Introduction
We are providing some examples of where database methods get the location of a host incorrect. There are multiple reasons for this, including:
- The database uses the Top Level Domain to identify the country. However, some countries such as Tuvalu (.tv) and Djibouti (.dj, short for music Disk Jockey) market their TLDs.
- To improve performance, especially for regions with poor connectivity, there may be a proxy in another country.
- To improve performance for very popular sites they often have hosts with the same name distributed across the world.
- Internet routers are often identified as located at the corporate headquarters. This can lead to invalid visual traceroutes; see for example the VTrace gallery.
- A host may move as the owning company moves from one site to another.
- As IPv4 addresses run out, some companies are registering their IP addresses in regions/countries that still have IPv4 address space. The adoption of foreign IP addresses gives some breathing room, but there are also drawbacks. It will become more difficult to use geolocation services that rely on IP addresses. Geolocation and ad revenue are such powerful driving forces that they may help speed up the implementation of IPv6, Eriksson said. See http://www.networkworld.com/article/2363543/ipv6/need-to-move-to-ipv6-highlighted-as-microsoft-runs-out-of-us-address-space.html?source=NWWNLE_nlt_daily_pm_2014-06-13#tk.rss_all
Incorrect result I
traceroute to 193.220.46.70 (193.220.46.70), 30 hops max, 38 byte packets
 1 rtr-servcore1-nethub (134.79.19.4) 0.648 ms 0.228 ms 0.472 ms
 2 rtr-core2-p2p-servcore1 (134.79.252.162) 0.342 ms 0.256 ms 0.271 ms
 3 rtr-border1-p2p-core2 (134.79.252.137) 0.497 ms 0.926 ms 0.301 ms
 4 192.68.191.245 (192.68.191.245) 0.562 ms 0.363 ms 0.481 ms
 5 sunnsdn2-slacmr1.es.net (134.55.217.2) 0.619 ms 0.714 ms 0.748 ms
 6 sunncr1-sunnsdn2.es.net (134.55.209.98) 1.023 ms 0.788 ms 0.931 ms
   MPLS Label=136016 CoS=0 TTL=1 S=1
 7 paixpart2-sunncr1.es.net (134.55.218.133) 1.432 ms 1.409 ms 1.292 ms
 8 unknown.Level3.net (209.245.146.145) 1.166 ms 1.217 ms 1.075 ms
 9 so-2-1-0.bbr1.SanJose1.Level3.net (4.68.114.153) 3.574 ms 3.049 ms 3.790 ms
10 ae-1-0.bbr2.Dusseldorf1.Level3.net (212.187.128.21) 165.467 ms 165.667 ms 165.440 ms
11 so-3-0-0.mp1.Berlin1.Level3.net (4.68.128.42) 176.505 ms 224.081 ms 177.365 ms
12 ae-31-53.ebr1.Berlin1.Level3.net (4.68.108.94) 177.440 ms 190.223 ms 180.747 ms
13 ae-2-7.bar1.Stockholm1.Level3.net (4.69.140.201) 194.848 ms 194.563 ms 194.597 ms
14 VIZADA-NETW.bar1.Stockholm1.Level3.net (213.242.69.34) 203.616 ms 203.061 ms 203.522 ms
15 NO-NIT-TN-6.taide.net (193.219.193.136) 204.151 ms 204.134 ms 204.159 ms
16 193.220.46.65 (193.220.46.65) 740.045 ms 738.744 ms 739.817 ms
17 193.220.46.78 (193.220.46.78) 739.863 ms 739.441 ms 739.970 ms
18 193.220.46.70 (193.220.46.70) 741.354 ms 738.494 ms 739.066 ms
With reference to the traceroute above, the node so-3-0-0.mp1.Berlin1.Level3.net (4.68.128.42) is in Germany, Europe, considering the Round Trip Times (RTT) from the following monitoring nodes:
From | RTT |
---|---|
Stuttgart, Germany | 14 ms |
Karlsruhe, Germany | 20 ms |
However, Geoiptool suggests that the node is in Kansas, US. IP2Location suggests that it is in Washington, DC.
TULIP suggests that it is somewhere in Europe (though it locates it in Norway, my hunch is that it is somewhere closer to the intersection of the 4 circles).
Incorrect result II
Similarly the node ae-1-0.bbr2.Dusseldorf1.Level3.net (212.187.128.21) is in Germany considering the following RTTs:
From | RTT |
---|---|
Karlsruhe, Germany | 8 ms |
Stuttgart, Germany | 13 ms |
Zurich, Switzerland | 13 ms |
Warrington, UK | 13 ms |
London, UK | 14 ms |
Whereas IP2Location suggests that it is in the UK, and so does Geoiptool.
TULIP suggests that the router is in the Netherlands, which seems to be more accurate:
Here are the RTTs from TULIP: (Netherlands RTT 3ms)
Incorrect Result III
dsas3.ctio.noao.edu (139.229.17.44) is in La Serena, Chile. GeoTool indicates it is in Tucson near the university. There are other hosts with the same domain name, such as dsan3.ctio.noao.edu, that are located in Tucson. Unfortunately these hosts do not respond to pings. The traceroute indicates that the host is a long way away (> 300ms) from SLAC and probably in S. America (ampath is the connection point in Florida to S. America):
37cottrell@pinger:~>traceroute dsas3.ctio.noao.edu 140
traceroute to dsas3.ctio.noao.edu (139.229.17.44), 30 hops max, 140 byte packets
 1 rtr-iepm-test (134.79.243.1) 0.326 ms 0.252 ms 0.244 ms
 2 rtr-core1-p2p-iepm (134.79.252.5) 0.287 ms 0.232 ms 0.219 ms
 3 rtr-core1-p2p-core1old (134.79.252.182) 0.321 ms 0.274 ms 0.268 ms
 4 rtr-border1-p2p-core1 (134.79.252.133) 0.428 ms 0.324 ms 0.312 ms
 5 slac-mr2-p2p-rtr-border1 (192.68.191.245) 0.260 ms 0.228 ms 0.224 ms
 6 sunnsdn2-ip-slacmr2.es.net (134.55.217.2) 0.874 ms 0.862 ms 0.859 ms
   MPLS Label=306784 CoS=6 TTL=1 S=0
 7 sunncr1-sunnsdn2.es.net (134.55.209.98) 0.960 ms 0.932 ms 0.937 ms
   MPLS Label=326496 CoS=6 TTL=1 S=0
 8 denvcr1-sunncr1.es.net (134.55.220.49) 27.943 ms 27.934 ms 56.111 ms
   MPLS Label=306272 CoS=6 TTL=1 S=0
 9 kanscr1-ip-denvcr1.es.net (134.55.209.46) 41.012 ms 41.024 ms 40.991 ms
   MPLS Label=307728 CoS=6 TTL=1 S=0
10 chiccr1-ip-kanscr1.es.net (134.55.221.58) 51.640 ms 51.666 ms 51.631 ms
   MPLS Label=337056 CoS=6 TTL=1 S=0
11 clevcr1-ip-chiccr1.es.net (134.55.217.53) 60.633 ms 60.601 ms 60.610 ms
   MPLS Label=301856 CoS=6 TTL=1 S=0
12 washcr1-ip-clevcr1.es.net (134.55.222.58) 68.134 ms 68.175 ms 68.105 ms
13 ampath-max.es.net (198.124.194.6) 88.318 ms 88.364 ms 88.375 ms
14 aura.ampath.net (198.32.252.218) 325.346 ms 325.963 ms 325.492 ms
15 139.229.127.249 (139.229.127.249) 326.392 ms 326.598 ms 326.655 ms
16 * * *
17 * * *
Incorrect result IV
Traceroute from SLAC to DESY (mms1.desy.de) using mtr.
46cottrell@pinger:~>sudo mtr -r -c 100 mms1.desy.de
HOST LOSS RCVD SENT BEST AVG WORST
rtr-servcore1-serv01-iepm.slac.stanford.edu 0% 100 100 0.32 0.67 1.41
rtr-core1-p2p-servcore1.slac.stanford.edu 0% 100 100 0.31 0.61 1.14
rtr-border1-p2p-core1.slac.stanford.edu 0% 100 100 0.42 3.66 89.68
slac-mr2-p2p-rtr-border1.slac.stanford.edu 0% 100 100 0.29 3.46 43.24
sunnsdn2-ip-slacmr2.es.net 0% 100 100 0.69 4.28 63.48
sunncr1-sunnsdn2.es.net 0% 100 100 0.76 0.98 1.50
elpacr1-ip-sunncr1.es.net 0% 100 100 25.57 28.03 51.02
houscr1-ip-elpacr1.es.net 0% 100 100 40.47 41.79 71.40
atlacr1-ip-houscr1.es.net 0% 100 100 63.91 64.12 64.51
washcr1-atlacr1.es.net 0% 100 100 77.41 78.02 111.31
esnet-wash.rt1.fra.de.geant2.net 0% 100 100 170.44 170.87 187.50
??? 100% 0 100 0.00 0.00 0.00
zr-pot1-te0-0-0-4.x-win.dfn.de 0% 100 100 184.23 184.76 194.12
xr-tub1-vlan500.x-win.dfn.de 0% 100 100 185.11 187.46 243.94
xr-des1-te1-1.x-win.dfn.de 0% 100 100 189.55 191.71 272.54
kr-desy.x-win.dfn.de 0% 100 100 190.41 196.04 509.16
??? 100% 0 100 0.00 0.00 0.00
rt-198-5.desy.de 1% 99 100 189.81 190.66 215.42
mms1.desy.de 1% 99 100 189.52 194.19 218.15
The traceroute is as expected up to the Washington to Frankfurt hop (esnet-wash.rt1.fra.de.geant2.net). There is an increase of approx. 100ms since it crosses the Atlantic. The actual path within Germany is Frankfurt, Potsdam, Tubingen, Hamburg. Therefore Frankfurt to Potsdam is as expected. However, things become strange at this point. From Potsdam (zr-pot1-te0-0-0-4.x-win.dfn.de) to Tubingen (xr-tub1-vlan500.x-win.dfn.de) it takes under 3ms on average. This seems highly unlikely since Potsdam is way up in the north of Germany and is about 650km away from Tubingen.
Moreover the traceroute shows that a packet takes more of a circuitous route to DESY (near Hamburg) from Frankfurt. We found more details on the route by looking at the WIN.DFN OWAMP map which shows which nodes are connected to which. The following table summarizes this indirect route.
From | To | Direction | Approx. Distance in km | Approx. Average RTT in ms | GeoIPTool | IPLocationTools | |
---|---|---|---|---|---|---|---|
Frankfurt (esnet-wash.rt1.fra.de.geant2.net) | Potsdam (zr-pot1-te0-0-0-4.x-win.dfn.de) | Potsdam is near Berlin NE of Frankfurt | 525km | 14ms | 30km SE Bonn, 50.55N, 7.4E | 30km SE Bonn, 50.55N, 7.4E | Berlin, 52.31N, 13.24E |
Potsdam (zr-pot1-te0-0-0-4.x-win.dfn.de) | Tubingen (xr-tub1-vlan500.x-win.dfn.de) | Tubingen is SW of Potsdam | 650km | ?3ms | 30km SE Bonn, 50.55N, 7.4E | 30km SE Bonn, 50.55N, 7.4E | Jena, 50.55N, 11.34E |
Tubingen (xr-tub1-vlan500.x-win.dfn.de) | Hamburg (xr-des1-te1-1.x-win.dfn.de) | Hamburg is N of Tubingen | 727km | 4ms | 30km SE Bonn, 50.55N, 7.4E | 30km SE Bonn, 50.55N, 7.4E | Jena, 50.55N, 11.34E |
Hamburg (xr-des1-te1-1.x-win.dfn.de) | Bremen (kr-desy.x-win.dfn.de) | Bremen is SW of Hamburg | 124km | 5ms | 30km SE Bonn, 50.55N, 7.4E | 30km SE Bonn, 50.55N, 7.4E | Berlin, 52.31N, 13.24E |
Bremen (kr-desy.x-win.dfn.de) | DESY, Hamburg (rt-198-5.desy.de) | DESY, Hamburg is NE of Bremen | 118km | 1ms | Hamburg, 53.7333N, 9.9E | Hamburg, 53.55N, 10E | Hamburg, 53.32N, 10E |
DESY, Hamburg (rt-198-5.desy.de) | DESY (mms1.desy.de) | DESY is near Hamburg | 8km | 4ms | Hamburg, 53.55N, 10E | Hamburg, 53.55N, 10E | Hamburg, 53.32N, 10E |
The map below shows the paths. Note that Garching is located close to Munich, and Tubingen is close to Reutlingen. The route from Frankfurt to DESY is shown in red, and the route from Frankfurt to Garching is in blue.
This observation also points out that RTT based geolocation techniques cannot be relied upon in case of such circuitous routes.
Malaysian Hosts
Looking at the Directivity for Malaysian hosts monitored from a Malaysian host, we see several with Directivity > 1.
Looking at www-wanmon.slac.stanford.edu/cgi-wrap/table.pl?from=Malaysia&to=Malaysia&file=alpha&date=2013-03
It is seen that for Mar 2013 the Directivity is > 1 (it is 2.17)
Clicking on the 2.17 we see in http://www-wanmon.slac.stanford.edu/cgi-wrap/pingtable.pl?by=by-node&file=alpha&from=MY.UM.PINGER&to=MY.AIU.EDU.MY that this is true for each month Feb thru April 2013.
Looking in pingtable.pl at the last 120 days from UM to Malaysia we see this is true for each day measured (the URL is http://www-wanmon.slac.stanford.edu/cgi-wrap/pingtable.pl?file=alpha&by=by-node&size=100&tick=last120days&from=MY.UM.PINGER&to=Malaysia&ex=none&only=all&dataset=hep&percentage=any)
Looking in pingtable.pl at last 120 days for minimum RTT for UM to Malaysia we see the min RTT to be consistent at ~ 1.2ms.
Clicking on the ?r for UM to AIU we get the lat-longs of the two sites:
NODENAME: pinger.fsktm.um.edu.my
IPADDRESS: 202.185.107.238
SITENAME: fsktm.um.edu.my
NICKNAME: MY.UM.PINGER
FULLNAME: University of Malaya
LOCATION: Kuala Lumpur
COUNTRY: Malaysia
CONTINENT: S.E. Asia
LATANDLONG: 3.1601 101.6910
NODENAME: www.aiu.edu.my
IPADDRESS: 110.4.45.135
SITENAME: aiu.edu.my
NICKNAME: MY.AIU.EDU.MY
FULLNAME: Albukhary International University
LOCATION: Albukhary International University, Alor Setar, Kedah
COUNTRY: Malaysia
CONTINENT: S.E. Asia
LATANDLONG: 6.1356 100.3905
Using the Google map tool (with Chrome or Firefox) http://www-wanmon.slac.stanford.edu/wan-mon/viper/pinger-coverage-gmap.html we see Alor Setar is in the N. of Malaysia.
Using http://www.distance-calculator.co.uk/world-distances-kuala_lumpur-to-alor_setar.htm we see the distance between KL and Alor Setar is 358.1 km.
The limit on the maximum distance using the speed of light in fibre gives distance=alpha*min_RTT*100km (with alpha=1) or ~ 120km.
Thus I come to the conclusion that the host www.aiu.edu.my is not in Alor Setar. I will disable this host in our database.
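The distance bound used above, as an added example (not PingER's own code): it compares the great-circle distance between the two LATANDLONG values with alpha*min_RTT*100km, and applies the same bound to the RTTs in the "Incorrect result I" table. Directivity is taken here as claimed distance divided by the RTT bound, which is an assumed definition, and the city coordinates for the monitors and database answers are approximate values constructed for the example.

```python
import math

KM_PER_MS = 100.0        # the page's rule: distance = alpha * min_RTT * 100 km
EARTH_RADIUS_KM = 6371.0

def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms, alpha=1.0):
    """Upper bound on distance implied by an RTT (any measured RTT is valid)."""
    return alpha * rtt_ms * KM_PER_MS

def directivity(monitor, claimed, min_rtt_ms):
    """Claimed distance over the RTT bound (assumed definition); > 1 is impossible."""
    return great_circle_km(monitor, claimed) / max_distance_km(min_rtt_ms)

def violated_landmarks(claimed, measurements):
    """Names of monitors whose RTT bound excludes the claimed position."""
    return [name for name, (pos, rtt_ms) in measurements.items()
            if great_circle_km(pos, claimed) > max_distance_km(rtt_ms)]

# Coordinates and min RTT from the page (MY.UM.PINGER -> MY.AIU.EDU.MY).
UM = (3.1601, 101.6910)
AIU_CLAIMED = (6.1356, 100.3905)
AIU_MIN_RTT_MS = 1.2

# RTTs from the "Incorrect result I" table; all coordinates below are
# approximate city centres constructed for this example.
BERLIN_NODE_RTTS = {
    "Stuttgart": ((48.78, 9.18), 14.0),
    "Karlsruhe": ((49.01, 8.40), 20.0),
}
CLAIMS = {
    "Kansas (Geoiptool)": (38.5, -98.0),
    "Washington, DC (IP2Location)": (38.9, -77.04),
    "Berlin (router name)": (52.52, 13.40),
}

if __name__ == "__main__":
    print(f"UM -> AIU claimed {great_circle_km(UM, AIU_CLAIMED):.0f} km, "
          f"bound {max_distance_km(AIU_MIN_RTT_MS):.0f} km, "
          f"directivity {directivity(UM, AIU_CLAIMED, AIU_MIN_RTT_MS):.2f}")
    for label, pos in CLAIMS.items():
        bad = violated_landmarks(pos, BERLIN_NODE_RTTS)
        print(f"{label}: {'ruled out by ' + ', '.join(bad) if bad else 'feasible'}")
```

A location that passes this check is only not contradicted by the RTTs; the bound rules positions out, it does not confirm them.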
www.mib.edu.my
This host is for the Malaysian Institute of Baking. According to the database it is at 3.0997 101.6451. However, www.mib.edu.my is using an external hosting company in Malaysia (Exabytes), and they (Exabytes) seem to have servers in two different locations, one in Penang and another in KL. We are not really sure at which server the website is located. We found that the directivity from UM was >2.
dns.edu.cn
According to NODEDETAILS this is a China Education and Research Network host (CERN) in Beijing. When one looks up China Education and Research Network on Google maps it says it is in Guangzhou, ~ 4300km from Beijing. When one pings the host from v-www.ihep.ac.cn in Beijing the RTT is 1.1km. Thus it is within 101 km (taking a direct path with the speed of light in a fibre).
Haiti
Trying to find hosts to monitor in Haiti, we went to Wikipedia Education in Hawaii. This gave us 4 universities:
- Université Caraïbe (CUC)
- Université d'État d'Haïti (UEH)
- Université Notre Dame d'Haïti (UNDH)
- Université Adventiste d'Haïti (Haitian Adventist University)
Looking at the TULIP and the Maxmind/GeoIpTool results below, it is seen that none are in Haiti, notwithstanding their top level domain of .ht.
Universite Caraibe | Universite D'Etat d'Haiti | Universite Notre Dame d'Haiti | Universite Adventiste d'Haiti |
- Universite Caraibe: GeoIPTool locates the university in California. However, TULIP locates it in Pennsylvania with an uncertainty area that does not include California. It is also interesting that the TULIP uncertainty area is broken into 3 pieces.
- Universite d'Etat d'Haiti: Both TULIP and GeoIPTool locate it in Texas; I tend to believe the GeoIPTool result.
- Universite Notre Dame d'Haiti: GeoIPTool locates the university in France, while TULIP locates it near Austin, Texas with some degree of certainty.
- Universite Adventiste d'Haiti: Both GeoIPTool and TULIP locate the university in Utah. The GeoIPTool location of Salt Lake City is probably the more accurate.
www.lbl.gov
From its name one would expect this web server to be at LBNL in Berkeley, California. However, TULIP locates it in Dallas.
US view of locations for www.lbl.gov | Detail of location for www.lbl.gov |
---|---|
Traceroutes
From SLAC to www.lbl.gov | 9th hop location | Location of 9th hop seen from LBL |
---|---|---|
Traceroute | Traceroute from LBL | Traceroute from Dallas , i.e. host is <404km from Dallas. |
Executing exec(traceroute -m 30 -q 3 173.192.18.140 140) traceroute to 173.192.18.140 (173.192.18.140), 30 hops max, 140 byte packets 7 * * * 13 ae19.bbr01.eq01.dal03.networklayer.com (173.192.18.140) 4.039 ms * * traceroute -m 30 -q 3 173.192.18.140 140 took 11secs. Total time=11secs. |