How to Get a North Korea / Antarctica VPS

(blog.lyc8503.net)

113 points | by uneven9434 8 hours ago

37 comments

  • a-ve 5 hours ago

    I've wanted to try something like this before, but I was under the impression that providers like MaxMind might use other techniques to figure out the "real" location of a server.

    ipinfo.io uses a probe network for this[1], but even then a server physically located in the Netherlands with an IP announced as being from, say, Seychelles would still respond to pings faster from a European location than from somewhere like Singapore (unless you go out of your way to induce latency to ICMP responses).

    [1] https://ipinfo.io/blog/probe-network-how-we-make-sure-our-da...

    • Scoundreller 2 hours ago

      > unless you go out of your way to induce latency to ICMP responses

      Might be hard to get the ping response time right from your Seychelles probe if you’re pretending to be in Seychelles but actually in Netherlands

      • londons_explore an hour ago

        You can add 100ms to all responses to simulate 'user is on the end of a slow ADSL connection'.

        That way you can still get the 'right' ping times to all places

    • walletdrainer an hour ago
  • est 3 hours ago

    surprised to see a p3terx blog reference here. His CF WARP scripts were quite popular.

    Some background info: in China, all online discourse are required to show the user's provincial-level origin, or country name for non-mainland users, using geoip. this is enforced by the Cyber Admin Commission of CCP.

    • thrdbndndn an hour ago

      I was surprised too, but later learnt the author is also from China, which explained it.

      BTW, do his CF WARP scripts still work? I know he no longer updates them, but never really knew if they still work after all these months (years?).

    • miki123211 2 hours ago

      > all online discourse are required to show the user's provincial-level origin

      What is the point of such a rule?

      I understand why one would want to show that a foreign user is foreign, but what's the point for showing provincial origin?

      • londons_explore an hour ago

        Internet rules vary in different parts of China.

        Some western sites are blocked in some regions but not others.

      • bouncycastle an hour ago

        different provinces have different demographics and therefore slightly different sentiment?

      • est 2 hours ago

        > What is the point of such a rule?

        Hmm, it's a bit dark: China does not have a federal level task force like the FBI or CIA, raids/arrests are executed by provincial or municipal PD. It's called 公安属地原则 [the principle of territorial jurisdiction in public security] thingy

  • 4ndrewl an hour ago

    My first thought was "is this legal?", but then had a hard time considering even which jurisdiction this (or using a "fraudulent" IP location) would fall under?

  • b3lvedere 2 hours ago

    This is going to be fun when the moon and Mars have internet.

  • samlinnfer 2 hours ago

    The real question is where does Cloudflare get North Korean IPv4 blocks to feed into Warp, or Antarctic blocks for that matter.

    • efesak 35 minutes ago

      Cloudflare does not have any IPv4 blocks in North Korea. Geolocation databases use RIPE as the primary source and then make estimates using various tools.

      Interestingly, according to RIPE, North Korea has only assigned one IPv4 block (see https://github.com/analogic/ipgeo/blob/master/by-country/KP), whereas Antarctica has none.

    • walletdrainer an hour ago

      Cloudflare is a big player and can get the geoip providers to do basically whatever they want.

  • rootsudo 3 hours ago

    This is a great post, I was asking about this for asn location to ChatGPT and it was telling me it wouldn’t help on this request lol.

    But thanks to this series I set up an ARIN account, got allocated ipv6 and ipv4 addresses and starting the ASN assignment process. It’s a fun rabbit hole to go into.

  • parallax_error 5 hours ago

    > Now test your VPS’s IPv4 geolocation using Cloudflare’s /cdn-cgi/trace endpoint (available on any site behind CF)

    Interesting, this really does seem to work on any site behind CF. Are there any other endpoints like this?

  • tonyhart7 6 hours ago

    Yeah Geo-IP is "fake" when I look at this deeper, idk why people use this as source of truth

    also important point when you're using Starlink and got totally different "relay" station sometimes can be thousand miles away, I think we need to "upgrade" our internet infrastructure for interplanetary system

    • basilikum 5 hours ago

      It's the best there is and good enough for most business purposes. Regulations may require you not to do business with people in certain countries so you have to do a good faith effort not to provide your services to those people. GeoIP, despite just being an indicator or correlation rather than objective truth, just happens to be that good faith effort.

      • alwa 3 hours ago

        …and for that matter, the more people game GeoIP like this, the less it’s “good enough.”

        The regulatory imperative isn’t going anywhere, even if we degrade our good-enough, handshake-based, AS-operator-trusting system.

        If history is any guide, any replacement technology might look a lot more intrusive and a lot more onerous: the first thought that comes to mind is some kind of DRM-style, device-based, attested location surveillance (tied to a government ID? Why not?!) as “proof of location,” and I’m sure the powers that be could come up with “better”…

        • palata 2 hours ago

          > any replacement technology might look a lot more intrusive

          Unfortunately, I don't think that not gaming GeoIP will change that. It's going there already.

    • __m 3 hours ago

      Yes we need more tools to track people

  • ranger_danger 7 hours ago

    tl;dr it requires owning your own IP blocks and then lying.

    > In reality, the “location” of an IP is inherently fuzzy. For instance, my 2a14:7c0:4d00::/40 block was originally allocated to Israel. But later, I bought parts of this range and announced them via BGP in Germany, the US, and Singapore (see previous article on Anycast networks). Meanwhile, I’m physically located in mainland China. As the owner of this IP block, I can also freely edit the country field in the WHOIS database — and I set it to KP (North Korea).

    > Because of this ambiguity, it’s nearly impossible to precisely determine an IP’s location using any single technical method. As a result, almost all geolocation databases accept public/user-submitted correction requests.

    I would not be surprised if this practice is technically against most terms of service.

    • ronsor 6 hours ago

      > I would not be surprised if this practice is technically against most terms of service.

      It doesn't really matter. RIPE and other RIRs let you put whatever metadata you want for an IP range into the database, and you can serve whatever you want from your own geolocation feed. If the geolocation providers don't like it, it's up to them to stop fetching your data.

    • Sanzig 6 hours ago

      And here I was hoping someone had a Proxmox node running at McMurdo and was renting out VMs for the novelty factor.

      • tonyhart7 5 hours ago

        isn't this possible with tech like starlink????

        I bet they didn't to buy cooling system /s

    • palata 2 hours ago

      Naive question: how do you own an IP block? Can you just buy it somehow?

      • q0uaur an hour ago

        the linked page has an earlier blog entry talking about that:

        https://blog.lyc8503.net/en/post/asn-1-asn-registration/

        quickly skimming the article i couldn't see a specific price for the ipv4 block, but ipv6 is cheap - the article mentions having to pay at least $50 a year + service fees to a "LIR", and you also need a BGP-enabled hosting provider which i imagine will come with similar cost at least (don't quote me on that).

      • immibis 12 minutes ago

        For RIPE (don't know others) there are two ways: you can either sign up as a full member (an ISP) for 1500€/year, which gives you the same rights as any other ISP. You can also request a "provider independent" or PI address block, which comes with some contractual restrictions (you have to use it yourself and you can't act as an ISP), from a member for 50€/year plus their profit margin. Officially you should get one from your actual ISP, but there are a few RIPE members who sell easy access to PI blocks as part of their business model.

    • throwawaysoxjje 3 hours ago

      Whose terms of service? Their upstream? the RIR’s?

    • throwaway808081 6 hours ago

      IIRC the country code RFC does not specify physical location, nationality of entity, or other.

  • calvinmorrison 6 hours ago

    > tl;dr it requires owning your own IP blocks and then lying.

    If this was the case, and there's tons of financial incentive to do so, wouldn't cloudflare, etc., block not based on the reported 'country' but some fuzzy heuristic that knows what country it comes from? hops?

    • seszett an hour ago

      That might work in big countries like the US, but in western Europe it's basically impossible to tell whether a connexion originates from London, Paris, Brussels or Amsterdam just by hop count or latency.

      Even just jitter in router response time is already higher than the difference in latency due to speed of light between those locations. And just France is large enough that a connexion to some IP in France might legitimately travel further or not compared to a connexion to some other country, from basically any vantage point you might be looking from, and might or might not round-trip through Paris, adding potentially up to 1500 km of uncertainty in the path.

      Identifying the interchanges the packets go through can help though, but not as much for residential ISPs.

    • gpm 4 hours ago

      They've got enough points of presence that they ought to be able to narrow most people down to a reasonably small circle just by speed of light - unless they're intentionally increasing their ping or on some terribly congested network or something.

    • rootsudo 3 hours ago

      The fuzzy heuristic can just be ping speed. Can’t beat the speed of light (yet.)

      But cloudflare already is toxic, doable third party cookies - friction nonstop, etc.
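
The speed-of-light check that several comments above describe (probe networks, ping time as a heuristic), written out as an added example; it is not code from the thread or from the linked blog. The probe locations and RTT values are constructed sample data, and 200 km per millisecond of one-way delay (about two thirds of c, typical for fibre) is an assumption. The test is one-sided: delay can be added to a reply but not removed, so it only flags a claimed location that is too far from a probe that got a fast answer.

```python
import math

FIBER_KM_PER_MS = 200.0   # assumed signal speed in fibre, ~2/3 of c
EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms):
    """Upper bound on probe-to-target distance: half the RTT at fibre speed."""
    return rtt_ms / 2 * FIBER_KM_PER_MS

def contradicting_probes(claimed, probes):
    """Return (probe, distance_km, limit_km) for every probe whose minimum RTT
    is too short for the target to be at the claimed location."""
    out = []
    for name, location, min_rtt_ms in probes:
        distance = haversine_km(location, claimed)
        limit = max_distance_km(min_rtt_ms)
        if distance > limit:
            out.append((name, round(distance), round(limit)))
    return out

# Constructed sample: minimum RTT seen from three probes to one target address.
PROBES = [
    ("amsterdam", (52.37, 4.90), 2.0),
    ("frankfurt", (50.11, 8.68), 9.0),
    ("singapore", (1.35, 103.82), 165.0),
]
SEYCHELLES = (-4.62, 55.45)    # location the geolocation record claims
NETHERLANDS = (52.13, 5.29)    # alternative hypothesis

if __name__ == "__main__":
    for label, claim in (("Seychelles", SEYCHELLES), ("Netherlands", NETHERLANDS)):
        bad = contradicting_probes(claim, PROBES)
        verdict = "physically impossible" if bad else "consistent with RTTs"
        print(f"{label}: {verdict} {bad}")
```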