Using IP geolocation for security


I did a stint as a network researcher with Quova back in 2000 -- it was a lot of fun at the time. Quova was (and still is) attempting to map every public IP address to a physical location. There are lots of ways to do this; some of the best macro-level resources are the Regional Internet Registries (e.g. RIPE: Réseaux IP Européens, ARIN: American Registry for Internet Numbers, APNIC: Asia Pacific Network Information Centre).

I primarily worked on two things at Quova: checking out route servers using views provided by looking glass servers, and writing code to automate IP address harvesting from PoPs (Points of Presence). I was also interested in traceroute results taken from multiple viewpoints throughout the world, and in seeing which hops were common to particular address ranges.

If you think creatively for a moment, you can imagine there are lots of ways to get lots of information about a single IP address. How about tapping every ISP database (or making a deal with an ISP, which is happening) and obtaining things like the phone number, address, and name of the person 'leasing' a temporary public IP address? Scary, eh? Those in the know can subvert this pretty easily (e.g. proxies, Tor), but the vast majority of typical users have no clue this kind of thing is happening.

Anyway, the point of all this is that this information is frequently valuable to a security engineer. Simple questions like 'should anyone be successfully VPNing into my network from IP addresses in Denmark?' or 'this customer is attempting to make an online purchase from an IP address in China when their billing address is in Florida; maybe we should perform additional verification' can be answered by looking up the country of the source address and comparing it against what you expect.
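Here is a worked version of those two checks as an added example; it is not code from the original post or from Quova. The IP-to-country table is constructed from RFC 5737 documentation prefixes (so it is not real geolocation data; a real deployment would query a commercial or RIR-derived database), the VPN log format is invented for the example, and the `VPN_ALLOWED_COUNTRIES` allow list is an assumption.

```python
"""Added example: toy IP-geolocation checks for VPN logins and purchases.

Everything below is constructed for illustration. The GEO_TABLE is NOT real
geolocation data; it uses RFC 5737 documentation prefixes. The log lines and
the allow list are likewise assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed lookup table: CIDR prefix -> ISO 3166-1 country code.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/25"), "US"),
    (ipaddress.ip_network("192.0.2.128/25"), "DK"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# Ranges that never have a meaningful public location (RFC 1918, loopback,
# link-local). A source address in one of these means the log is recording
# an internal hop or a NAT artifact, not the real client.
NO_LOCATION = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against GEO_TABLE; None if unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NO_LOCATION):
        return None
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


@dataclass
class Finding:
    kind: str
    ip: str
    detail: str


# Assumption for the example: only staff located in the US should VPN in.
VPN_ALLOWED_COUNTRIES = {"US"}


def check_vpn_logins(log_lines: Iterable[str],
                     allowed=VPN_ALLOWED_COUNTRIES) -> List[Finding]:
    """Flag successful VPN logins whose source country is not allowed.

    Constructed line format: '<ts> vpn user=<u> src=<ip> result=<ok|fail>'.
    Failed attempts are ignored here; an unknown country is treated as a
    finding, because 'we cannot locate it' is not the same as 'it is fine'.
    """
    findings = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[2:])
        if fields.get("result") != "ok":
            continue
        cc = country_of(fields["src"])
        if cc not in allowed:
            findings.append(Finding(
                "vpn_geo", fields["src"],
                f"user {fields['user']} logged in from {cc or 'unknown'}"))
    return findings


def check_purchase(ip: str, billing_country: str) -> Optional[Finding]:
    """Return a finding when the order's source country disagrees with billing."""
    cc = country_of(ip)
    if cc is None or cc != billing_country:
        return Finding("purchase_geo", ip,
                       f"ip country {cc} != billing country {billing_country}")
    return None


# Constructed sample log: one clean US login, one from DK, one failed attempt
# from CN, and one whose source is an RFC 1918 address.
VPN_LOG = [
    "2006-02-03T19:05:00 vpn user=alice src=192.0.2.10 result=ok",
    "2006-02-03T19:06:12 vpn user=bob src=192.0.2.200 result=ok",
    "2006-02-03T19:07:45 vpn user=mallory src=198.51.100.7 result=fail",
    "2006-02-03T19:08:01 vpn user=carol src=10.1.2.3 result=ok",
]

if __name__ == "__main__":
    for f in check_vpn_logins(VPN_LOG):
        print(f)
    print(check_purchase("198.51.100.7", "US"))   # CN vs US: flagged
    print(check_purchase("203.0.113.9", "US"))    # US vs US: None
```

Treat the result as a risk signal rather than proof: proxies and Tor exits (as noted above), carrier-grade NAT, and stale prefix data all produce wrong countries, so the sensible response to a mismatch is step-up verification or an alert for a human, not an automatic deny.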

Since 2000, lots of companies have popped up to do IP geolocation. If you're interested, here are a few:


Posted by tate 02/03/2006 at 19h05