North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Geo location to IP mapping

  • From: Martin Hannigan
  • Date: Mon May 15 16:12:27 2006

At 03:56 PM 5/15/2006, Alexander Harrowell wrote:
This is a frequent source of silly news stories - viz. the recent one, based on Google Trends, that Birmingham (UK) is the "top city" for porn searches and Brentford (UK) in the top five despite being a small suburb of London. Reason: both are the location of big isp NOCs.
Since you completely ignored the security aspect, I'll address your
reference to Google Trends.

This is what you are probably talking about:

If what you are saying is true, that's some pretty bad
geo-location and YMMV, but what source are you using to
discount Googles numbers?

Are you saying that everyone on all 3 shifts in those "two large NOC's"
are searching for Porn on Google?

Or are you saying that all their
netblocks are in whois and have roles that state their blocks are located
at those NOC's?

If it's the latter, that would support either you being
innacurtae in your assumption about the Trend, or google being wrong. I'd
need more proof that Google is that far off and that it would "appear"
as though they are simply using whois registrations for geo locating
in their Trends product. I'd tend to doubt it. Anything is possible, I


On 5/15/06, Martin Hannigan <<mailto:[email protected]>[email protected]> wrote:

At 01:56 PM 5/15/2006, <mailto:[email protected]>[email protected] wrote:

>On Mon, 15 May 2006 13:14:41 EDT, Bill Nash said:
> > It works for spammers.
>Certainly explains all the Turkish spam I get, what with me being
>just outside Ankara and all.

That's likely because they are attempting to do some sort
of location analysis themselves and have limited data to
work with. Spammers are generally not stupid. They are cheap
since their ability o generate revenue is randomized based on
the exploit of the day, so to speak. Targeting you with Turkish
ads is probably a combination of being cheap and someone possibly
stupid. Anyhow...before this thread turns into the debacle of
incorrect information that the NTP one did --

Typically, an ip address is analyzed by using multiple sources of data.
An attempt is made at a "triangulation" of sorts with both
good and bad bits compared. As the good bits build the confidence
factor in the triangulation rises. So you could have 2 pieces of
info that do correlate, bring in the whois record, no correlation
with that, and then toss it and bring something else in. Whois
accuracy is not a factor here.

Geo location isn't perfect, but it's not "bad". I've heard of
accuracy levels as high as 90% and I don't think that's too far
fetched. With HostIP reporting 50% on the user survey and them being
what I can demonstrate as "bad", 90% isn't a stretch at all.

Look at a geo use case. If there were a cyber threat level,
a defcon so to speak, and the highest level is 5 and we reach this
level someday, it could be prudent to build filter lists based on geo
located routing table data and begin to block and log certain sources
based on the threat level alone. Good geo data makes this entirely feasible.

Applying this type of thinking to Internet doomsday scenarios
will be key in survivability, IMHO. If you want every solution
to be 100%, we're likely to be down for some factor longer than
we need to be.

Anyhow, back to your regularly scheduled show. :-)


Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of Technical Staff Network Operations

<mailto:[email protected]>[email protected]

Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of Technical Staff Network Operations
[email protected]