top | item 46841644

(no title)

lopoc | 1 month ago

Nice work! I presented similar research at DEFCON 31 - 'You Can't Cheat Time: Finding foes and yourself with latency trilateration' https://youtu.be/_iAffzWxexA

though with some key differences that address the limitations mentioned in the thread. The main issue with pure ping-based geolocation is that: IPs are already geolocated in databases (as you note) Routing asymmetries break the distance model Anycast/CDNs make single IPs appear in multiple locations ICMP can be blocked or deprioritized My approach used HTTP(S) latency measurements (not ping) with an ML model (SVR) trained on ~39k datapoints to handle internet routing non-linearity, then performed trilateration via optimization. Accuracy was ~600km for targets behind CloudFront - not precise, but enough to narrow attribution from "anywhere" to "probably Europe" for C2 servers. The real value isn't precision but rather: Detecting sandboxes via physically impossible latency patterns Enabling geo-fenced malware Providing any location signal when traditional IP geolocation fails Talk: https://youtu.be/_iAffzWxexA"

discuss

rixed|29 days ago

FYI, speed of light in fiber is much less than 300Mm/s.

  a simple rule of thumb is that a signal using optical fiber for communication will travel at around 200,000 kilometers per second

-- https://en.wikipedia.org/wiki/Optical_fiber

tylervigen|29 days ago

I suppose if your goal was to not be found, you could "cheat time" by implementing a random delay on all outgoing packets. The second iteration of this would be to spoof latency based on where you want to appear to be, by creating rules for intentional latency based on the source of the ping.

lopoc|28 days ago

yes but you cannot appear nearer than where you actually are!

it's the law!

TLDR latency tell you where someone for sure is not!