IP Country origin wrong

Hi,

We have had a new internet connection for a month, and the external IP address of that line is not in the correct country.

We have IP 130.255.171.129 and according to the RIPE database it's in the Netherlands, and that's correct. Only our branch office Sophos XG says the IP is Italian.

Ripe:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '130.255.171.0 - 130.255.171.255'

% Abuse contact for '130.255.171.0 - 130.255.171.255' is 'abuse@artofautomation.net'

inetnum:        130.255.171.0 - 130.255.171.255
netname:        NL-ARTOF4-20210827
country:        NL
org:            ORG-AOAB5-RIPE
admin-c:        AOA30-RIPE
tech-c:         AOA30-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-AOA
created:        2021-08-27T11:15:18Z
last-modified:  2022-11-15T12:07:34Z
source:         RIPE

Sophos XG:



Where does the XG get its info and why is this incorrect?

Bart.


Added v19.5 TAG
[edited by: Erick Jan at 6:16 AM (GMT -8) on 30 Nov 2022]
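A way to make the comparison from this post repeatable, as an added example that is not from the thread or from Sophos: parse the RPSL output of a RIPE query (the format quoted above) and flag the address when the country the firewall reports differs from the registry's `country:` attribute. The sample text is a trimmed copy of the record in the post; the firewall's country is passed in as a constructed value.

```python
from collections import defaultdict

# Constructed sample: the RIPE query output quoted in the post, trimmed.
RIPE_OUTPUT = """\
% This is the RIPE Database query service.
% Information related to '130.255.171.0 - 130.255.171.255'

inetnum:        130.255.171.0 - 130.255.171.255
netname:        NL-ARTOF4-20210827
country:        NL
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-AOA
created:        2021-08-27T11:15:18Z
source:         RIPE
"""

def parse_rpsl(text):
    """Parse RPSL whois output into a list of objects (key -> list of values).
    '%' lines are server comments, blank lines separate objects, and lines
    starting with whitespace or '+' continue the previous attribute."""
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = None, None
            continue
        if raw[0] in " \t+" and current and last_key:
            current[last_key][-1] += " " + raw.lstrip(" \t+").strip()
            continue
        key, sep, value = raw.partition(":")  # split on the first colon only
        if not sep:
            continue  # malformed line; ignore it
        if current is None:
            current = defaultdict(list)
        last_key = key.strip()
        current[last_key].append(value.strip())  # repeated keys accumulate
    if current:
        objects.append(current)
    return objects

def registry_country(text):
    """Country code of the first inetnum/inet6num object, or None."""
    for obj in parse_rpsl(text):
        if ("inetnum" in obj or "inet6num" in obj) and obj.get("country"):
            return obj["country"][0].upper()
    return None

def geoip_mismatch(text, firewall_country):
    """True when the firewall's GeoIP country disagrees with the registry."""
    reg = registry_country(text)
    return reg is not None and reg != firewall_country.upper()
```

The check only surfaces the discrepancy discussed here; the registry record and the firewall's GeoIP database answer different questions, and the last reply below explains why neither is a security control.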
  • Hi  ,

    Thanks for your reply. I will check with them.

    Bart van der Horst


    Sophos XG v18(.5) / v19 Certified Architect
    https://www.bpaz.nl

  • Hi  

    I've got a problem with this. Checked out their website, and it seems to be possible to defeat this system. Say I've blocked Russia from accessing the user portal.

    Someone from Russia can access this site and claim their IP is from, say, Paris; now this service will update their database and the Sophos XG will no longer block that IP.

    So this is not waterproof at all.

    I know this site is more accurate in exact location, but I'm not interested in what city or locality the IP is from; I do want to know what country.

    Shouldn't it be fed by the RIPE DB instead? It's more accurate on provider location.

    Maybe something to think about.

    Bart van der Horst


    Sophos XG v18(.5) / v19 Certified Architect
    https://www.bpaz.nl

  • GeoIP is not a security feature.

    It never was and it never will be.

    And actually, if you want to work around this, you will start a VPN client and easily exploit this system. So GeoIP is something to nail down a reporting database.

    But MaxMind as a vendor has some feedback about their data: https://support.maxmind.com/hc/en-us/articles/4407630607131-Geolocation-Accuracy

    Personally I am not a friend of GeoIP blocking, as I am not seeing the value in it. There are actually 10 ways I can work around this in one second. So what is the point? Some say: to get the noise of the internet to a minimum. Yeah, fair enough, the database is fine for this purpose.

    But if an attacker wants to exploit you, they will not use their real IP in any way; they will use masqueraded IPs, as this is the most secure way for them. And MaxMind claims to do checks for their data as well. They will not simply move this because of somebody claiming the data was not right.

    __________________________________________________________________________________________________________________