Web Application Security

I Know The Country, Town, and City You Are Connecting From (IP Geolocation)

Every browser leaves a log of their public IP address when it connects to any website – if it didn’t, the website would have no idea where to send the requested Web page. What many people do not realize is the tremendous amount that websites can learn about a visitor — instantly — just from their IP address. Remember: IP addresses are not handed out at random. They’re assigned in blocks and publicly registered to specific ISPs or other organizations (universities, governments, corporations, etc.) This IP address registration information is publicly accessible through ARIN and other registrars. WhatIsMyIPAddress.com” is great resource to begin to see what your IP address reveals.

Furthermore, IP addresses have often been put to use geographically over the years. Many independent firms have built up large databases linking countries, states, and cities to particular IP ranges. One method used to create IP-Geolocation databases is through online account registration. For example, when people provide their physical address to a website, the website can easily log their IP address at the time. Do this a few billion times across hundreds of millions of websites and you begin to get a fairly comprehensive association between a physical locations and an IP addresses.

Many IP-Geolocation services, such as MaxMind, are available that allow anyone to query an IP address and receive information about it in return — information such as the country, state/province, city, postal code, and telephone area code for the region, and even latitude and longitude. Many IPs also indicate if the network is a home, university, corporation, government, military, or other type of network.

So unless the browser or network the computer is connecting through is configured to use a proxy, the IP address will reveal a lot. And even if the browser is proxied, that can also be detected. Proxies are often located on well-known IP ranges, so although the website might not know the browser’s real IP address (and by extension the physical location of the computer), it will know that the browser is trying to hide.

Beyond that, as has been repeatedly demonstrated, it is possible for http://maliciouswebsite/ to manipulate a browser and force it to send Internet traffic outside of proxy protection and in that way find its actual IP address. Usually these techniques work by forcing the browser to send non-Web traffic, or by having a Plug-in send traffic that does not utilize the browser proxy configuration.

While these techniques work, they are a little tricky to implement and require http://maliciouswebsite/ to set-up a traffic capturing system that’s a bit difficult. Fortunately — for the attackers, that is — there are far simpler ways websites can circumvent proxy protection to find the browser’s real location and the visitor’s identity. Yes, even when using something like Tor. I’ll explain how in later sections.


I Know…