Netcraft’s IP Geolocation service allows customers to accurately discover the physical location of internet servers. Unlike other commercial geolocation providers, our service does not rely on WHOIS information. Our service uses latency measurements and geometry alone to calculate geolocation, which means that we have an extremely high degree of confidence in our results.
Example of geolocating an IP address through the IP Geolocation web interface. This IP address is being used by a server in Dallas, TX.
Customers of the IP Geolocation service can perform lookups on IP addresses of their choosing. Lookups can be performed either through our dedicated web interface, shown above, or through an API.
This service is particularly useful to customers researching the infrastructure used by hosting companies. Customers interested in finding the legal jurisdiction of web content may also find the service valuable.
At Netcraft, we often investigate criminal hosting companies, and we have used the geolocation service many times during these investigations. We discussed one such investigation in a recent blog post, in which we identified the data centre in which 8chan is hosted.
Comparison to other commercial geolocation services
To illustrate the difference between our service and others, we have geolocated a small sample of IP addresses using a range of different services, including our own. All of the IP addresses are using incorrect WHOIS country codes. The table below summarises the results:
| IP address | WHOIS Country | Actual Country† | Provider 1 | Provider 2 | Provider 3 | Provider 4 | Provider 5 | Provider 6 | Netcraft |
|---|---|---|---|---|---|---|---|---|---|
| 5.62.61.64 |  North Korea |
 Czech Republic |
check |
check |
check |
times |
check |
times |
check |
| 197.231.221.1 |  Liberia |
 Sweden |
times |
times |
times |
times |
times |
times |
check |
| 165.231.147.103 |  Seychelles |
Sweden |
times  |
times  |
times |
times |
times |
times |
check |
| 199.191.51.17 |  Virgin Islands |
 United States |
times |
times |
times |
times |
times |
times |
check |
| 103.140.242.8 |  Cayman Islands |
 Hong Kong |
times |
times |
times |
check |
times |
check |
check |
| 172.111.131.1 |  Peru |
 Brazil |
times |
times |
times |
times |
times |
times |
check |
| 37.230.177.2 |  Italy |
United States |
check |
check |
check |
times |
check |
times |
check |
| Accuracy | - | - | 2/7 | 2/7 | 2/7 | 1/7 | 2/7 | 1/7 | 7/7 |
As the table shows, many geolocation providers will trust the country code provided on the WHOIS record of the IP address, ignoring the advice of internet registries:
“country:” – This identifies a country using the ISO 3166-2 letter country codes. It has never been specified what this country represents. It could be the location of the head office of a multi-national company or where the server centre is based or the home of the End User. Therefore, it cannot be used in any reliable way to map IP addresses to countries.
Technical details
We use a technique known as multilateration to find the locations in which IP addresses are being used. The satellite navigation and aerospace industries have been using multilateration for some time, but we are not aware of any other commercial IP multilateration service.
Example of performing multilateration using measurement servers in the UK, Italy and Belarus. The red area shows the range of possible locations of the target.
Performing multilateration on a target involves collecting latency measurements to the target from many different measurement servers across the world, converting those latency measurements into maximum distances from each server, and then using this information to exclude areas which the target cannot be within.
We have access to an array of over 11,000 measurement servers across the world through the RIPE Atlas network† , although we usually only need to use a small subset of these. We also run a small number of private measurement servers in a range of geographically diverse locations.
Netcraft regularly geolocates IP addresses hosting cybercrime, and these results are cached. We allow the public access to these results through our Site Report service (for example, here), although we rate-limit this access and limit the accuracy of results.
Limitations
Our multilateration approach relies on collecting latency measurements to targets, which is slower and more expensive than a simple WHOIS lookup. Because of this, we cannot geolocate the entire IP address space ahead of time, so geolocation must be performed on demand (if the result isn’t in our cache). Additionally, the maximum accuracy of our service is dependent on the latency from the nearest measurement server. Residential IP addresses often have too much latency to be geolocated accurately.
