Why Geo-IP data can mislead you and what to use instead

What is a Geo-IP database?

Ever wondered where your network traffic is coming from or going to? Many network operators today rely on Geo-IP databases to answer these questions. A Geo-IP database is a collection of data that links IP addresses to their corresponding geographic locations. Geo-IP databases usually provide information such as country, region, city, ZIP code, latitude and longitude, and sometimes more specific details such as the ISP name and the type of connection (DSL or mobile).

There are several Geo-IP databases available, such as MaxMind, IP2Location, IPgeolocation, IPinfo and NetAcuity. The accuracy of a commercial database differs significantly from that of a free version, since the features and the updates that come with it vary greatly depending on the version type.

How is IP to location mapping done?

IP to location mapping is a continuous, multi-source data enrichment process that leverages a combination of methods and data sources to assign geographic identities to IP address ranges. Some of the sources are as follows:

  1. Internet Service Provider (ISP) assignment – ISPs allocate IP addresses to users based on service areas. When an ISP assigns a range of IPs in a specific region, those IPs are mapped to that location in the geolocation database.
  2. Public registry records – Regional Internet Registries (RIRs), such as RIPE NCC, APNIC & LACNIC, maintain records of IP address allocations. These records usually identify which ISPs have been assigned specific IP blocks, often including their registered addresses.
  3. Network routing & topology – Physical internet infrastructure and routing information help estimate locations. Data about how networks route traffic (such as traceroutes) can indicate where an IP is likely hosted.
  4. Data mining and user contributions – Some databases leverage information from websites when users voluntarily provide location data, e.g. during account registration. This user input is then associated with their IP addresses for added accuracy.
  5. Active geolocation techniques – Pinging an IP from multiple servers worldwide and using the response times to estimate the user’s physical location. This technique is known as multilateration, and it improves accuracy to the city or postal code for some addresses.
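
The RTT-based estimate from item 5, as an added example (not code from the article or from any geolocation vendor): each round-trip time caps how far the target can be from that probe, and only the candidate cities inside every circle remain. This is a constraint-based simplification of multilateration; the probe sites, RTT values and the 200 km/ms fibre speed are constructed assumptions.

```python
import math

FIBRE_KM_PER_MS = 200.0  # assumption: signal speed in fibre, about 2/3 of c

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms):
    """The one-way trip takes at most rtt/2, which caps the distance."""
    return rtt_ms / 2 * FIBRE_KM_PER_MS

def feasible_locations(probes, candidates):
    """Map each candidate inside every probe's circle to its tightest margin (km)."""
    result = {}
    for name, pos in candidates.items():
        slack = min(max_distance_km(rtt) - haversine_km(probe_pos, pos)
                    for probe_pos, rtt in probes.values())
        if slack >= 0:
            result[name] = slack
    return result

# Constructed measurements: probe -> ((lat, lon), lowest RTT in ms to the target)
PROBES = {
    "Amsterdam": ((52.37, 4.90), 6.6),
    "Warsaw": ((52.23, 21.01), 6.0),
    "Munich": ((48.14, 11.58), 5.6),
    "Stockholm": ((59.33, 18.07), 10.0),
}
# Candidate answers a database might return for the target IP
CANDIDATES = {
    "Berlin": (52.52, 13.40),
    "Dresden": (51.05, 13.74),
    "Bremen": (53.08, 8.80),
    "Frankfurt": (50.11, 8.68),
}

if __name__ == "__main__":
    for city, slack in feasible_locations(PROBES, CANDIDATES).items():
        print(f"{city}: consistent with all RTTs (tightest margin {slack:.0f} km)")
```

Two cities well over 100 km apart both survive the constraints, which is why delay measurements alone rarely pin an address to one city.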

When do you use a Geo-IP database?

Geo-IP databases are widely used for web analytics or targeted content/ads. The next time you use a Starbucks Wi-Fi and get an ad for a store that you just walked past, don’t be surprised. In the telecommunications world, network operators generally use Geo-IP location to optimize and manage their network. Some of the widely known use cases are:

  1. Traffic routing & load balancing – Geo-IP data helps direct user traffic through the most efficient or regionally relevant routers and infrastructure, reducing latency and improving service quality.
  2. Capacity planning – Understanding where users are densely concentrated enables ISPs to allocate resources, plan infrastructure upgrades and optimize peerings in regions with high demand.
  3. Anomaly detection – Rapidly identifying access from unexpected geographies can flag potentially fraudulent account activity or security breaches.
  4. DDoS detection & mitigation – Geo-IP can filter or block malicious traffic from specific countries or regions, reducing spam and DDoS attacks.
  5. Regulatory compliance – ISPs can enforce region-based policies and also fulfil legal obligations regarding customer data storage and access based on end-users’ location.

Limitations of Geo-IP databases

Let’s take the first use case – traffic routing – and look at it more closely. Geo-IP databases work reasonably well when identifying where user traffic originates from and are reliable for country-level detection and broad regional insights. However, some operators also use these databases to correlate flow data with the physical location of subnets within their own network to determine where a specific customer’s traffic is coming from. While operators typically already know where their infrastructure and customer allocations are located based on internal records, that information often lives in separate static inventories that aren’t easily integrated into flow analysis tools. As a result, they turn to Geo-IP data to fill that gap. The problem? Although the accuracy is typically high (90-99%) at country level, it drops significantly, to 43% [1], for city-level detection. Precision is usually better in large, urbanized areas but considerably worse in small towns or rural regions, and the databases may revert to the nearest major city, sometimes missing suburbs or towns. We ran a small comparison of our own, looking up a Berlin IP address in some of these databases to test the accuracy, and the results are striking.

ipgeolocation predicts that the IP is in Bremen, some 400 km away from Berlin.
ipinfo is the most accurate of all, predicting Berlin and almost the correct district too.
dbip predicted the same IP to be in Frankfurt, 550 km from Berlin.

There are many factors contributing to the inaccuracies. Cellular networks and mobile IPs often have much lower localization accuracy compared to broadband or Wi-Fi. Errors of tens or even hundreds of kilometers [2] are common for mobile users. Secondly, the use of VPNs, proxies, carrier-grade NAT and, very recently, Apple Private Relay further obscures the true location, resulting in greater inaccuracies. From our experience in analyzing data from 25+ networks, we often see the same IP block being used across multiple regions or cities because frequent changes in network topology lead to IP block reassignment. External databases can become outdated quite quickly, and their reliability is questionable unless updates are more frequent. Lastly, privacy regulations may restrict access to certain information, impacting the completeness or refresh rate of data, especially in strict jurisdictions. This makes it risky to rely on Geo-IP for regional-level insights, especially when misclassification can lead to wrong decisions about peering, routing, or capacity planning.
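
What this uncertainty means for the anomaly-detection use case, as an added example (not from the original article): an "impossible travel" check over consecutive logins of one account, evaluated once naively and once after discounting each record's error radius. The coordinates, timestamps, the `radius_km` field and the 900 km/h ceiling are constructed assumptions.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed

def distance_km(a, b):
    """Equirectangular approximation for (lat, lon) points; fine within a continent."""
    x = math.radians(b[1] - a[1]) * math.cos(math.radians((a[0] + b[0]) / 2))
    return 6371.0 * math.hypot(x, math.radians(b[0] - a[0]))

def impossible_travel(prev, cur, max_speed_kmh=MAX_SPEED_KMH):
    """Return (naive_alert, radius_aware_alert) for two logins of one account."""
    hours = abs((cur["ts"] - prev["ts"]).total_seconds()) / 3600
    reachable = max_speed_kmh * hours
    d = distance_km(prev["pos"], cur["pos"])
    # Each reported position may be off by its error radius, so the user only
    # *must* have covered the distance that remains after subtracting both.
    d_min = max(0.0, d - prev["radius_km"] - cur["radius_km"])
    return d > reachable, d_min > reachable

# Constructed logins; radius_km is a hypothetical per-record error estimate.
BERLIN_FIXED = {"ts": datetime(2025, 1, 6, 9, 0),
                "pos": (52.52, 13.40), "radius_km": 20}
# Ten minutes later, a mobile IP that the database places in Frankfurt.
MOBILE_MISLOCATED = {"ts": datetime(2025, 1, 6, 9, 10),
                     "pos": (50.11, 8.68), "radius_km": 500}
# Thirty minutes later, a fixed-line IP placed in Madrid with a small radius.
MADRID_FIXED = {"ts": datetime(2025, 1, 6, 9, 30),
                "pos": (40.42, -3.70), "radius_km": 20}

if __name__ == "__main__":
    print(impossible_travel(BERLIN_FIXED, MOBILE_MISLOCATED))  # naive fires, aware does not
    print(impossible_travel(BERLIN_FIXED, MADRID_FIXED))       # both fire
```

A suppressed alert is better recorded as low confidence than as cleared, because a large error radius hides real movement as well as false movement.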

A better alternative: ingress-egress router-based geo-location

Specifically for the routing and capacity-planning use cases, BENOCS Analytics takes a fundamentally different approach than relying on external Geo-IP databases: we use what your network actually sees.

BENOCS collects and cross-correlates data from standardized network protocols, including BGP, Flow, SNMP, IGP, and DNS, directly from the operator’s infrastructure. Leveraging our proprietary data-processing engine, we visualize this information in an intuitive multi-dimensional Sankey diagram, with up to twelve traffic dimensions, including but not limited to Source, Handover, Ingress, Egress, Nexthop, and Destination dimensions.

Six-dimensional view of the internet traffic ingressing and egressing an operator's network

This visualization allows you to trace the full journey of a packet, from where the traffic originates (Source AS) to where it terminates (Destination AS) – all grounded in your actual routing and flow data, not approximations.

Flow data is collected at the ingress interface of all internet-facing edge routers. When combined with BGP information, we can infer the forwarding path, including the corresponding egress routers, both of which are displayed within the Sankey’s respective dimensions.

To take it even further, BENOCS enables you to tag and group these routers by city, country, region, or custom groupings, making traffic analysis geographically meaningful and accurate.

Grouping ingress routers by city, region, or vendor

This gives you a precise and actionable view of traffic exchange between locations in your network. You’re not relying on a third party’s guess: you’re seeing real, topologically and geographically grounded data from your own routers. Why settle for outdated or inaccurate geolocation databases when your network already holds the truth? Also, the geolocation of an IP might be very different from the location of your egress router, which is the last point at which your network sees the packet.
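
The correlation described in this section, as an added example that is not BENOCS code: each flow record names its ingress router, a longest-prefix match of the destination against the BGP table yields the egress router, and operator-assigned tags turn both into cities. Router names, prefixes (documentation ranges), tags and byte counts are constructed, and mapping a prefix straight to an egress router is a simplifying assumption.

```python
import ipaddress
from collections import Counter

# Constructed BGP view: (prefix, egress router the best path exits through).
RIB = [(ipaddress.ip_network(p), r) for p, r in [
    ("203.0.113.0/24", "edge-fra-1"),
    ("203.0.113.128/25", "edge-ham-1"),  # more specific, wins for .128-.255
    ("198.51.100.0/24", "edge-ber-2"),
]]
# Operator-maintained tags for hypothetical router names.
ROUTER_CITY = {"edge-ber-1": "Berlin", "edge-ber-2": "Berlin",
               "edge-fra-1": "Frankfurt", "edge-ham-1": "Hamburg"}
# Constructed flow records as exported at the ingress interface.
FLOWS = [
    {"ingress": "edge-ber-1", "dst": "203.0.113.10", "bytes": 1500},
    {"ingress": "edge-ber-1", "dst": "203.0.113.200", "bytes": 4000},
    {"ingress": "edge-fra-1", "dst": "198.51.100.7", "bytes": 900},
    {"ingress": "edge-ber-2", "dst": "203.0.113.20", "bytes": 500},
    {"ingress": "edge-ham-1", "dst": "192.0.2.1", "bytes": 700},  # no route
]

def egress_router(dst, rib):
    """Longest-prefix match of the flow destination against the BGP table."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, router) for net, router in rib if ip in net]
    return max(hits)[1] if hits else None

def city_matrix(flows, rib, tags):
    """Sum bytes per (ingress city, egress city) pair."""
    matrix = Counter()
    for flow in flows:
        src = tags.get(flow["ingress"], "untagged")
        out = egress_router(flow["dst"], rib)
        dst = "unrouted" if out is None else tags.get(out, "untagged")
        matrix[(src, dst)] += flow["bytes"]
    return matrix

if __name__ == "__main__":
    for (src, dst), total in sorted(city_matrix(FLOWS, RIB, ROUTER_CITY).items()):
        print(f"{src} -> {dst}: {total} bytes")
```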

When accuracy matters, trust your network

Geo-IP databases offer a convenient, quick-glance view of where traffic might be coming from, and for many applications, that’s good enough. But when you’re a network operator responsible for making high-stakes decisions about traffic engineering, capacity planning, or routing optimization, “good enough” simply isn’t.

As we’ve seen, Geo-IP data can be outdated, inaccurate at city-level, and increasingly unreliable due to VPNs, mobile networks, and evolving topologies. It’s a blunt tool for what should be a precise task.

At BENOCS, we believe that your network already contains the most reliable source of truth. By analyzing real-time BGP, Flow, and IGP data directly from your own routers, we empower you to see not just where your traffic might be coming from but where it actually enters and exits your infrastructure. With this ground-truth visibility, you gain clarity, confidence, and control over your network’s geographic traffic flows – no guesswork required.

So the next time you’re questioning where your traffic comes from, don’t ask a third-party database. Ask your network. It knows.

References:

  1. Should we trust the geolocation databases to geolocate routers: https://blog.apnic.net/2017/11/03/trust-geolocation-databases-geolocate-routers/
  2. Location accuracy of commercial IP address Geolocation Databases: https://itc.ktu.lt/index.php/ITC/article/view/14451