paint-brush
A Comprehensive Guide to Geolocation APIs for Cybersecurity Professionalsby@WhoisXMLAPI
2,946 reads
2,946 reads

A Comprehensive Guide to Geolocation APIs for Cybersecurity Professionals

by WhoisXML APISeptember 9th, 2019
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

The ability to know the physical location of a person or network entity based on the information behind its IP address is a key feature that organizations have been leveraging for some time now. Cybersecurity is another sector that can strongly benefit from its capabilities, notably to keep track of cybercriminals’ activities and their whereabouts for better threat detection and prevention. This article takes an in-depth look at the best IP geolocation APIs out there with screenshots for cybersecurity professionals and provides an overview of what these products have to offer.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - A Comprehensive Guide to Geolocation APIs for Cybersecurity Professionals
WhoisXML API HackerNoon profile picture

Geolocation has long been linked to business. In fact, the ability to know the physical location of a person or network entity based on the information behind its IP address is a key feature that organizations have been leveraging for some time now.

Is that really so? You have probably come across a few by-products of this technology whether you noticed it or not in your daily life — e.g., location-aware apps, targeted advertisements, and customized e-commerce content.

However, IP geolocation is not only about online sales and advertising. Cybersecurity is another sector that can strongly benefit from its capabilities, notably to keep track of cybercriminals’ activities and their whereabouts for better threat detection and prevention.

This article takes an in-depth look at the best IP geolocation APIs out there with screenshots for cybersecurity professionals and provides an overview of what these products have to offer. But before getting to that, let’s first review why geolocation is so relevant for running adequate cybersecurity operations nowadays and the important criteria you need to select the right product.

Table of contents:

  • The relevance of IP geolocation for cybersecurity
  • Criteria for choosing an IP geolocation API
  • Understanding the product landscape
  • Provider 1: geoipify.whoisxmlapi.com
  • Provider 2: geo.ipify.org
  • Provider 3: IPInfo.io
  • Provider 4: DB-IP.com
  • Provider 5: IP2Location.com
  • Provider 6: IPData.co
  • Provider 7: IPGeolocation.io
  • Provider 8: Ipapi.com
  • Provider 9: IPStack.com
  • Provider 10: ClearIP.io
  • Provider 11: IPWhois.io
  • Concluding thoughts

The Relevance of IP Geolocation for Cybersecurity

Why would you want to get started with an IP geolocation API? It’s no secret that the current digital landscape is harsh with restless malicious entities and cyberattacks that continually hit businesses, systems, and users. From the hacking of corporate networks and stealing and selling of sensitive information on black markets to data breaches that affect not only the online but also the physical wellbeing of people, attacks continue to grow in scope and put everyone’s activities online at risk.

With the objective of preventing and stopping these harmful acts, several types of cybersecurity professionals — including threat hunters, incident response specialists, penetration testing experts, and cybersecurity analysts — find geolocation handy.

So how can the technology give an edge more specifically? By performing a lookup on a certain IP address, geolocation data can supply experts with crucial indicators to verify dubious entities on the Internet as the information disclosed about a person or organization behind a device includes the city, country, state, time zone, coordinates, and more.

Use cases of IP geolocation in cybersecurity

There are many applications for IP geolocation in cybersecurity today. For instance, geodata can be used in dealing with intruders who have found a way to enter a company’s network. One method of accomplishing this is by cross-examining current geolocation details of suspicious remote users and visitors to unveil irregularities in profile information. If a mismatch has been confirmed and a trespasser is discovered, restrictions can then be implemented to stop further access to sensitive data or applications.

Figuring out the entry point of a cyberattack is something that has always been a challenge in the industry as it is. The good news is that since IP geolocation APIs take into account the coordinates of users, they can be employed to trace back where a threat is coming from and identify its source of action. From there, specialists can decide to apply threat intelligence techniques to map out other entities connected to the target and highlight possibly malicious associates.

Knowing the origins of an act of cybercrime is also important because it gives solid proof to perform further analysis. Once these threats have been verified, professionals can carry out counterattacks to impede and stop them from causing more harm. Additionally, they can use the data from IP geolocation to cross-link verified intrusions with traffic information that can be verified.

