by mohitmun 2646 days ago
How do tools like this work? Is it triangulated by pinging from different locations?

This very likely uses whois/IRR entries and some heuristics to make sense of them. Thus, it is more about which ISP an IP address block belongs to rather than who the physical end user is.

    q3k@anathema ~ $ whois 185.236.240.1 | egrep '(address|org-name)'
    org-name:       Stowarzyszenie "Warszawski Hackerspace"
    [...]
    address:        Warszawa

    q3k@anathema ~ $ curl -s https://ip-api.io/json/185.236.240.1 | jq .organisation,.country_name
    "Stowarzyszenie Warszawski Hackerspace"
    "Poland"

However, this generally doesn't work for multinational ISPs that have blocks in different countries. For instance, take this Google IP address that I got when I spun up a VM in their Belgium DC:

    q3k@anathema ~ $ curl -s https://ip-api.io/json/104.155.39.247 | jq .organisation,.country_name
    "Google LLC"
    "United States"

From what I understand, which admittedly is not much, I believe it is actually a database lookup service that references sections of, or perhaps the whole, IP that has been previously recorded as from country X.

I think countries themselves have ranges of IPs allocated to them, but again, not my area of expertise.

No, countries don't have ranges allocated to them. RIRs (ARIN, RIPE, AFNIC, APNIC) do, and then they distribute those blocks to LIRs (ISPs) in their coverage area. However, now with IPv4 block exhaustion, it's common to port old PI v4 address space across RIRs, or for RIRs to donate blocks to each other, so there isn't any guarantee about address mapping to continents even.

You can always use `whois` on an IP address from a command line to get all the public records about it that you need. This will have information about the RIR, LIR, and potentially end-user of the block.

Ah I see, interesting, thanks!
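
The kind of whois-based heuristic the comments above describe, as an added example that is not part of the thread and not ip-api.io's code: it parses a RIPE-style whois record and reports the registrant and the country declared in the registry, which identifies the block holder rather than the physical user. The sample record and the names `parse_rpsl` and `guess_owner` are constructed for illustration.

```python
# Constructed RIPE-style (RPSL) whois text for the documentation range
# 192.0.2.0/24; every value below is made up for this example.
SAMPLE_WHOIS = """\
% constructed sample, not real registry output

inetnum:        192.0.2.0 - 192.0.2.255
country:        PL
org:            ORG-EX1-RIPE

organisation:   ORG-EX1-RIPE
org-name:       Example Hackerspace Association
address:        1 Example Street
                00-001 Warszawa
address:        POLAND
"""

def parse_rpsl(text):
    """Split whois text into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):        # server remarks
            continue
        if not line.strip():                   # blank line closes an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:    # continuation of last value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line[1:].strip()).strip())
        else:
            key, _, value = line.partition(":")
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def guess_owner(text):
    """Hypothetical heuristic: registrant name and declared country."""
    found = {"organisation": None, "country": None, "address": []}
    for obj in parse_rpsl(text):
        kind = obj[0][0]                       # first attribute names the object
        for key, value in obj:
            if kind == "organisation" and key == "org-name":
                found["organisation"] = value
            elif kind == "organisation" and key == "address":
                found["address"].append(value)
            elif kind in ("inetnum", "inet6num") and key == "country":
                found["country"] = value.upper()   # what the registrant declared
    return found
```

Other registries format their whois output differently, so a real lookup needs a parser per registry.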