January 29, 2009

Tracking you down by your IP Address

I am a huge fan of crime dramas on TV. Shows like CSI and NCIS are 2 of a short list of things I actually make sure I watch on TV (House MD is another...but that has nothing to do with this post). But one of my biggest pet peeves when watching these shows is that every single time anyone does anything on a computer that is remotely criminal, the "tech" of the team hops on to their computer and, with a few keystrokes, has tracked down this person using their IP address and has a map to their house all laid out on their screen in a matter of seconds. So today I wanted to clarify a little on what is and is not possible as far as tracking down people by their IP address.

The first thing we need to talk about are the 2 basic categories of IP addresses: Public IP addresses and Private IP addresses. Private IP addresses are essentially a block of possible IP addresses that are used on internal networks (i.e. networks not directly reachable on the Internet). Every computer in your home that is connected to a router or hardware firewall is using a private IP address, as are the vast majority of computers and servers in the workplace. Then how are you able to get to the Internet? Well, your router (or the router in your workplace) has a Public IP address. IP addresses are limited in supply, and because there is a finite number of them, it wouldn't make sense to give every computer one, so routers are designed to take 1 public IP and allow dozens, or even hundreds, of computers to use private IP addresses and appear on the Internet as a single public IP through a technology known as NAT (Network Address Translation). This can be somewhat confusing, so I'll get to the point: if you are being tracked down by your IP, it will be by your public IP address, not your private IP.

Next we need to talk about how IP addresses are assigned to people and companies. Public IPs are assigned both statically (where the same person has the same IP all the time) and dynamically (where the IP changes on a somewhat regular basis). Most businesses use static IP addresses. This means when they sign up for their Internet connection, they are given an IP address and they continue to use that one until their ISP says otherwise. They do this so businesses can set up things like servers or remote connections to their office without trouble: the IP doesn't change, so it's basically easier to find them on the Internet. Home Internet connections, on the other hand, are assigned IP addresses dynamically. This is done because it is much easier to maintain and support than static IP addresses, and because home users don't really have a need for a static IP address.

So now we have a basic understanding of what kinds of IP addresses are available, and how they are assigned. Now for the real question: Can you be tracked by your IP? The answer is YES....BUT, and this is an important but, it's not as easy as it looks on TV.

A business with a static IP address is actually relatively easy to find using one of the many GeoIP databases available for free or by paid subscription (the paid ones tend to be far more accurate), but even these are frequently wrong if the IP isn't registered properly. So if you did something at work, a person may be able to track your company down pretty quickly, but that would be the end of the trace, and in most cases the address they get is the billing address for the company, which is usually a central office.

Home users (with dynamic addresses) are a whole other story. If you were to track down an IP address that is assigned dynamically, the best you are going to do is get the ISP and MAYBE the city it is coming from (right now my IP is listed as being in Chicago...I'm in Hawaii) so in 30 seconds law enforcement will not be tracking me down by my IP address. BUT they can still track me, and this is how.

  1. The agency trying to track me would get my IP address
  2. They would see who the registered owner of my IP is (my ISP)
  3. Assuming they have cause, they would go to my ISP and ask who was assigned my IP address on a specific date
  4. The ISP then references their logs (and yes, they keep logs and are required to do so by law) and sees which account was using that IP address at the given time
  5. Your ISP now just checks the address listed on your account (and also the name) and hands it over.

Now, depending on the ISP and their motivation (i.e. who's asking for it), this could take a few minutes (a highly optimistic time frame that assumes the people looking for you have direct access to the logs and the ISP is highly cooperative) or a few days (much more likely for most low-risk cases like copyright infringement).
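As an added illustration of step 4 above (this is example code, not anything from the original post or any ISP's real system): a small Python script that turns a constructed ISP lease log into "who held which IP from when to when" intervals and answers the question the agency actually asks. The log format, the account ids and the 203.0.113.x addresses are all made up; it also shows why the request needs a time of day, not just a date, because the same dynamic IP changes hands within a single day.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of an ISP lease log (DHCP/RADIUS style). The addresses come
# from the 203.0.113.0/24 documentation range and the account ids are made up.
LEASE_LOG = """\
2009-01-29T08:15:00Z ASSIGN 203.0.113.45 acct=ACCT-1001
2009-01-29T09:00:00Z ASSIGN 203.0.113.46 acct=ACCT-3310
2009-01-29T14:02:00Z RELEASE 203.0.113.45 acct=ACCT-1001
2009-01-29T14:30:00Z ASSIGN 203.0.113.45 acct=ACCT-2042
"""

Lease = Tuple[datetime, Optional[datetime], str, str]  # (start, end, ip, account)


def parse_ts(s: str) -> datetime:
    # Log timestamps are UTC; any query time must be converted to UTC as well.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_lease_log(text: str) -> List[Lease]:
    """Turn ASSIGN/RELEASE events into closed (or still-open) lease intervals."""
    open_leases: Dict[str, Tuple[datetime, str]] = {}
    leases: List[Lease] = []
    for line in text.splitlines():
        ts, event, ip, acct_field = line.split()
        when = parse_ts(ts)
        acct = acct_field.split("=", 1)[1]
        if event == "ASSIGN":
            # A new assignment implicitly ends a lease the log never released.
            if ip in open_leases:
                start, old_acct = open_leases.pop(ip)
                leases.append((start, when, ip, old_acct))
            open_leases[ip] = (when, acct)
        elif event == "RELEASE" and ip in open_leases:
            start, _ = open_leases.pop(ip)
            leases.append((start, when, ip, acct))
    for ip, (start, acct) in open_leases.items():
        leases.append((start, None, ip, acct))  # still assigned at end of log
    return leases


def who_had_ip(leases: List[Lease], ip: str, at: str) -> Optional[str]:
    """Return the account holding `ip` at time `at` (ISO-8601 UTC), or None."""
    t = parse_ts(at)
    for start, end, lease_ip, acct in leases:
        if lease_ip == ip and start <= t and (end is None or t < end):
            return acct
    return None


if __name__ == "__main__":
    leases = parse_lease_log(LEASE_LOG)
    print(who_had_ip(leases, "203.0.113.45", "2009-01-29T14:15:00Z"))  # None: between leases
```

Asking "who had 203.0.113.45 on January 29" gets two different answers depending on the hour, and nobody at all for the gap between the release and the next assignment.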

The problems with tracking people by their IP:

  1. The most you will get from an IP alone is the registered owner and billing address.
  2. Even if you get to the location, you don't know who was actually on the computer (which is why groups like the RIAA resort to threats at first, hoping for a settlement. Gathering the real info needed to accuse a specific person takes a lot more time and energy than sending a canned threat to the registered user of an IP).
  3. Using things like proxies makes this tracking significantly harder, because the IP the person trying to track you sees is not really the IP you are connected from. A proxy is essentially a middle man in an Internet connection that you route all traffic through to mask your actual IP info. So the address the people see is the proxy's, not the real one being used. To get the real IP, you need to get the logs from the proxy server and see what the real one is. Many proxies used for illegal activity are outside of US jurisdiction, typically in countries that aren't too big on cooperating with us, or are placed unknowingly on random people's computers via a virus.

So now you know what can and can't be done with an IP address. What you see on TV is based in fact, but like most things on TV, is made to look much cooler and easier than it actually is.

Fun Fact: The IP addresses that are shown on most TV shows are not valid IP addresses. Unlike phone numbers (which have a defined block that can be used on TV so that people don't call them and bother others), IP addresses don't have this, so people just make them up. A real IP address looks like this: (this is one of Google's in case you are wondering). Each octet (the sections separated by the .) will contain a number ranging from 1 - 255 and that's all, so the next time you see one on TV that looks like this: 413.295.8.004, you know it's fake. This is done so people don't try connecting to the IP address being shown, although I'm not sure why they don't just use a private IP instead of a fake one.