Another way that this technology can be employed is in combating online fraud and identity theft which cause staggering financial losses each year and affect millions of individuals worldwide. Indeed, stolen credit card information is among the most common consequences whenever data breaches occur.

IP geolocation can help here as it allows cybersecurity experts to compare suspect IP addresses with past billing details of legitimate customers. Any discrepancy that is revealed at this stage — especially when orders are made from questionable locations — can then be flagged for a more in-depth review.

IP geolocation can also be leveraged to stay protected from spam or suspicious mail. To check whether a message is sent by the real person or not, cybersecurity personnel can perform geo IP searches to gather and analyze all sorts of location-based data on users. This feature enables the geo-blocking of certain IP addresses coming from places that are considered to be high risk. This reduces the probability of dangerous emails reaching the organization, and thus minimizes vulnerabilities.

Criteria for Choosing an IP Geolocation API

“One size fits all” does not exist with this product category. Instead, cybersecurity professionals need to select an IP geolocation API in a wise way as not all the products on the market are equal. There are several aspects which you need to consider among which the ones below:

1. Coverage

First things first, it’s crucial to know what coverage a solution offers to its clients — that is the number of IP addresses under scrutiny and monitored for a given region, country, etc. and the accuracy level. That matters for cybersecurity applications which rely on precision and timeliness for counteracting cybercriminals from different places. Therefore, it’s important to account for the fact that some IP geolocation providers specialize in supplying accurate information for locations in the US while others might do so in Europe or other regions.

2. Compatibility

Most organizations typically plan to integrate an IP geolocation API with their new or existing security systems. This means that specialists need to consider which programming languages are supported, whether the databases are available in different formats, and if standardized responses can be enabled — allowing for streamlined operations and saving precious time while dealing with cybersecurity threats.

3. Reliability

Cybersecurity experts should also know how trustworthy an API might be before committing time and money into it. Some factors to consider in terms of reliability can include response time, how often the software experiences unavailability, and if customer service teams can provide prompt support. Constant and easy access to all services is another crucial aspect to bear in mind as cybersecurity specialists are expected to respond immediately to threat events.

4. Documentation

Lastly, the documentation offered by a provider is another key criterion. These files provide assistance in getting started, teach how to use features, explain how to address issues, and contain other tips and tricks. This material can be presented as user guides, instruction manuals, or FAQs.

Understanding the Product Landscape

As mentioned earlier, not all IP geolocation APIs are from the same breed. Some might focus on providing data variety, whereas others have fewer but more accurate output fields. What’s more, some solutions offer functionality that cybersecurity specialists will find useful while other products may be more suited to other professions and use cases.

For instance, certain cybersecurity tasks don’t necessitate getting details on a target address like a suspect’s ZIP code but require accurate latitude and longitude information. Another example is when experts may not be interested in the timezone of the target but might want to learn about the organization and the ISP behind the IP address to run an investigation.

Aside from that, some providers offer complementary services such as access to a WHOIS database download service or threat intelligence analysis, which, when combined with IP geolocation data, can help strengthen and streamline cybersecurity operations.

With a better understanding of the current product landscape, here is a non-exhaustive list of the major IP geolocation providers for you to check out.

Provider 1: ip-geolocation.whoisxmlapi.com/api

Coverage

WhoisXML API gathers its data from numerous entities which it has legal agreements established with. Among their sources are major ISPs who are already familiar with the IPs they own and allocate and can provide more precise data on corresponding networks and devices if necessary. This process often translates to more comprehensive results and higher IP geolocation accuracy compared with that offered by other platforms and services.

The company claims to cover 99.05% of the IP space today, which includes both IPv4 and IPv6 addresses. Its output includes country, region, city, postal code, latitude and longitude, postal code, timezone, an array of domains associated with an IP, as well as the data on the Autonomous System for IPv4.

In terms of recently-added functionality, the API’s Autonomous System Number (ASN) type feature lets users determine the kind of network an IP address belongs to. In other words, this is a unique identifier, which allows an autonomous system to exchange routing data with other systems. Results that can show up here include digital subscriber line (DSL), content, educational, enterprise, and more.

Other new features such as GeoName ID tagging, meanwhile, assigns a location identifier for any given IP address. The tags are based on the GeoNames database, a repository of geographical data from all countries. This database also has more than 11 million place names available. When performing a lookup, the API automatically queries the GeoNames database for an IP’s unique geographical identifier.

