[ARGUS] Destination Country

Russell Fulton r.fulton at auckland.ac.nz
Tue Mar 15 14:19:50 EDT 2022


Geolocation of IP addresses is fraught with problems and sometimes outfits like Maxmind get it wrong.  They openly admit this and there is a link on their main page to report problems.   Mostly errors are not at the country level but at the city level.

Whois is not a good way to locate an IP address, as this information is administrative -- it gives the address of the owner of the address block, which may actually be split into several different ASes.  Large transnational organisations will have the head office listed in whois, but the IPs are in use all over the world.

If I have doubts about the location of a particular IP address I normally do a traceroute and look up the hops immediately before the target.

In New Zealand the Maxmind city-level data is very unreliable, as the ISPs use blocks that cover large geographic areas.  Even in the cities it is unreliable.  I am in Auckland and I have a static IP address which has not changed for nearly 10 years.  But, at various times, it has been geolocated in several different cities.  Most of last year Maxmind put me in Rotorua, which is several hundred miles away.  I noticed when I started getting advertising for stuff in Rotorua.

I do security for a large university and I deal with geolocation data every day, but I never trust results for individual IPs without corroborating evidence.

Russell at fulton.nz

On 16/03/2022, at 6:42 AM, Dave <dedelman at iname.com> wrote:

The simple solution is whois, which tells you that:

whois 141.226.224.48
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      141.0.0.0 - 141.255.255.255
organisation: Administered by RIPE NCC
status:       LEGACY

whois:        whois.ripe.net

changed:      1993-05
source:       IANA

# whois.ripe.net

inetnum:        141.226.224.0 - 141.226.224.255
netname:        Taboola
country:        US
admin-c:        RS19602-RIPE
tech-c:         RS19602-RIPE
status:         LEGACY
mnt-by:         TABOOLA-MNT-RIPE
created:        2016-08-11T07:55:18Z
last-modified:  2016-08-11T07:55:18Z
source:         RIPE

person:         Rom Shahak
address:        Tozeret Haaretz 7, Tel Aviv, Israel
phone:          +972-3-696-6966
nic-hdl:        RS19602-RIPE
mnt-by:         TABOOLA-MNT-RIPE
created:        2015-06-24T10:07:00Z
last-modified:  2015-06-24T10:07:00Z
source:         RIPE # Filtered

% Information related to '141.226.224.0/24AS200478'

route:          141.226.224.0/24
descr:          network
origin:         AS200478
mnt-by:         TABOOLA-MNT-RIPE
created:        2016-06-02T18:56:01Z
last-modified:  2016-06-02T18:56:01Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.102.2 (WAGYU)


It is IL

—Dave

On Mar 15, 2022, at 1:17 PM, Monah Baki <monahbaki at gmail.com> wrote:

Hi Carter,

It says IL, but so many other online tools say US, not sure which to trust. Need to submit a report and don't want to give false info.


Thanks
Monah

On Tue, Mar 15, 2022 at 1:08 PM Carter Bullard <carter at qosient.com> wrote:
Hey Mona,
It's a pretty simple lookup, so fgrep for 141.226.224 in the delegated-ipv4-latest file to see what the data sez …

Carter

> On Mar 15, 2022, at 12:38 PM, Monah Baki <monahbaki at gmail.com> wrote:
>
> Hi everyone,
>
> I updated my ragetcountry.sh just now and saw the following:
>
>          StartTime  Proto            SrcAddr  Sport            DstAddr  Dport  Trans                srcUdata                                dstUdata                 sCo dCo
> 16:21:44.592508    tcp      192.168.2.168.57492      141.226.224.48.https       1 s[30]=...........b0..2.....R.oe'3...                                             ZZ  IL
>
>
> Destination says Israel but
> geoiplookup 141.226.224.48
> GeoIP Country Edition: US, United States
>
>
> Searching other online resources says the IP address is US.
>
>
> Thanks
> Monah
> _______________________________________________
> argus mailing list
> argus at qosient.com
> https://pairlist1.pair.net/mailman/listinfo/argus
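
Worked example, added here and not part of the thread, of Argus or of Monah's ragetcountry.sh: a small Python script that does the lookup Carter describes (find the delegation record covering an IP in an RIR delegated-ipv4 file) and then cross-checks that answer against the other sources named in the thread, in the spirit of Russell's point that a single source is not to be trusted for an individual IP without corroborating evidence. The delegated-stats line layout (registry|cc|type|start|value|date|status) is the real one the RIRs publish; the sample records, their country codes and the summary counts are constructed for illustration (the IL record mirrors what Monah's ra output showed and is not a verified copy of the RIR file), and the whois fields are the ones Dave pasted above, abridged.

```python
"""Cross-check the country of an IPv4 address across several sources.

Added example for the thread above; not argus code and not ragetcountry.sh.
The delegated-stats layout (registry|cc|type|start|value|date|status) is the
real format the RIRs publish.  SAMPLE_DELEGATED is CONSTRUCTED for this
example; only WHOIS_FROM_THREAD is copied from the whois output in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# CONSTRUCTED sample in delegated-ipv4 format.  Line 1 is a version header,
# line 2 a per-registry summary; both must be skipped by the parser.  The
# IL record mirrors Monah's ra output; the other two use RFC 5737 test nets.
SAMPLE_DELEGATED = """\
2|ripencc|20220315|3|19830705|20220314|+0100
ripencc|*|ipv4|*|3|summary
ripencc|IL|ipv4|141.226.224.0|256|20160811|allocated
ripencc|NL|ipv4|192.0.2.0|256|20100101|assigned
apnic|NZ|ipv4|203.0.113.0|256|20050101|allocated
""".splitlines()

# The RIPE inetnum object Dave pasted in the thread (abridged): note that the
# administrative country: field and the contact address do not agree.
WHOIS_FROM_THREAD = """\
inetnum:        141.226.224.0 - 141.226.224.255
netname:        Taboola
country:        US
status:         LEGACY
address:        Tozeret Haaretz 7, Tel Aviv, Israel
"""


@dataclass(frozen=True)
class Delegation:
    registry: str
    cc: str
    start: ipaddress.IPv4Address
    count: int          # number of addresses in the delegation
    status: str

    @property
    def end(self) -> ipaddress.IPv4Address:
        return self.start + (self.count - 1)

    def covers(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


def parse_delegated(lines: Iterable[str]) -> list[Delegation]:
    """Parse ipv4 records; skip comments, the version line and summary lines."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:          # summary lines have only 6 fields
            continue
        registry, cc, kind, start, value, _date, status = fields[:7]
        if kind != "ipv4" or not cc or cc == "*":   # version line, reserved, summaries
            continue
        records.append(Delegation(registry, cc, ipaddress.IPv4Address(start),
                                  int(value), status))
    return records


def lookup_delegation(ip_str: str, records: list[Delegation]) -> Optional[Delegation]:
    """Most specific (smallest) delegation covering ip_str, or None."""
    ip = ipaddress.IPv4Address(ip_str)
    hits = [r for r in records if r.covers(ip)]
    return min(hits, key=lambda r: r.count) if hits else None


def whois_field(text: str, key: str) -> Optional[str]:
    """First value of a 'key:' attribute in RPSL-style whois output."""
    for line in text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip() == key:
            return v.strip()
    return None


def corroborate(answers: dict[str, Optional[str]]) -> tuple[bool, set[str]]:
    """True only when every source that answered gave the same country."""
    seen = {v for v in answers.values() if v}
    return len(seen) == 1, seen


def demo(ip: str = "141.226.224.48") -> tuple[bool, set[str]]:
    rir = lookup_delegation(ip, parse_delegated(SAMPLE_DELEGATED))
    answers = {
        "delegated-ipv4 (constructed sample)": rir.cc if rir else None,
        "RIPE inetnum country: (whois in thread)": whois_field(WHOIS_FROM_THREAD, "country"),
        "geoiplookup (as reported in thread)": "US",
    }
    agree, seen = corroborate(answers)
    for source, cc in answers.items():
        print(f"{source:40s} {cc}")
    print("consistent" if agree else f"CONFLICT: {sorted(seen)} - corroborate before reporting")
    return agree, seen


if __name__ == "__main__":
    demo()
```

Running demo() returns (False, {'IL', 'US'}): the RIR delegation and the administrative country: field in the RIPE object disagree, which is exactly the signal to go and corroborate (traceroute to the hops before the target, the provider's own data, the RIR file) before writing a country into a report. The parser keeps the smallest covering delegation, so it still gives a sensible answer on extended delegated files where a large legacy block and a smaller sub-delegation both match.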

