I Know The Country, Town, and City You Are Connecting From (IP Geolocation)

Every browser reveals its public IP address to every website it connects to, and that address ends up in the site's logs – if it didn't, the website would have no idea where to send the requested Web page. What many people do not realize is how much a website can learn about a visitor, instantly, just from that IP address. Remember: IP addresses are not handed out at random. They are assigned in blocks and publicly registered to specific ISPs or other organizations (universities, governments, corporations, etc.). This registration information is publicly accessible through ARIN and the other regional registrars. WhatIsMyIPAddress.com is a great resource to begin to see what your IP address reveals.

Furthermore, IP addresses have been mapped to geography for years. Many independent firms have built up large databases linking countries, states, and cities to particular IP ranges. One method used to build IP-geolocation databases is online account registration: when people provide their physical address to a website, the website can easily log their IP address at the same time. Do this a few billion times across hundreds of millions of websites and you begin to get a fairly comprehensive association between physical locations and IP addresses.

Many IP-geolocation services, such as MaxMind, allow anyone to query an IP address and receive information about it in return: the country, state/province, city, postal code, and telephone area code for the region, and even latitude and longitude. Many records also indicate whether the network is a home, university, corporation, government, military, or other type of network.

So unless the browser, or the network the computer connects through, is configured to use a proxy, the IP address will reveal a lot. And even if the browser is proxied, that can also be detected. Proxies are often located on well-known IP ranges, so although the website might not know the browser's real IP address (and by extension the physical location of the computer), it will know that the browser is trying to hide.
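To make the two preceding points concrete, here is an added example (not code from the original post, and not MaxMind's API) of the lookup a site performs: a longest-prefix match of the visitor's address against a block database that carries both location and network type, which is also how a proxy range is recognized. The database rows are constructed sample data using documentation address ranges, and the network-type labels are assumptions for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class GeoRecord(NamedTuple):
    country: str
    region: str
    city: str
    network_type: str  # e.g. "residential", "university", "hosting", "proxy"

# Constructed sample database: documentation (TEST-NET) ranges only, not real allocations.
# A commercial database holds millions of such rows; the matching logic is the same.
SAMPLE_DB = {
    ipaddress.ip_network("198.51.100.0/24"):   GeoRecord("US", "CA", "Santa Clara", "residential"),
    ipaddress.ip_network("198.51.100.128/25"): GeoRecord("US", "CA", "Palo Alto", "university"),
    ipaddress.ip_network("203.0.113.0/24"):    GeoRecord("DE", "BE", "Berlin", "hosting"),
    ipaddress.ip_network("203.0.113.64/26"):   GeoRecord("DE", "BE", "Berlin", "proxy"),
    ipaddress.ip_network("2001:db8::/32"):     GeoRecord("JP", "Tokyo", "Tokyo", "residential"),
}
# Network types that tell the site the visitor is hiding behind an intermediary (assumed labels).
ANONYMIZING = {"proxy", "vpn", "tor_exit"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_unroutable(ip) -> bool:
    """Private, loopback or link-local addresses never reach a public site as the source
    address, so no geolocation database can say anything about them."""
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918)

def lookup(ip_str: str) -> Optional[GeoRecord]:
    """Longest-prefix match against SAMPLE_DB; the most specific block wins."""
    ip = ipaddress.ip_address(ip_str)
    if is_unroutable(ip):
        return None
    best = None
    for net, rec in SAMPLE_DB.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None

def classify(ip_str: str) -> dict:
    """What a site can conclude from a single connecting address."""
    rec = lookup(ip_str)
    if rec is None:
        return {"location": "unknown", "hiding": False}
    return {"location": f"{rec.city}, {rec.region}, {rec.country}",
            "network_type": rec.network_type,
            "hiding": rec.network_type in ANONYMIZING}
```

A defender can run the same classification over server logs to flag logins that arrive from proxy or hosting ranges rather than residential ones.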

Beyond that, as has been repeatedly demonstrated, it is possible for http://maliciouswebsite/ to manipulate a browser and force it to send Internet traffic outside of proxy protection and in that way find its actual IP address. Usually these techniques work by forcing the browser to send non-Web traffic, or by having a Plug-in send traffic that does not utilize the browser proxy configuration.

While these techniques work, they are a little tricky to implement and require http://maliciouswebsite/ to set up a traffic-capturing system, which is a bit of a hassle. Fortunately, for the attackers that is, there are far simpler ways websites can circumvent proxy protection to find the browser's real location and the visitor's identity. Yes, even when using something like Tor. I'll explain how in later sections.

This entry was posted in Web Application Security on by .

About Jeremiah Grossman

Jeremiah Grossman is the Founder of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Jeremiah has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Jeremiah has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Jeremiah is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, he was an information security officer at Yahoo! Jeremiah can be found on Twitter @jeremiahg.