1. 21
  1. 4

    Network devices can fake long ping responses but they can’t fake short ones. If an IPv4 address block has WHOIS information stating they’re located in the US but servers in Dubai, Mumbai and Istanbul have ping times of less than 30ms, it is unlikely those addresses are being used in the US.

    I’m assuming you tried to control for IP anycast here? What was your methodology to do that?

    1. 4

      Yep - anycast is really easy to detect with our probe network! If we get ping times from multiple different locations that suggest faster-than-light travel then the IP must be anycast (i.e. exist in more than a single location).

    2. 4

      In addition to anycast mentioned by @owen, I wonder if this implementation is relying on well-behaved ICMP packets (i.e. where the responder doesn’t change the timestamp).

      1. 4

        We’re currently pinging from over 90 nodes, and we do some statistical filtering and cleanup of the data before passing the data to our multilateration pipeline to determine the location. We’re fairly tolerant of noise in the data, but I don’t think we’re hardened against an active adversary at this stage.
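
The anycast check described in the replies above, written out as an added example (not code from the thread or from the project being discussed): each probe's minimum RTT bounds how far away the responder can be, and two probes whose bounds cannot overlap show the address answers from more than one place. Probe coordinates, RTT values and all function names are constructed for illustration; using the vacuum speed of light is an assumption that keeps the bound conservative.

```python
import math
from itertools import combinations

C_KM_PER_MS = 299.792458   # vacuum speed of light; real paths are slower, so bounds are conservative
EARTH_RADIUS_KM = 6371.0

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_radius_km(min_rtt_ms):
    """Farthest the responder can be from a probe: half the RTT at light speed."""
    return min_rtt_ms / 2 * C_KM_PER_MS

def anycast_violations(probes):
    """Return probe pairs whose feasible regions cannot overlap (single location impossible)."""
    pairs = []
    for (n1, (p1, r1)), (n2, (p2, r2)) in combinations(sorted(probes.items()), 2):
        if great_circle_km(p1, p2) > max_radius_km(r1) + max_radius_km(r2):
            pairs.append((n1, n2))
    return pairs

def location_feasible(claimed, probes):
    """True if a claimed (lat, lon) lies inside every probe's light-speed bound."""
    return all(great_circle_km(claimed, pos) <= max_radius_km(rtt)
               for pos, rtt in probes.values())

# Constructed sample data: name -> ((lat, lon), minimum RTT in ms over many pings).
# The minimum is used because delay can be added to a reply but not removed.
REGIONAL = {"dubai": ((25.20, 55.27), 28.0),
            "mumbai": ((19.08, 72.88), 29.0),
            "istanbul": ((41.01, 28.98), 27.0)}
ANYCAST = {"frankfurt": ((50.11, 8.68), 4.0),
           "singapore": ((1.35, 103.82), 4.0),
           "sao_paulo": ((-23.55, -46.63), 4.0)}
NEW_YORK = (40.71, -74.01)   # stands in for a US location claimed in WHOIS

if __name__ == "__main__":
    print("regional violations:", anycast_violations(REGIONAL))
    print("US claim feasible:", location_feasible(NEW_YORK, REGIONAL))
    print("anycast violations:", anycast_violations(ANYCAST))
```

The pairwise test only rules a single location out; an empty result means the measurements are consistent with one site, not that anycast is excluded.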