While I did my thesis on this topic back in 2001, I haven’t used the knowledge or skills I gained from it much – or really at all. But I think it’s an interesting topic, and one that security folks and system administrators should at least be passingly familiar with. The technology has certainly changed since I did my thesis.
When you look at an IP address (or even a domain name) in your logs, where is that person coming from? You might need to know for forensics, or even for "cyberwarfare" purposes. Keep in mind that spoofing a source IP address isn't rocket science, so there is no guarantee that the address in your logs belongs to the machine actually doing the activity. However, TCP has a three-way handshake, and for the replies to get anywhere there has to be a real "other end" of the connection: the logged address must actually be receiving and answering packets for anything that needs replies (UDP traffic and DDoS? you're on your own). The attacker may also be working through a botnet or another compromised machine, so even the true location of the IP address doesn't give you the attacker (or the file downloader…).
It used to be that you could make a really good guess at the location of an IP address from a traceroute, by looking at the routers the path went through (carrier routers commonly carry a city or airport code in their hostnames). You *might* still get that information now; it depends on whether the backbone routers have ICMP turned off (most don't) and on how many hops you go through. If you're going to an IP on the same backbone provider (or a very well connected provider like Google), you won't get much information from traceroute. However, it's a good first step.
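As an added example (not part of the original post), here is the traceroute trick done by hand in Python: parse the hop lines, note which routers dropped our probes, and pull a location hint out of each router hostname. The traceroute text is constructed for the example (RFC 5737 test addresses and invented hostnames), and the small code-to-city table is an assumption; a real one would be much larger and curated per provider.

```python
import re

# Constructed sample traceroute output (not a real trace).  The hostnames are
# invented but follow the common carrier convention of embedding a
# city/airport code such as "iad" or "nyc" in the router name.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  0.512 ms  0.498 ms  0.471 ms
 2  10.20.0.1 (10.20.0.1)  9.801 ms  9.750 ms  9.702 ms
 3  ae-3.cr1.iad.example.net (198.51.100.5)  12.301 ms  12.290 ms  12.250 ms
 4  * * *
 5  be-10.cr2.nyc.example.net (198.51.100.9)  18.900 ms  18.850 ms  18.800 ms
 6  203.0.113.10 (203.0.113.10)  19.400 ms  19.350 ms  19.300 ms
"""

# Hand-picked lookup of codes carriers commonly embed in router names.
# This table is an assumption for the example, not a complete list.
CITY_CODES = {
    "iad": "Washington DC area", "dca": "Washington DC area",
    "nyc": "New York", "jfk": "New York", "ewr": "Newark",
    "lax": "Los Angeles", "sjc": "San Jose", "ord": "Chicago",
    "dfw": "Dallas", "atl": "Atlanta", "sea": "Seattle",
    "lhr": "London", "fra": "Frankfurt", "ams": "Amsterdam",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"^(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text):
    """Turn traceroute output into a list of hop dicts.

    Each hop has: hop number, host and ip (None when the router did not
    answer) and timed_out (True for a '* * *' line, i.e. the router filtered
    or dropped our probes).
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header line or junk
        num, rest = int(m.group(1)), m.group(2)
        h = HOST_RE.match(rest)
        if h:
            hops.append({"hop": num, "host": h.group(1), "ip": h.group(2), "timed_out": False})
        else:
            hops.append({"hop": num, "host": None, "ip": None, "timed_out": True})
    return hops


def location_hints(hops):
    """Map hop number -> location hint taken from the router hostname."""
    hints = {}
    for hop in hops:
        if not hop["host"]:
            continue
        # router names are usually dot- and dash-separated labels
        for token in re.split(r"[.-]", hop["host"].lower()):
            if token in CITY_CODES:
                hints[hop["hop"]] = CITY_CODES[token]
                break
    return hints


def best_guess(hops):
    """The last hop that carried a hint is the best free guess for where the
    destination sits; None if no router name gave anything away."""
    hints = location_hints(hops)
    if not hints:
        return None
    return hints[max(hints)]


if __name__ == "__main__":
    parsed = parse_traceroute(SAMPLE_TRACEROUTE)
    for hop in parsed:
        print(hop)
    print("location hints:", location_hints(parsed))
    print("best guess:", best_guess(parsed))
```

The two limits the paragraph mentions show up directly: hop 4 yields nothing because the router did not answer, and the destination's own hop carries no name, so the guess rests entirely on the last named backbone router before it.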
WHOIS is another helpful tool. "whois IPaddress" returns different information than "whois domainname": the IP query shows who the address block is allocated to according to the RIRs (ARIN, RIPE and the others), while the domain query shows the registrant of the name. It's still not going to hit the jackpot every time, but it might. If the IP address belongs to a large organization with its own assigned address space, you'll at least have the company (and maybe the location, depending on how the company assigns its addresses). You'll hit another wall if the WHOIS result comes back as an ISP or hosting provider, because then you know the provider, not the customer using the address.
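As an added example (not from the original post), the following Python normalizes the two key/value layouts you most often get back from an IP WHOIS query, ARIN-style and RIPE-style, into one record, and flags the "wall" case where the block belongs to a provider rather than the end organization. Both WHOIS responses are constructed for the example with RFC 5737 addresses and invented names, and the provider-word list is a heuristic assumption.

```python
import re

# Constructed sample WHOIS responses (invented organizations, not real
# registry data), one in ARIN's layout and one in RIPE's.
ARIN_SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-CORP-NET
NetType:        Direct Allocation
OrgName:        Example Corporation
OrgId:          EXAMP
City:           Reston
StateProv:      VA
Country:        US
"""

RIPE_SAMPLE = """\
% This is the RIPE Database query service.

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING-POOL
descr:          Example Hosting GmbH
descr:          Dedicated server pool
country:        DE
admin-c:        EH1234-RIPE
status:         ASSIGNED PA
"""

# Registries name the same field differently; map both to one vocabulary.
FIELD_MAP = {
    "netrange": "range", "inetnum": "range",
    "cidr": "cidr",
    "netname": "netname",
    "orgname": "org", "org-name": "org", "descr": "org",
    "city": "city", "stateprov": "region", "country": "country",
}

# Words that usually mean the block is a provider's, so the address is one
# of their customers.  Heuristic assumption for the example.
PROVIDER_WORDS = {"hosting", "isp", "broadband", "cable", "dsl",
                  "telecom", "pool", "dynamic", "cloud", "colo"}

LINE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")


def parse_whois(text):
    """Parse 'key: value' WHOIS output into a normalized dict (first value
    wins for repeated keys such as RIPE's multiple 'descr' lines)."""
    out = {}
    for line in text.splitlines():
        if line.startswith(("#", "%")):      # registry comment lines
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in FIELD_MAP and FIELD_MAP[key] not in out:
            out[FIELD_MAP[key]] = value
    return out


def looks_like_provider(record):
    """True if the netname/org wording suggests an ISP or hosting block."""
    text = " ".join(record.values()).lower()
    tokens = set(re.split(r"[^a-z]+", text))
    return bool(tokens & PROVIDER_WORDS)


def summarize(record):
    where = ", ".join(record[k] for k in ("city", "region", "country") if k in record)
    tag = ("provider/ISP block (customer unknown)" if looks_like_provider(record)
           else "end organization")
    return f"{record.get('org', '?')} [{where or 'no location'}] - {tag}"


if __name__ == "__main__":
    for sample in (ARIN_SAMPLE, RIPE_SAMPLE):
        print(summarize(parse_whois(sample)))
```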
At this point you're slowly running out of free options. Several companies specialize in geolocation and are happy to sell you the information; that is how most web sites and services find it out (except for mobile devices, which are a whole 'nother ballgame). One service does provide a free database with less accuracy: http://ipinfodb.com/ It reliably figured out most of the IP addresses I tossed at it.
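As an added example (not from the original post, and not ipinfodb's own tooling), here is the lookup you would write against a free range-based database: the common CSV layout stores each block as a start and end 32-bit integer with a place attached, so a query converts the dotted quad to an integer and binary-searches the sorted starts. The three-row database below is constructed for the example (RFC 5737 ranges, made-up places) and is an assumption, not real data; the loader also refuses overlapping ranges, since binary search is only correct when the ranges are sorted and disjoint.

```python
import bisect
import csv
import io

# Constructed sample database, start/end as 32-bit integers:
#   192.0.2.0-192.0.2.255, 198.51.100.0-198.51.100.255, 203.0.113.0-203.0.113.255
# Places are invented for the example.
SAMPLE_DB = """\
start,end,country,region,city
3221225984,3221226239,US,Virginia,Reston
3405803776,3405804031,DE,Hessen,Frankfurt
3325256704,3325256959,GB,England,London
"""


def ip_to_int(ip):
    """Dotted-quad IPv4 string -> 32-bit integer; rejects anything else."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    n = 0
    for p in parts:
        v = int(p)
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        n = (n << 8) | v
    return n


def load_db(csv_text):
    """Load the CSV, sort by start, and verify the ranges do not overlap."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append((int(row["start"]), int(row["end"]),
                     row["country"], row["region"], row["city"]))
    rows.sort()
    for prev, cur in zip(rows, rows[1:]):
        if cur[0] <= prev[1]:
            raise ValueError("overlapping ranges in database")
    starts = [r[0] for r in rows]
    return starts, rows


def lookup(db, ip):
    """Return {country, region, city} for ip, or None if no range covers it."""
    starts, rows = db
    n = ip_to_int(ip)
    i = bisect.bisect_right(starts, n) - 1      # last range starting at or before n
    if i < 0:
        return None                              # below the first range
    start, end, country, region, city = rows[i]
    if n > end:
        return None                              # falls in a gap between ranges
    return {"country": country, "region": region, "city": city}


if __name__ == "__main__":
    db = load_db(SAMPLE_DB)
    for ip in ("192.0.2.77", "203.0.113.255", "10.0.0.1", "200.0.0.1"):
        print(ip, "->", lookup(db, ip))
```

An address that falls between ranges comes back as None rather than as the nearest neighbour; that gap is exactly where a less accurate free database differs from a paid one, so treat a miss as "unknown", not as "nowhere".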
The big databases are put together in several ways: negotiating with ISPs and hosting providers for their internal allocation information (which dynamic IP space is assigned to the DC area vs. the NY area), and just plain old brute work. Anyone remember the web sites that would ask you where you were located? Guess who ran those, and where that data is now.