FRESH

Hacker News

Home

We have ipinfo at home or how to geolocate IPs in your CLI using latency

226 points by jimaek

by jimaek

3 subcomments

This is a little project exploring the feasibility of using a service such as Globalping for geo location needs.
I had fun making it but please note that the current implementation is just a demo and far from a proper production tool.
If you really want to use it then for best possible results you need at least 500 probes per phase.
It could be optimized fairly easily but not without going over the anon user limit which I tried to avoid

by jurgenaut23

1 subcomments

Congrats on doing it without AI! Just reading your crappy one-word commit messages make me happy.

by greyface-

7 subcomments

How feasible would it be for the host under measurement to introduce additional artificial latency to ping responses, varying based on source IP, in order to spoof its measured location?

by Havoc

4 subcomments

Bit surprised this works. Latency variability is huge and sometimes quite disconnected from geo location. I recall talking to someone in NL and realised I've got better latency to NL content from the UK than he did. Presumably better peering etc.

by lopoc

2 subcomments

Nice work! I presented similar research at DEFCON 31 - 'You Can't Cheat Time: Finding foes and yourself with latency trilateration' https://youtu.be/_iAffzWxexA
though with some key differences that address the limitations mentioned in the thread. The main issue with pure ping-based geolocation is that: IPs are already geolocated in databases (as you note) Routing asymmetries break the distance model Anycast/CDNs make single IPs appear in multiple locations ICMP can be blocked or deprioritized My approach used HTTP(S) latency measurements (not ping) with an ML model (SVR) trained on ~39k datapoints to handle internet routing non-linearity, then performed trilateration via optimization. Accuracy was ~600km for targets behind CloudFront - not precise, but enough to narrow attribution from "anywhere" to "probably Europe" for C2 servers. The real value isn't precision but rather: Detecting sandboxes via physically impossible latency patterns Enabling geo-fenced malware Providing any location signal when traditional IP geolocation fails Talk: https://youtu.be/_iAffzWxexA"

by reincoder

0 subcomment

Thank you, Dimitry. Everyone at IPinfo really appreciates the shoutout!
---
Our research scientist, Calvin, will be giving a talk at NANOG96 on Monday that delves into active measurement-based IP geolocation.
https://nanog.org/events/nanog-96/content/5678/

by westurner

0 subcomment

Wi-FI RTT is more accurate than trilateration with RSSI but requires hw support.
IEEE 802.11mc > Wi-Fi Round Trip Time (RTT) https://en.wikipedia.org/wiki/IEEE_802.11mc#Wi-Fi_Round_Trip...
/? fine time measurement FTM: https://www.google.com/search?q=fine+time+measurement+FTM

by lpapez

0 subcomment

Amazing idea and execution, the sort of stuff I wish there was more of on HN.

by VladVladikoff

2 subcomments

If I understood the post the author just takes the location of smallest ping as the winner. This seems like a very rudimentary approach. Why not do triangulation? If you take each ping time as a measurement of distance between two points, you should be able to ping from a random selection of IPs and from there calculate the location.

by 29athrowaway

0 subcomment

If you like this topic, read "The Cuckoo's Egg" (1989) by Clifford Stoll

by tallytarik

1 subcomments

Great post and a great little tool. Some of my experience using these techniques in production:
1. Trilateration mostly doesn't work with internet routing, unlike GPS. Other commenters have covered this in more detail. So the approach described here - to take the closest single measurement - is often the best you can do without prior data. This means you need a crazy high distribution of nodes across cities to get useful data at scale. We run our own servers and also sponsor Globalping and use RIPE Atlas for some measurements (I work for a geo data provider), yet even with thousands of available probes, we can only accurately infer latency-based location for IPs very close to those probes.
2. As such, latency/traceroute measurements are most useful for verifying existing location data. That means for the vast majority of IP space, we rely on having something to compare against.
3. Traceroute hops are good; the caveat being that you're geolocating a router. RIPE IPmap already locates most public routers with good precision.
4. Overall these techniques work quite well for infrastructure and server IP addresses but less so for eyeball networks.
https://ping.sx is also a nice comparison tool

by xyst

1 subcomments

Tried with an IP allocated to a major wireless network operator. It was far off but also ran out of credits when trying with higher limits on subsequent attempts.
Seems tool is relying on ICMP results from various probes. So wouldn't this project become useless if target device disables ICMP?
I wonder if you can "fake" results by having your gateway/device respond with fake ICMP requests.

by navigate8310

1 subcomments

> Globalping is an open-source, community-powered project that allows users to self-host container-based probes. These probes then become part of our public network, which allows anyone to use them to run network testing tools such as ping and traceroute.
How's this different from RIPE ATLAS?

by jacquesm

1 subcomments

It'd be clever to integrate this into the TCP stack so it tells you immediately what the lowest bound is on the distance to the counterparty based on the time between data sent and the corresponding acknowledgements. I can see some immediate applications for that.

by tgtweak

0 subcomment

You can extend this by looking at the IP route for the reverse path, I've found it's usually accurate to the state at least on the last hop before destination - added benefit that there's usually an airport or city code on the fqdn of that hop.

by navigate8310

1 subcomments

> Group and sort the results; the country with the lowest latency should be the correct one
Sometimes residential ISPs (that hosts the probe) may have a bad routing due to many factors, how does the algorithm take that into account?

by nickorlow

0 subcomment

Wonder if you can do this with mobile phones by timing the time to the first ring?

by DenisDolya

0 subcomment

Wow, it works !

by maximgeorge

0 subcomment

[dead]