1

I am working on a non-security related research project where we have a list of anonymized IP addresses with the last 3 digits (the last block) masked. The project is about tracking attention to the publicly available data online. The addresses come in the following form:

12.101.176.jde

130.101.118.fh

The IPs have been collected over several years. I am wondering how much information can be gleaned out of 3 first blocks of the IPs. The state where the IP address is located or the ISP would be great. I’m generally familiar (layman) with the way IPs are assigned, so I know it might be a fool’s errand, but still I thought I would ask.

Giacomo1968
  • 58,727

3 Answers

1

I’m generally familiar (layman) with the way IPs are assigned, so I know it might be a fool’s errand, but still I thought I would ask.

Not a bad question, but only full IP addresses can really reveal much of anything about geolocation. You can fool yourself into believing you can deduce deep meaning from the first three octets of an IP address, but it’s not reliable to say the least.

So using your examples, let’s just add a 1 to the first block (12.101.176) which is 12.101.176.1 and results in these results from the geoiplookup GeoIP tool:

GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, N/A, N/A, N/A, N/A, 37.750999, -97.821999, 0, 0
GeoIP ASNum Edition: AS7018 AT&T Services, Inc.

And here are the results for 12.101.176.254; the last assignable IP address in a range:

GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, N/A, N/A, N/A, N/A, 37.750999, -97.821999, 0, 0
GeoIP ASNum Edition: AS7018 AT&T Services, Inc.

Similarly, the 130.101.118 block shows this for 130.101.118.1:

GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, OH, Ohio, Akron, 44325, 41.076401, -81.510300, 510, 330
GeoIP ASNum Edition: AS20085 The University of Akron

And this for 130.101.118.254:

GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, OH, Ohio, Akron, 44325, 41.076401, -81.510300, 510, 330
GeoIP ASNum Edition: AS20085 The University of Akron

In this case it seems like both ranges show that everything from x.x.x.1 to x.x.x.254 in a range should have the same info. But honestly, that is not always the case. For example, in the future those AT&T IP addresses could get assigned more specific GeoIP information associated to them. Ditto with those University of Akron examples.

But equally, you just don’t know. Let’s say AT&T or the University of Akron sell their ranges—partially or fully—to something else. Or maybe use the addresses to be a part of a network out of their general locale? Who knows.

Giacomo1968
  • 58,727
0

GeoIP is notoriously unreliable.

GeoIP isn't exactly guesswork, as some data has been obtained using efforts that can, at times, be useful. However, guesswork may have been used as part of the efforts to include some data, even if it is just guessed data, instead of having absolutely no data for some IPs. So, accuracy varies wildly.

Here is one example of why such information can be so vastly off:

I just looked up ARIN's info on 104.140.211/24 and it points to "LinkGrid LLC (LL-333)", and includes a comment that mentions "https://www.linkgrid.com/", and includes an address of PO BOX 1272 in CHARLOTTESVILLE VA.

So that would appear to be in Virginia. However, the referenced website seems to indicate that the data center is in Kirkland, WA. So this one IP block has different information suggesting locations on opposite (West and East) sides of a continent.

So those are current results. Did you want the geographic information provided by ARIN, or by HTTP? With such conflicting information, you can get various information from the unstandardized GeoIP technologies, with varying degrees of accuracy.

TOOGAM
  • 16,486
-1

Add .1 and .254 to the end of the blocks you have, and search any IP database for those IPs, and you will see, in general, the country and the ISP/institution that owns that block; in some cases you might get the state and city.

It is possible in some cases that a single /24 network is divided between several different ISPs and countries, and that you get different results for the .1 and .254 addresses.

You can put an IP with .1 on http://ipinfo.io/, and then walk down until you get to the smallest subnet, to see what is publicly available.

http://ipinfo.io/12.101.176.1

http://ipinfo.io/AS7018/12.0.0.0/8-12.101.176.0/22 This just gives you the country.

http://ipinfo.io/130.101.118.1

http://ipinfo.io/AS20085/130.101.0.0/16-130.101.118.0/23 University of Akron, Ohio.

Depending on the IPs, you might get cases where the smallest subnet is over /24, in which case IPs from that range could come from different subnets.

ralz
  • 2,566
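The .1/.254 comparison described in the answers, generalized to a prefix-table check, as an added example that is not code from any of the posters. The table is constructed: the 12.x and 130.101.x rows reuse prefixes and AS names quoted above, while the 198.51.100.x rows and the function names are assumptions made up to show a /24 that is split between two owners.

```python
import ipaddress

# Constructed prefix table. The 12.x and 130.101.x rows reuse prefixes and AS
# names quoted in the answers; the 198.51.100.x rows are invented
# (documentation address space, documentation ASNs) to show a split /24.
PREFIX_TABLE = [
    ("12.0.0.0/8", "AS7018 AT&T Services, Inc."),
    ("12.101.176.0/22", "AS7018 AT&T Services, Inc."),
    ("130.101.0.0/16", "AS20085 The University of Akron"),
    ("130.101.118.0/23", "AS20085 The University of Akron"),
    ("198.51.100.0/25", "AS64500 (constructed)"),
    ("198.51.100.128/25", "AS64501 (constructed)"),
]
TABLE = [(ipaddress.ip_network(p), owner) for p, owner in PREFIX_TABLE]


def masked_to_network(masked):
    """Turn '12.101.176.jde' into the /24 that must contain the real address."""
    parts = masked.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected three octets plus a masked block: {masked!r}")
    # ip_network() rejects non-numeric or out-of-range octets for us.
    return ipaddress.ip_network(".".join(parts[:3]) + ".0/24")


def resolve(masked):
    """Return (network, status, owners, matched_prefix) for a masked address."""
    net = masked_to_network(masked)
    # A table prefix longer than /24 inside this block means the hidden octet
    # decides the answer, so .1 and .254 can disagree.
    inside = [(n, o) for n, o in TABLE if n.prefixlen > 24 and n.subnet_of(net)]
    if inside:
        return str(net), "ambiguous", sorted({o for _, o in inside}), None
    # Otherwise every covering prefix holds the whole /24: take the most specific.
    covering = [(n, o) for n, o in TABLE if net.subnet_of(n)]
    if not covering:
        return str(net), "unknown", [], None
    best, owner = max(covering, key=lambda hit: hit[0].prefixlen)
    return str(net), "unique", [owner], str(best)


if __name__ == "__main__":
    for sample in ("12.101.176.jde", "130.101.118.fh", "198.51.100.xx", "203.0.113.q"):
        print(sample, "->", resolve(sample))
```

Because the addresses were collected over several years and blocks can change hands, a real run would need a prefix table dated to when each address was logged.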