What are you guys using as a reliable GeoIP database? I’ve tried MaxMind and a few others, also checking against ARIN, but there are tons of differences.
For example: 1.2.9.0/24. ARIN says it belongs to China Telecom but others say it’s part of Russia: https://ipregistry.co/1.2.9.0
IPInfo would be a solid choice, but MaxMind is also reliable in most cases. However, some IP databases often provide inaccurate results, and I would recommend avoiding IPStack.
ARIN WHOIS is updated by the IP owner or user and can often be outdated or inaccurate, as many operators do not update it frequently.
* qmail@top-consulting.net (Scott Q.) [Mon 03 Feb 2025, 12:18 CET]:
> What are you guys using as a reliable GeoIP database? I've tried MaxMind and a few others, also checking against ARIN, but there are tons of differences.
I don’t feel like there is any reliable GeoIP database. The protocol wasn’t designed for this and thus there is a lot of false information presented about where IP addresses are located.
This is factual. I spend a significant amount of effort ensuring geoip is accurate for our customers and the proliferation of vendors makes this very annoying and time consuming when we are onboarding a new block. RFC9632 at least makes this easier - I definitely recommend doing so if you are not.
100%. We have certain things we do here at ThreatSTOP that isolate some locations based on the upstream provider because all of the GeoIP databases are wrong.
If we collectively understand that GeoIP is “best guess” or “best attempt” and not gospel, we’d all be better off.
The trouble with all the IP Geo providers is they're selling data based on:
1) Assumptions
2) Unmaintained data
3) Stale data
RIR records are notorious for being unmaintained (by the member...I'm not blaming ARIN/RIPE/etc.). Same goes for rDNS...again, because the owner of the space doesn't care enough to keep it up to date...because it's not generally of operational importance to them.
Some networks will publish geofeeds, but getting all the IP Geo providers to consume those is like herding invisible cats.
And don't get me started on end-users who consume data from an IP Geo provider and "set and forget" it...ending up with years-old data, based on which they deny network or website access.
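
The replies above agree that GeoIP answers are a best guess, that sources disagree, and that stale records end up driving access denials. As an added example that is not part of the thread, this sketch only lets geography drive a deny when every source agrees and every record is fresh. The vendor names, prefixes (documentation ranges), dates, the 180-day threshold and all function names are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample records (documentation prefixes, hypothetical vendors):
# prefix -> (country code, date the vendor last refreshed the record)
SOURCES = {
    "vendor_a": {"192.0.2.0/24": ("CN", date(2025, 1, 20)),
                 "198.51.100.0/24": ("DE", date(2025, 1, 15)),
                 "203.0.113.0/24": ("US", date(2022, 6, 1))},
    "vendor_b": {"192.0.2.0/24": ("RU", date(2025, 1, 28)),
                 "198.51.100.0/24": ("DE", date(2025, 1, 30)),
                 "203.0.113.0/24": ("US", date(2021, 11, 9))},
}

def lookup(table, ip):
    """Longest-prefix match of ip in one source; (country, updated) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, record in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, record)
    return best[1] if best else None

def assess(ip, sources, today, max_age_days=180):
    """Classify how far a GeoIP answer for ip can be trusted.

    Returns (verdict, country). 'agree' requires that every source knowing
    the address names the same country and that no record is older than
    max_age_days; otherwise 'conflict', 'stale' or 'unknown' with None.
    """
    hits = [r for r in (lookup(t, ip) for t in sources.values()) if r]
    if not hits:
        return ("unknown", None)
    countries = {country for country, _ in hits}
    if len(countries) > 1:
        return ("conflict", None)
    if any((today - updated).days > max_age_days for _, updated in hits):
        return ("stale", None)
    return ("agree", countries.pop())

def geo_decision(ip, blocked, sources, today):
    """Deny on geography only when the answer is corroborated and fresh."""
    verdict, country = assess(ip, sources, today)
    if verdict == "agree" and country in blocked:
        return "deny"
    return "allow" if verdict == "agree" else "review"
```

A "review" result means geography alone should not decide; fall back to other signals or a manual check rather than blocking.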