Geo location to IP mapping

Martin Hannigan hannigan at
Mon May 15 20:11:13 UTC 2006

At 03:56 PM 5/15/2006, Alexander Harrowell wrote:
>This is a frequent source of silly news stories - viz. the recent 
>one, based on Google Trends, that Birmingham (UK) is the "top city" 
>for porn searches and Brentford (UK) in the top five despite being a 
>small suburb of London. Reason: both are the location of big isp NOCs.

Since you completely ignored the security aspect, I'll address your
reference to Google Trends.

This is what you are probably talking about:

If what you are saying is true, that's some pretty bad
geo-location and YMMV, but what source are you using to
discount Googles numbers?

Are you saying that everyone on all 3 shifts in those "two large NOC's"
are searching for Porn on Google?

Or are you saying that all their
netblocks are in whois and have roles that state their blocks are located
at those NOC's?

If it's the latter, that would support either you being
innacurtae in your assumption about the Trend, or google being wrong. I'd
need more proof that Google is that far off and that it would "appear"
as though they are simply using whois registrations for geo locating
in their Trends product. I'd tend to doubt it. Anything is possible, I


>On 5/15/06, Martin Hannigan 
><<mailto:hannigan at>hannigan at> wrote:
>At 01:56 PM 5/15/2006, 
><mailto:Valdis.Kletnieks at>Valdis.Kletnieks at wrote:
> >On Mon, 15 May 2006 13:14:41 EDT, Bill Nash said:
> > > It works for spammers.
> >
> >Certainly explains all the Turkish spam I get, what with me being
> >just outside Ankara and all.
>That's likely because they are attempting to do some sort
>of location analysis themselves and have limited data to
>work with. Spammers are generally not stupid. They are cheap
>since their ability o generate revenue is randomized based on
>the exploit of the day, so to speak. Targeting you with Turkish
>ads is probably a combination of being cheap and someone possibly
>stupid. Anyhow...before this thread turns into the debacle of
>incorrect information that the NTP one did --
>Typically, an ip address is analyzed by using multiple sources of data.
>An attempt is made at a "triangulation" of sorts with both
>good and bad bits compared. As the good bits build the confidence
>factor in the triangulation rises. So you could have 2 pieces of
>info that do correlate, bring in the whois record, no correlation
>with that, and then toss it and bring something else in. Whois
>accuracy is not a factor here.
>Geo location isn't perfect, but it's not "bad". I've heard of
>accuracy levels as high as 90% and I don't think that's too far
>fetched. With HostIP reporting 50% on the user survey and them being
>what I can demonstrate as "bad", 90% isn't a stretch at all.
>Look at a geo use case. If there were a cyber threat level,
>a defcon so to speak, and the highest level is 5 and we reach this
>level someday, it could be prudent to build filter lists based on geo
>located routing table data and begin to block and log certain sources
>based on the threat level alone. Good geo data makes this entirely feasible.
>Applying this type of thinking to Internet doomsday scenarios
>will be key in survivability, IMHO. If you want every solution
>to be 100%, we're likely to be down for some factor longer than
>we need to be.
>Anyhow, back to your regularly scheduled show. :-)
>Martin Hannigan                                (c) 617-388-2663
>Renesys Corporation                            (w) 617-395-8574
>Member of Technical Staff                      Network Operations
><mailto:hannigan at>hannigan at

Martin Hannigan                                (c) 617-388-2663
Renesys Corporation                            (w) 617-395-8574
Member of Technical Staff                      Network Operations
                                                hannigan at  

More information about the NANOG mailing list