The API also has a built-in associated domains parameter, which allows users to see all of the domains connected to a specific IP address. It does this by identifying all of the known websites that it detects and provides this in a list. This list can be particularly handy in recognizing other domains that are being operated by a particular individual or organization.

With regards to its records, Whois XML API keeps all of these stored in a regularly updated database. More than 8 million IP blocks and locations are available with the service. Additionally, the site provides bulk lookups and download facilities which can be quite helpful, for instance, when a large number of suspicious addresses needs to be reviewed simultaneously at once rather than manually one by one.

Users who are interested in checking out detailed IP geolocation data can sign up for free. Registration lets them check up to 1,000 IP addresses. The API provides the most information on IP addresses in the U.S., France, Germany, the U.K., and Italy. It’s also possible to view the statistics for other countries if users visit the FAQ page.

Compatibility

Assimilating the API with other cybersecurity applications and processes is possible using the programming languages Java, PHP, C#, NodeJS, Javascript, Perl, Ruby, and Python. The ‘Integrations’ page (https://ip-geolocation.whoisxmlapi.com/api/integrations/developer-libraries) on the website highlights various developer libraries with links to Github for more details.

From there, users can choose specific client libraries to learn how to perform IP geolocation lookups using their desired programming language. The page also has a list of code samples that give users an idea of how the API works. Links to the simple-GeoIP packages found on this page can also be downloaded conveniently. However, they must first create an IP geolocation API lookup account before obtaining a package.

All of WHOIS XML API’s datasets follow the same standard, allowing for easier rule creation. This can help amplify geo IP lookups in the database to make identity verification simpler. Important to note, the database can be downloaded in either CSV or JSON formats. These are two of the most common formats in use today, which allows for convenience.

Reliability

The availability of the IP geolocation product can be checked directly on the website under the ‘Resources’ tab by clicking API Status (https://main.whoisxmlapi.com/api-status). In this section, users can check the real-time status of the software along with its response time. A small question mark icon next to its status can be hovered to reveal a brief explanation of issues if any is present. Additionally, it’s possible to contact the support team by leaving a message at the bottom of the page.

Documentation

The site offers a documentation section (https://ip-geolocation.whoisxmlapi.com/api/documentation/making-requests) that explains the input parameters of the product and provides the sample output in both JSON and XML forms. The necessary API keys for making requests and the account balance information can also be found there.

There is also a lengthy user guide on how to operate the bulk processing aspect of the product. Topics discussed here include API usage rules, how to make and create requests, list of possible errors, and more. Users can also study the output parameters in this section, which lists all attributes with their respective definitions.

Moreover, the ‘Integrations’ page contains links to walkthroughs — teaching users how to perform geo IP searches on supported programming languages such as Python and JavaScript. These walkthroughs are well-explained and feature various examples to make them easier to understand. As such, even coders who aren’t familiar with API integration can easily carry out the process.

Provider 2: geo.ipify.org

Coverage

This geolocation product provides a 99.5% coverage of the address space and has more than 15 million IP blocks and locations in its database. The countries for which the company has the highest number of unique locations are the US, France, UK, Germany, and Canada.

Geo.Ipify also enables access to their IP geolocation database which currently covers 8,243,431 IP blocks and locations and contains 4,834,1212 records. The company strives to improve the coverage and the accuracy of the output, which is why they claim that there are hundreds of thousands of records updated and added to the database every month.

Users who don’t know the email address or domain of a target but have an IP address can still obtain geographical details with the tool. They have to input the target’s IP address to receive a host of information on its records. This information includes country, state, coordinates, time zone, city, and postal code.

Additionally, for those customers who would like to check if the data is detailed enough for their needs, Geo.Ipify provides a free subscription plan. Signing up can give users as much as 1,000 queries per month with no financial obligation.

Compatibility

The API supports an assortment of programming languages that includes PHP, C#, NodeJS, Java, PowerShell, Perl, Python, and Ruby. Despite this variety, the datasets are all standardized. This means that programmers won’t have to contend with issues such as misspellings when coding in responses. Users can check code samples under their ‘Code samples’ tab (https://geo.ipify.org/code-samples).

