Where Did Korean Original IPs Originate? I’ll Teach You How To Use WHOIS And Routing Information To Locate The City Of Origin Of An IP

2026-06-08 10:11:26

1. Overview: Korean Original IP Sources and Geolocation Challenges

1) Korean ISPs such as KT, SK Broadband, and LG U+ allocate a large number of IPv4/IPv6 addresses, with attribution information centralized in the APNIC, ARIN, and other RIR databases.

2) WHOIS/RDAP records provide the assigning organization, contact information, and network range description, often pointing to an operator rather than a specific city.

3) Routing information (traceroute, BGP AS paths) can show the border nodes where traffic enters South Korea, helping to narrow down the city range.

4) Reverse DNS, HTTP headers, and CDN edge points can also provide geographical clues, but there is a risk of the real source being masked by proxies or CDNs.

5) City-level precision usually requires combining WHOIS data, routing latency, IX node locations, and Internet exchange point information.

2. Tools and Processes: WHOIS, RDAP, traceroute, and BGP Queries

1) WHOIS / RDAP: Query an IP or IP range to obtain fields such as netname, org, country, etc. (APNIC is the main source).

2) traceroute: Perform multiple traceroutes to the target IP from local or remote nodes, recording the number of hops and latency per hop to determine the first hop into South Korea.

3) BGP routing query: Query the origin AS and AS path of the target IP using a looking glass or RIPEstat.

4) Reverse DNS and HTTP headers: Check the PTR record or access the target service to obtain information about the server room/cabinet.

5) Geographic IP database verification: Use MaxMind and IP2Location for comparison, but be aware of errors and database update delays.
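
An added example (not from the original article) that ties steps 1) and 2) together: it maps each traceroute hop to the `country` of its covering WHOIS `inetnum` and reports the first hop registered in KR, with the latency step at that point. The WHOIS objects, traceroute lines and function names are constructed for illustration and use documentation address ranges.

```python
import ipaddress
import re

# Constructed RPSL-style WHOIS objects (documentation ranges, not real allocations).
WHOIS = """inetnum:        203.0.113.0 - 203.0.113.255
netname:        KOREA-EXAMPLE-ISPNAME
country:        KR

inetnum:        198.51.100.0 - 198.51.100.127
netname:        TRANSIT-EXAMPLE
country:        JP"""

# Constructed output in the shape of `traceroute -n -q 1`; hop 4 did not answer.
TRACE = """ 1  192.0.2.1  1.2 ms
 2  192.0.2.9  3.4 ms
 3  198.51.100.5  38.1 ms
 4  * * *
 5  203.0.113.1  71.9 ms
 6  203.0.113.42  72.4 ms"""

def parse_whois(text):
    """Return (network, netname, country) tuples, one per CIDR block of each inetnum."""
    table = []
    for obj in text.strip().split("\n\n"):
        f = dict(re.findall(r"^([\w-]+):[ \t]*(.+)$", obj, re.M))
        first, last = (ipaddress.ip_address(a.strip()) for a in f["inetnum"].split("-"))
        for net in ipaddress.summarize_address_range(first, last):
            table.append((net, f.get("netname", ""), f.get("country", "")))
    return table

def parse_traceroute(text):
    """Return (hop, ip, rtt_ms) for answering hops; '* * *' lines are skipped."""
    pat = re.compile(r"\s*(\d+)\s+(\S+)\s+([\d.]+) ms")
    return [(int(m[1]), m[2], float(m[3])) for m in map(pat.match, text.splitlines()) if m]

def first_hop_in(country, hops, table):
    """First answering hop registered to `country`, with the RTT step from the previous hop."""
    prev = None
    for hop, ip, rtt in hops:
        addr = ipaddress.ip_address(ip)
        hits = [r for r in table if addr in r[0]]
        rec = max(hits, key=lambda r: r[0].prefixlen, default=None)  # longest prefix wins
        if rec and rec[2] == country:
            step = None if prev is None else round(rtt - prev, 1)
            return {"hop": hop, "ip": ip, "netname": rec[1], "rtt_step_ms": step}
        prev = rtt
    return None
```

The `country` field is registration data, so the result marks where traffic enters a Korean operator's address space, not a city; the latency step and IX information still have to narrow it further.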

3. Real Case: Process for Identifying the City of Origin in a DDoS Attack on a VPS Originating from South Korea

1) Event: VPS (public IP: 203.0.113.42, Ubuntu 20.04, 2 vCPU/4GB): sudden spike in traffic, suspected to be from Korean IP addresses.

2) Example WHOIS query (simplified for demonstration; fields are in actual format for reference):

3) The traceroute results and BGP queries show that the traffic enters the AS at hop 6 (for example: ASXXXXX), and the 7th hop reaches the Seoul data center switching node.

4) By combining reverse DNS and HTTP Server response headers, it was determined that the target IP is located in the data center of an ISP in Seoul.

5) Conclusion: The consistency of multi-source information locates the source to a data center in Seoul, rather than other cities.

4. Example Data Table: WHOIS and traceroute Key Hops (Demo)

1) The table below shows example WHOIS fields and traceroute hops for easy comparison.

| Type | Field / hop | Example value |
|---|---|---|
| WHOIS | inetnum | 203.0.113.0 - 203.0.113.255 |
| WHOIS | netname | KOREA-EXAMPLE-ISPNAME |
| WHOIS | country | KR |
| traceroute | hop 5 | 203.0.113.1 (ASxxxx) - Seoul IX |
| traceroute | hop 7 | 198.51.100.25 (ASyyyy) - Seoul DC |

2) The table is in a demonstration format; for actual WHOIS/RDAP examples, please use the APNIC WHOIS interface to query.

5. Examples of Server and Protection Configuration (DDoS and CDN Practices)

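1) Base server: Ubuntu 20.04, Nginx 1.18, 2 vCPU/4GB RAM, public IP: 203.0.113.42.

2) Example of a simple iptables throttling rule (just an example): iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/min -j ACCEPT. This rule only throttles when a later rule or the chain policy drops the packets it does not accept, and the limit match counts all sources together rather than per source.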

3) Use ipset to block an abnormally large number of sources: ipset create blacklist hash:net; iptables -I INPUT -m set --match-set blacklist src -j DROP.

4) Deploy a CDN (such as Cloudflare/Alibaba Cloud CDN) as a front end to hide the source IP and handle high traffic, reducing the risk of the VPS being directly exposed.

5) For high-risk services, it is recommended to use professional DDoS protection (hosted scrubbing or black hole routing, for example Cloudflare Spectrum or ISP cleaning solutions).
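
An added example (not the article's own code) of how the `blacklist` set from item 3) might be populated: it counts requests per IPv4 /24 in an access log and emits `add` lines in the form `ipset restore` reads. The log lines, threshold, allowlist and function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed nginx access-log lines (client address is the first field).
ACCESS_LOG = """\
203.0.113.7 - - [08/Jun/2026:10:00:01 +0900] "GET / HTTP/1.1" 200 612
203.0.113.8 - - [08/Jun/2026:10:00:01 +0900] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [08/Jun/2026:10:00:02 +0900] "GET / HTTP/1.1" 200 612
203.0.113.200 - - [08/Jun/2026:10:00:02 +0900] "GET / HTTP/1.1" 200 612
198.51.100.9 - - [08/Jun/2026:10:00:03 +0900] "GET /index.html HTTP/1.1" 200 612
192.0.2.10 - - [08/Jun/2026:10:00:03 +0900] "GET /health HTTP/1.1" 200 2
192.0.2.10 - - [08/Jun/2026:10:00:04 +0900] "GET /health HTTP/1.1" 200 2
192.0.2.10 - - [08/Jun/2026:10:00:05 +0900] "GET /health HTTP/1.1" 200 2
truncated-line
"""

def heavy_networks(log_text, threshold, prefix=24, allow=()):
    """Count requests per IPv4 /prefix and return the networks at or above
    threshold, skipping any that overlap an allowlisted network."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # blank or malformed line
        if addr.version == 4:
            counts[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)] += 1
    return sorted(n for n, c in counts.items()
                  if c >= threshold and not any(n.overlaps(a) for a in allowed))

def ipset_restore_lines(networks, set_name="blacklist"):
    """One `add` line per network, targeting the hash:net set created in item 3)."""
    return [f"add {set_name} {n}" for n in networks]
```

Without the allowlist the monitoring range 192.0.2.0/24 would also cross the threshold, which is why known-good sources are excluded before anything is written to the set.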

6. Improvement in Positioning Accuracy and Precautions

1) Multi-point measurement: Initiate traceroutes from different regions or cloud nodes to compare latency differences and improve city location accuracy.

2) Note CDN/proxy: CDNs and reverse proxies hide the actual source IP, so analysis must be done in conjunction with origin server logs and WAF records.

3) BGP hijacking or Anycast: Anycast addresses may respond across cities; the operator information shown in WHOIS is more reliable than single-point routing.

4) Partner carriers: Upon confirming illegal activity or ongoing attacks, contact the ISP to which the target IP belongs (the abuse contact in WHOIS) for assistance in gathering evidence.

5) Regular updates: Geographic IP databases and WHOIS information can change; regular verification is required, along with the use of real-time routing data for decision-making.
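
An added example, not part of the original article, of one way to use the multi-point measurements from item 1): each minimum RTT bounds how far the target can be from that vantage point, so candidate cities outside any bound are ruled out. The 200 km/ms fibre speed, the approximate city coordinates, the RTT values and the function names are assumptions of this example.

```python
import math

FIBRE_KM_PER_MS = 200.0  # assumption: light in fibre covers roughly 200 km per millisecond

# Approximate (lat, lon) of the vantage and candidate cities used in this example.
CITIES = {"Seoul": (37.57, 126.98), "Busan": (35.18, 129.08), "Tokyo": (35.68, 139.69)}

def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms):
    """Upper bound on the one-way distance: half the round trip at fibre speed."""
    return rtt_ms / 2 * FIBRE_KM_PER_MS

def feasible_cities(min_rtts, candidates):
    """Keep candidates that lie inside the distance bound of every vantage point.

    min_rtts maps a vantage city name to the lowest RTT (ms) measured from it.
    """
    return [
        name for name in candidates
        if all(great_circle_km(CITIES[v], CITIES[name]) <= max_distance_km(rtt)
               for v, rtt in min_rtts.items())
    ]
```

With only a Tokyo vantage at 30 ms both Seoul and Busan remain feasible; adding a Seoul vantage at 2 ms excludes Busan. The bound can rule cities out but cannot confirm one, so it complements the WHOIS and routing evidence rather than replacing it.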
