

  1. It's a fun thing to do, but I wouldn't rely on it for anything serious. Anybody attacking your network is likely:

    A) Spoofing their address, in which case the location information will be wrong; or

    B) Using a botnet, in which case the location you get will be that of the bot, and not the actual attacker.
  2. Also, (at least in Sweden) the location reported will be the location of the owner of the IP, which is usually the ISP ;)
  3. @anonymous: (A) absolutely correct. The source IP address only makes sense if the TCP session is successfully established (= the source is obviously not spoofed), which usually coincides with a log entry on a server.

    (B) Most of the attacks I see in various server logs don't come from bots, but from script kiddies or someone downloading the whole web site content and overloading the server in the process. In both cases the IP address makes sense.

    @Freelancer: Correct. The location reported is whatever the ISP has entered in some database as the location for a particular IP address block. In some cases, it's the ISP's location, in other cases the ISP might have split the address range into regional blocks and registered them properly.
  4. Nevertheless, it has an additional business cause - to cut off unwanted traffic based on the country. has a nice article about that. I know of one such production implementation, where on the perimeter there is a simple layer 3 packet filter iptables-based FW that filters out unwanted traffic and thus lowers log clutter/IPS load/management burden.
  5. This is the full URL of the article Yuri is referring to:

  6. Here is a good one
  7. Thanks for giving this information. I am searching for how to change the IP address, and I also found a website for checking the IP address free of cost.
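
The distinction drawn in the third comment, as an added example (not code from the post or its commenters): a source address that reaches the web server's access log completed a TCP handshake, while one seen only in perimeter SYN logs may be spoofed and is not worth geolocating. The log lines are constructed, and the simplified iptables-style log format and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data using documentation address ranges, not real logs.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /a.html HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /admin.php HTTP/1.1" 404 153
"""
# Simplified iptables LOG-style lines (real ones carry more fields).
FIREWALL_LOG = """\
Oct 10 13:55:36 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50112 DPT=80 SYN
Oct 10 13:55:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=80 SYN
Oct 10 13:55:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.78 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=80 SYN
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')
SRC_RE = re.compile(r'\bSRC=(\S+)')

def _valid(ip):
    """Reject anything that is not a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False

def established_sources(access_log):
    """Requests per client IP. An HTTP request in the log implies a completed
    handshake, so the address was not blindly spoofed. Behind a reverse proxy
    this field is the proxy's address, not the client's."""
    hits = Counter()
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if m and _valid(m.group(1)):
            hits[m.group(1)] += 1
    return hits

def classify(access_log, firewall_log):
    """Split sources into those worth geolocating and SYN-only ones."""
    hits = established_sources(access_log)
    syn_only = Counter()
    for line in firewall_log.splitlines():
        m = SRC_RE.search(line)
        if m and _valid(m.group(1)) and m.group(1) not in hits:
            syn_only[m.group(1)] += 1
    return {"geolocate": dict(hits), "unverified": dict(syn_only)}
```

An address in the `geolocate` set is only known to be unspoofed; as the first comment notes, it may still be a bot rather than the actual attacker.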