This feature might come handy if you're trying to figure out who's attacking your application servers (when the TCP session has already been established). Denial-of-service attacks commonly use fake source IP addresses.

Recent posts in the same categories

7 comments:

  1. Anonymous 22 October 2008 16:01
    It's a fun thing to do, but I wouldn't rely on it for anything serious. Anybody attacking your network is likely:

    A) Spoofing their address, in which case the location information will be wrong; or

    B) Using a botnet, in which case the location you get will be that of the bot, and not the actual attacker.
  2. Anonymous 22 October 2008 19:55
    Also, (at least in Sweden) the location reported will be the location of the owner of the IP, which is usually the ISP ;)
  3. Ivan Pepelnjak 22 October 2008 20:17
    @anonymous: (A) absolutely correct. The source IP address only makes sense if the TCP session is successfully established (= the source is obviously not spoofed), which usually coincides with a log entry on a server.

    (B) Most of the attacks I see in various server logs don't come from bots, but from script kiddies or someone downloading the whole web site content and overloading the server in the process. In both cases the IP address makes sense.

    @Freelancer: Correct. The location reported is whatever the ISP has entered in some database as the location for a particular IP address block. In some cases, it's the ISP's location, in other cases the ISP might have split the address range into regional blocks and registered them properly.
  4. Unknown 25 October 2008 17:50
    Nevertheless it has a additional business cause - to cut off unwanted traffic based on the country. securityfocus.com/infocus has a nice article about that. I know of one such production
    implementation , where on the perimeter there is
    a simple layer 3 packet filter IPtables based FW
    that filters out unwanted traffic and thus lowers
    logs clutter/IPS load/management burden.
  5. Ivan Pepelnjak 25 October 2008 18:14
    This is the full URL of the article Yuri is referring to:

    http://www.securityfocus.com/infocus/1900

    Thanks!
  6. Anonymous 03 November 2008 16:20
    here is a good one http://www.statsreview.com
  7. radha65 23 July 2009 13:30
    Thanks for giving this information. I am searching for how to change the ip address. and also i found a website for chk the ip address from http://www.ip-details.com/ at a free of cost.
Add comment
Home
Sidebar