The Side Effect of GeoIP Filters
IP location, GeoIP or geolocation are terms used to describe techniques that assign a geographic location to an IP address. Databases are built and maintained to link the following details to IP addresses:
- Country
- Region
- City
- Postal code
- Internet Service Provider
- Coordinates (Longitude, Latitude)
- Autonomous system (BGP)
There are many IP location service providers, like Maxmind or DB-IP. Some are free, others are commercial. How and when can IP location be useful? Usually, to give more visibility in reporting. The map below represents the geographic location of hosts that connected to my honeypots during the last 24 hours:
IP location can be used to enrich your data and improve visibility in security dashboards:
If increasing visibility is a nice feature, why not also use IP location databases for defensive purposes? Some security products offer this feature. You can block traffic coming from certain regions:
If this looks very “aggressive”, in some cases it can be useful if you want to protect online services used only by local people (from your country). If you don’t do business with China, you should not receive connections from Chinese IP addresses. This sounds legitimate. However, this control may have nasty side effects. The IPv4 address space being fully assigned[1], organisations that need more IP addresses are looking to buy subnets from other organisations that have unused allocations. A new business is born!
One of our readers, based in the US, contacted us about an issue with a /19 subnet they bought from an ISP in another country. They started to allocate IP addresses from this /19 to their customers, and some of those customers were not able to connect to third-party websites. After some investigation, it turned out that the affected websites used IP location databases to restrict access to “trusted” countries (note the quotes!). Their IP location databases being too old, the IP addresses were still referenced as assigned to their old country and… blocked!
How are those databases updated? The Internet topology changes daily and IP ranges are (re-)assigned all the time. Most GeoIP database providers use whois records to track changes and update their databases as fast as possible. Maxmind is transparent about the accuracy of their data[2]. They also provide a form to submit corrections. Here is an example of the database accuracy for Belgium:
Even if databases are constantly updated (the update rate may also depend on your subscription - free or paid), it’s the responsibility of the end-user or the security solution provider to implement a process that automatically updates the databases. It’s possible to check the version from the command line. Here is an example with Linux and the GeoIP tools:
root@so:/# geoiplookup -v 8.8.8.8
GeoIP Country Edition: GEO-106FREE 20170307 Build 1 Copyright (c) 2017 MaxMind
GeoIP City Edition, Rev 1: GEO-533LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
GeoIP ASNum Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Reser
GeoIP Country V6 Edition: GEO-106FREE 20170307 Build 1 Copy
GeoIP ASNum V6 Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Re
GeoIP City Edition V6, Rev 1: GEO-536LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
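Note that in this output the City editions (20151201) are fifteen months older than the Country editions (20170307). As an added example (not part of the diary or of the GeoIP tools), here is a small Python check that parses that `geoiplookup -v` output, reports every edition older than a chosen limit, and refuses to trust a country-based filter when the Country edition is stale; the check date 2017-03-08 and the 30-day limit are assumptions.

```python
import re
from datetime import date

# Output of `geoiplookup -v` as printed in the diary above (the copyright
# strings are truncated there as well); only edition name and build date matter.
GEOIPLOOKUP_OUTPUT = """\
GeoIP Country Edition: GEO-106FREE 20170307 Build 1 Copyright (c) 2017 MaxMind
GeoIP City Edition, Rev 1: GEO-533LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
GeoIP ASNum Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Reser
GeoIP Country V6 Edition: GEO-106FREE 20170307 Build 1 Copy
GeoIP ASNum V6 Edition: GEO-117 20170306 Build 1 Copyright (c) 2017 MaxMind Inc All Rights Re
GeoIP City Edition V6, Rev 1: GEO-536LITE 20151201 Build 1 Copyright (c) 2015 MaxMind Inc All Rights Reserved
"""

# Each line reads "<edition name>: <db id> <YYYYMMDD> Build <n> ..."
EDITION_RE = re.compile(r"^(GeoIP [^:]+): (\S+) (\d{8}) Build (\d+)")


def parse_editions(output):
    """Map each edition name to its build date, parsed from `geoiplookup -v` output."""
    editions = {}
    for line in output.splitlines():
        m = EDITION_RE.match(line)
        if m:
            name, _db_id, ymd, _build = m.groups()
            editions[name] = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    return editions


def check_geoip_age(output, today_iso, max_age_days=30):
    """Return {edition: age in days} for every edition older than max_age_days.

    today_iso is the date of the check (assumed here; a scheduled job would use date.today()).
    """
    today = date.fromisoformat(today_iso)
    ages = {name: (today - built).days for name, built in parse_editions(output).items()}
    return {name: age for name, age in ages.items() if age > max_age_days}


def country_filter_trustworthy(output, today_iso, max_age_days=30):
    """False when any Country edition is stale: a block decision based on it
    would still place recently reassigned ranges (like the /19 above) in their old country."""
    stale = check_geoip_age(output, today_iso, max_age_days)
    return not any(name.startswith("GeoIP Country") for name in stale)


if __name__ == "__main__":
    for name, age in sorted(check_geoip_age(GEOIPLOOKUP_OUTPUT, "2017-03-08").items()):
        print(f"STALE: {name} is {age} days old")
    print("country filter trustworthy:", country_filter_trustworthy(GEOIPLOOKUP_OUTPUT, "2017-03-08"))
```

Run the same check a few weeks later without updating and the Country editions cross the limit too, which is exactly the situation the affected websites were in.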
I checked our reader’s new IP addresses against several online services and all of them reported an accurate location (USA). Conclusion: the blocking service was for sure using an outdated version of an IP location database. The only solution is to contact them to report the problem and ask them to upgrade.
Personally, I wouldn’t recommend blocking traffic based on IP location. Why? The Internet has no borders and you never know from where your visitors will reach you. The following Tweet is the best example:
[1] https://blog.apnic.net/wp-content/uploads/2016/01/afig1.jpg
[2] https://www.maxmind.com/en/geoip2-city-database-accuracy
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant