How to Catch when Proxies Lie: Verifying the Physical Locations of Network Proxies with Active Geolocation

Internet users worldwide rely on commercial network proxies both to conceal their true location and identity, and to control their apparent location. Their reasons range from mundane to security-critical. Proxy operators offer no proof that their advertised server locations are accurate. IP-to-location databases tend to agree with the advertised locations, but there have been many reports of serious errors in such databases. In this study we estimate the locations of 2269 proxy servers from ping-time measurements to hosts in known locations, combined with AS and network information. These servers are operated by seven proxy services, and, according to the operators, spread over 222 countries and territories. Our measurements show that one-third of them are definitely not located in the advertised countries, and another third might not be. Instead, they are concentrated in countries where server hosting is cheap and reliable (e.g. Czech Republic, Germany, Netherlands, UK, USA). In the process, we address a number of technical challenges with applying active geolocation to proxy servers, which may not be directly pingable, and may restrict the types of packets that can be sent through them, e.g. forbidding traceroute. We also test three geolocation algorithms from previous literature, plus two variations of our own design, at the scale of the whole world

Accurate manipulation of delay-based internet geolocation

Delay-based Internet geolocation techniques are repeatedly positioned as well suited for security-sensitive applications, e.g., location-based access control, and credit-card verification. We present new strategies enabling adversaries to accurately control the forged location. Evaluation showed that using the new strategies, adversaries could misrepre- sent their true locations by over 15000km, and in some cases within 100km of an intended geographic location. This work significantly improves the adversary's control in misrepre- senting its location, directly refuting the appropriateness of current techniques for security-sensitive applications. Wefinally discuss countermeasures to mitigate such strategies