Access to the IP geolocation database can be through both CSV and JSON formats. Additionally, the company provides a database dump which contains about 5M IP range records and is approximately 50 Mb in size.

Interested parties can download sample databases to see what the company offers. Valid credentials are a requirement, however. The databases are found on the My Subscriptions page and available in JSON format. Users can choose to get IPv4 or IPv6 results or both. Keep in mind though that unpacked downloads can be more than 1GB in size.

Those who want to get started can visit the vendor’s Pricing page to view the rates for various IP geolocation offerings. Choices include a one-time purchase or monthly or yearly subscriptions. Several payment options are available as well—credit card, PayPal, Bitcoin, check, or wire transfer. However, users need to contact the company first for instructions.

Reliability

When it comes to client support, Geo.Ipify offers 24-hour customer service to all its clients. Users can contact the team when needed to receive answers to their questions if they get stuck. They can do this by either sending them an email to [email protected] with a response time of a day or less. It’s also possible to just scroll down to the end of each page on the site to find a message box where you can leave your inquiries or concerns. As for uptime, it’s possible to test if the product is operational by doing a lookup directly on the website.

Documentation

Geo.Ipify.org offers a single page for documentation purposes (https://geo.ipify.org/docs). Users can expect to find input parameters, an example of the output format, and the product key there to get started. The company also has a page that’s dedicated to answering the most frequently asked questions from their customers (https://geo.ipify.org/faq).

What’s more, features code samples are accessible in various programming languages and are pretty self-explanatory. Users just need to click the language they are interested in to learn how the API operates.

Considering use cases, Geo.IPify mentions that their product can support digital marketing efforts as it targets customers according to their country, region, or city. They also claim that it can be leveraged to customize users’ websites in real-time, block unauthorized access, and combat cyber attacks.

Provider 3: IPInfo.io

Coverage

IPInfo provides such geolocation details of an IP address as its location, ISP, company, domain, and carrier. They have information on approximately 220 million domain names, including the company each domain is connected with. They claim that their custom datasets are built through the massive amount of data being processed by their software.

Compatibility

IPInfo.io maintains several libraries in popular programming languages including PHP, Python, Perl, Java, and Ruby. They also have libraries for such web frameworks as Django, Laravel, and Rails. The setup and integration of the API’s features are pretty straightforward.

Reliability

Their API is built on Google Cloud with their infrastructure automatically scaling based on customer demand. The company’s sales and support teams can be contacted directly on the website. In addition, all of their data is secured with 256-bit SSL encryption or HTTPS.

Documentation

IPInfo provides extensive documentation for their API. It has an overview of the product’s main parameters along with output examples and guides to its features. Developers can jump right into the official libraries section if they wish to get started right away.

Provider 4: DB-IP.com

Coverage

DB-IP claims to have server infrastructure that spans across several continents. They utilize Anycast routing, which operates by forwarding all user requests to the server closest to them. Almost half of their records are found in the US, followed by India, Italy, the UK, and Germany.

They acquire data across several sources, which include agreements with various ISPs. This has allowed them to access more than 1.5 million unique locations in 200,000 cities around the world. In total, they say they have at least 21 million IPv4 and IPv6 blocks in their databases.

Compatibility

Their API is said to be compatible with third-party services like Geonames. The software employs RESTful semantics, which is officially supported by major development platforms today.

Meanwhile, DB-IP’s database is updated regularly and can be downloaded in either CSV or MMDB formats.

Reliability

DB-IP has an API status page that monitors the operation of its software, content delivery network, and database. This can be used to check whether their services are working or not to avoid confusion. Plus they assert their email support is available for all subscriptions to answer any question or concern.

Documentation

Tutorials to their API’s features are included on the website. Here, users can learn how to import and update databases, filter visitors by country, show visitor locations, and more. The FAQs page answers questions that involve general concerns, downloads for their datasets, and the API.

Provider 5: IP2Location.com

Coverage

IP2Location says it offers an IP search technology that’s not intrusive to privacy when collecting geolocation data. Their REST APIs (Representational State Transfer) supply details on IP lookups, which include the region, city, latitude, longitude, zip code, time zone, and ISP. They also claim that the outputs are obtained from their own database, which has more than 4 billion unique records, supporting both IPv4 and IPv6 addresses.

