Geo location to IP mapping

Martin Hannigan hannigan at renesys.com
Mon May 15 19:44:48 UTC 2006 

At 01:56 PM 5/15/2006, Valdis.Kletnieks at vt.edu wrote:


>On Mon, 15 May 2006 13:14:41 EDT, Bill Nash said:
> > It works for spammers.
>
>Certainly explains all the Turkish spam I get, what with me being
>just outside Ankara and all.


That's likely because they are attempting to do some sort
of location analysis themselves and have limited data to
work with. Spammers are generally not stupid. They are cheap
since their ability o generate revenue is randomized based on
the exploit of the day, so to speak. Targeting you with Turkish
ads is probably a combination of being cheap and someone possibly
stupid. Anyhow...before this thread turns into the debacle of
incorrect information that the NTP one did --

Typically, an ip address is analyzed by using multiple sources of data.
An attempt is made at a "triangulation" of sorts with both
good and bad bits compared. As the good bits build the confidence
factor in the triangulation rises. So you could have 2 pieces of
info that do correlate, bring in the whois record, no correlation
with that, and then toss it and bring something else in. Whois
accuracy is not a factor here.

Geo location isn't perfect, but it's not "bad". I've heard of
accuracy levels as high as 90% and I don't think that's too far
fetched. With HostIP reporting 50% on the user survey and them being
what I can demonstrate as "bad", 90% isn't a stretch at all.

Look at a geo use case. If there were a cyber threat level,
a defcon so to speak, and the highest level is 5 and we reach this
level someday, it could be prudent to build filter lists based on geo
located routing table data and begin to block and log certain sources
based on the threat level alone. Good geo data makes this entirely feasible.

Applying this type of thinking to Internet doomsday scenarios
will be key in survivability, IMHO. If you want every solution
to be 100%, we're likely to be down for some factor longer than
we need to be.

Anyhow, back to your regularly scheduled show. :-)

-M<





--
Martin Hannigan                                (c) 617-388-2663
Renesys Corporation                            (w) 617-395-8574
Member of Technical Staff                      Network Operations
                                                hannigan at renesys.com

More information about the NANOG mailing list