Advanced Geolocation of IP Addresses
Authors: Robert Koch, Mario Golling, Gabi Dreo Rodosek
Abstract:
Tracing and locating the geographical location of users (geolocation) is used extensively in today's Internet. Whenever we, for example, request a page from Google, we are automatically forwarded to the page in the relevant language (unless a specific configuration has been made) and, depending on the location identified, specific advertisements are presented. Within the area of network security in particular, geolocation has a significant impact. Because of the way the Internet works, attacks can be executed from almost anywhere. Therefore, for attribution, knowledge of the origin of an attack, and thus geolocation, is mandatory in order to be able to trace back an attacker. In addition, geolocation can also be used very successfully to increase the security of a network during operation (i.e. before an intrusion has actually taken place). Similar to greylisting for e-mail, geolocation makes it possible (i) to correlate detected attacks with new connections and (ii) as a consequence to classify traffic a priori as more suspicious (thus in particular allowing this traffic to be inspected in more detail). Although numerous techniques for geolocation exist, each strategy is subject to certain restrictions. Following the ideas of Endo et al., this publication tries to overcome these shortcomings with a combined solution of different methods to allow improved and optimized geolocation. Thus, we present our architecture for improved geolocation, designing a new algorithm that combines several geolocation techniques to increase the accuracy.
Keywords: IP geolocation, prosecution of computer fraud, attack attribution, target-analysis
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1086621
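The greylisting analogy from the abstract (correlating detected attacks with new connections and classifying traffic a priori as more suspicious) as an added example in Python; this is not code from the paper. It assumes a constructed prefix-to-region table standing in for a geolocation database, and a half-life decay so that old incidents lose influence over time.

```python
from collections import defaultdict
import ipaddress

# Constructed sample geolocation table (documentation prefixes): prefix -> region.
GEO_TABLE = {
    "203.0.113.0/24": "REGION-A",
    "198.51.100.0/24": "REGION-B",
    "192.0.2.0/24": "REGION-C",
}


def geolocate(ip):
    """Map an IP to a region via the constructed table; None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return None


class GeoGreylist:
    """Track detected attacks per region and score new connections a priori.

    Every detected attack adds 1.0 to its region's weight; weights decay
    exponentially with the given half-life (assumed design choice, not the paper's).
    """

    def __init__(self, half_life_s=3600.0, threshold=2.0):
        self.half_life_s = half_life_s
        self.threshold = threshold
        self._weight = defaultdict(float)  # region -> weight at time of last update
        self._stamp = {}                   # region -> time of last update

    def _decayed(self, region, now):
        last = self._stamp.get(region)
        if last is None:
            return 0.0
        return self._weight[region] * 0.5 ** ((now - last) / self.half_life_s)

    def record_attack(self, src_ip, now):
        """Correlate a detected attack (e.g. an IDS alert) with its origin region."""
        region = geolocate(src_ip)
        if region is not None:
            self._weight[region] = self._decayed(region, now) + 1.0
            self._stamp[region] = now

    def score(self, src_ip, now):
        """Current decayed attack weight of the connection's origin region."""
        region = geolocate(src_ip)
        return 0.0 if region is None else self._decayed(region, now)

    def classify(self, src_ip, now):
        """'inspect' marks a new connection for deeper inspection, else 'normal'."""
        return "inspect" if self.score(src_ip, now) >= self.threshold else "normal"
```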
References:
[1] T. Lewis, “Index,” Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, pp. 463–474, 2006.
[2] Symantec, “Symantec 2011 SMB Disaster Preparedness Survey - Global Results,” 2011, http://www.symantec.com/content/en/us/about/media/pdfs/symc_2011_SMB_DP_Survey_Report_Global.pdf.
[3] Mandiant, “APT1 - Exposing One of China's Cyber Espionage Units,” 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
[4] Chen Jie, Ministry of National Defense, The People's Republic of China, “China has no cyber warfare troops: spokesman,” 2013, http://eng.mod.gov.cn/Press/2013-03/01/content_4434894.htm.
[5] Lana Lam, South China Morning Post, “Edward Snowden: US government has been hacking Hong Kong and China for years,” 2013, http://www.scmp.com/news/hong-kong/article/1259508/edward-snowden-us-government-has-been-hacking-hong-kong-and-china.
[6] M. Roesch et al., “Snort: Lightweight intrusion detection for networks,” in Proceedings of the 13th USENIX Conference on System Administration (LISA), Seattle, Washington, 1999, pp. 229–238.
[7] J. Quittek, T. Zseby, B. Claise, and S. Zander, “Requirements for IP Flow Information Export (IPFIX),” IETF RFC 3917, Oct. 2004.
[8] A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller, “An overview of IP flow-based intrusion detection,” IEEE Communications Surveys & Tutorials, vol. 12, no. 3, pp. 343–356, 2010.
[9] P. Endo and D. Sadok, “Whois based geolocation: A strategy to geolocate Internet hosts,” in 24th IEEE International Conference on Advanced Information Networking and Applications (AINA), IEEE, 2010, pp. 408–413.
[10] A. Dahnert, “HawkEyes: An advanced IP geolocation approach: IP geolocation using semantic and measurement based techniques,” in Second Worldwide Cybersecurity Summit (WCS), IEEE, 2011, pp. 1–3.
[11] S. Laki, P. Mátray, P. Hága, T. Sebők, I. Csabai, and G. Vattay, “Spotter: A model based active geolocation service,” in INFOCOM 2011 Proceedings, IEEE, 2011, pp. 3173–3181.
[12] V. Padmanabhan and L. Subramanian, “An investigation of geographic mapping techniques for Internet hosts,” in ACM SIGCOMM Computer Communication Review, vol. 31, ACM, 2001, pp. 173–185.
[13] A. Ziviani, S. Fdida, J. de Rezende, and O. Duarte, “Improving the accuracy of measurement-based geographic location of Internet hosts,” Computer Networks, vol. 47, no. 4, pp. 503–523, 2005.
[14] M. Zhang, Y. Ruan, V. Pai, and J. Rexford, “How DNS misnaming distorts Internet topology mapping,” in Proceedings of the USENIX 2006 Annual Technical Conference, 2006.
[15] B. Gueye, A. Ziviani, M. Crovella, and S. Fdida, “Constraint-based geolocation of Internet hosts,” in Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, ACM, 2004, pp. 288–293.
[16] B. Gueye, S. Uhlig, A. Ziviani, and S. Fdida, “Leveraging buffering delay estimation for geolocation of Internet hosts,” in NETWORKING 2006: Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems, pp. 319–330, 2006.
[17] B. Wong, I. Stoyanov, and E. Sirer, “Octant: A comprehensive framework for the geolocalization of Internet hosts,” in Proceedings of NSDI, vol. 7, 2007.
[18] D. Moore, R. Periakaruppan, J. Donohoe, and K. Claffy, “Where in the world is netgeo.caida.org?” INET, 2000.
[19] Cooperative Association for Internet Data Analysis (CAIDA), “NetGeo,” http://www.caida.org/tools/utilities/netgeo/.
[20] Jgsoft Associates, “IP2Geo: Frequently Asked Questions, How accurate is IP-Country-Region-City-ISP database?” 2013, http://www.ip2geo.net/ip2location/ip-country-region-city-isp-faq.html.
[21] B. Wong, I. Stoyanov, and E. G. Sirer, “Geolocalization on the Internet through constraint satisfaction,” in Proceedings of the 3rd USENIX Workshop on Real, Large Distributed Systems (WORLDS), 2006, pp. 1–1.
[22] C. Guo, Y. Liu, W. Shen, H. J. Wang, Q. Yu, and Y. Zhang, “Mining the web and the Internet for accurate IP address geolocations,” in INFOCOM 2009, IEEE, 2009, pp. 2841–2845.
[23] I. Poese, M. A. Kaafar, B. Donnet, B. Gueye, and S. Uhlig, “IP geolocation databases: Unreliable?” Deutsche Telekom Laboratories / TU Berlin, Technical Report, March 2011.
[24] S. Laki, P. Mátray, P. Hága, I. Csabai, and G. Vattay, “A model based approach for improving router geolocation,” Computer Networks, vol. 54, no. 9, pp. 1490–1501, 2010.
[25] B. Huffaker, M. Fomenkov, and K. Claffy, “Geocompare: A comparison of public and commercial geolocation databases,” Network Mapping and Measurement Conference (NMMC), Technical Report, May 2011.
[26] S. S. Siwpersad, B. Gueye, and S. Uhlig, “Assessing the geographic resolution of exhaustive tabulation for geolocating Internet hosts,” in Passive and Active Network Measurement Workshop (PAM), Springer-Verlag, 2008, pp. 11–20.
[27] Y. Shavitt and N. Zilberman, “A study of geolocation databases,” School of Electrical Engineering, Technical Report, July 2010.
[28] M. Dischinger, A. Haeberlen, K. Gummadi, and S. Saroiu, “Characterizing residential broadband networks,” IMC, Technical Report, 2007.
[29] K. Gottschalk, “NeedMoreCookies: The Funstuff Crawler,” website, http://needmorecookies.com/.
[30] K. G. Lars Stiemert, “Geolocalization and Verification of IP Addresses (German: Geolokalisation und Verifikation von IP-Adressen),” Master's thesis, Institut für Technische Informatik, Universität der Bundeswehr München, Germany, 2012. (Online). Available: https://www.unibw.de/inf3/forschung/dreo/publikationen/ba-und-ma/2012_Stiemert-Gottschalk_Geolokalisation.pdf