Compatibility

Regarding the retrieval of IP geolocation data, the provider mentions that its API can integrate with existing software platforms. Its lookups make use of the REST API that supports Java, PHP, .NET, Python, Ruby, and Perl.

Reliability

There isn’t much mentioned on the website when it comes to providing support to customers. However, the ‘Contact’ page contains the company support email for users with concerns.

Documentation

Extensive documentation on their product can be found in the FAQs section. Here, the most common questions regarding its general, technical, and database features are answered. In addition to that, they’ve also prepared tutorials and development libraries that outline tips on how to get started.

Provider 6: IPData.co

Coverage

IPData offers an API that lets people get geolocation details among which continent, country, region, city, coordinates, organization/ISP, and the timezone of IPv4 and IPv6 addresses. It is also capable of identifying the carrier and mobile country code of an entity.

Compatibility

The brand supports Python, PHP, Javascript, Node, Ruby, Go, Java, Swift, and C# libraries at this time, making it quite varied.

Reliability

IPData’s says their infrastructure runs via Amazon and uses the AWS Route53 routing to ensure that latency for requests remains low. There’s a link on the site that redirects users to a page showing the overall status of their API with details like its uptime, response time, and downtime.

Documentation

Complete documentation of the product is available on the website. Incorporated here are the tips to getting started, a carrier detection feature, threat data, and developer libraries. They also have guides on various functions, which include how to block, redirect, and show ads to users based on their country.

Provider 7: IPGeolocation.io

Coverage

The API is said to provide an accuracy of 99% for country-level searches while 70% can be expected on a city level. IPGeolocation openly mentions that their geoIP lookups on mobile networks are not up to par compared to their wired counterparts.

Compatibility

The endpoints for their IPGeolocation API all respond in JSON (default) and XML formats. Regarding their database, they say that open source projects were leveraged as their main sources of data further claiming that they used other databases as a point of reference to verify the accuracy of their approach. However, accessing the company’s database is not possible now, but the company is planning to provide it to the public in the future.

Reliability

A status report link for their API can be found on the website. This page details the uptime, apdex, response time, which includes latency and the total time for lookups. Besides that, IPGeolocation states that they are GDPR compliant and do not collect any information through their servers.

Documentation

As for the documentation, they offer a guide for users on how their product works. It is also possible to find details on how to use their software development kits (SDKs) and other APIs they offer.

Provider 8: Ipapi.com

Coverage

The Ipapi API is a product made and currently being maintained by Apilayer, a software company headquartered in London, United Kingdom. Their API returns IP address data which has been sourced from various providers including commercial, non-commercial, and proprietary entities. They claim that each of these sources is being validated and monitored regularly to ensure quality and consistency. Aside from that, Apilayer also states that their API can return accurate information on more than 2 million unique locations worldwide.

Compatibility

Their REST-based API allows their lookup requests to be made with results returned in either JSON or XML. The company also claims that its service uses highly scalable cloud infrastructure, which is capable of handling thousands of IP address queries or more each month.

Reliability

When it comes to uptime, the API’s status is said to be monitored closely around the clock. The company mentions that they have an average uptime rate of 99.9% as calculated in the last 12 months. There is also a public status page on their website which details the overall uptime, latest downtime, and some quick stats regarding the software.

Documentation

A documentation page for the API provides users with the information on its basic and advanced features together with other options. There are descriptions for individual response objects here to make it simpler for users to understand how each of them works.

Provider 9: IPStack.com

Coverage

The IPStack API covers more than 2 million unique locations in approximately 200,000 cities worldwide. The company claims to have had partnerships with large ISPs for many years, ensuring that they can provide accurate and consistent information. They also say the API is capable of handling 2 to 3 billion API requests on a daily basis with an average response time of 25ms.

Compatibility

IPStack says that their product is scalable with various solutions, providing users with results in either JSON or XML formats. Aside from that, it also supports various programming languages such as PHP (cURL) and JavaScript for lookups.

Reliability

Users can check the current status of the API directly from their website. Here, it’s possible to verify the overall uptime, latest downtime, and other statistics of the product over the past few days. The company behind IPStack also has a technical support team available to assist users in need.

Documentation

Extensive documentation for the API can be found on their website along with a guide to get started on the product’s basic features, endpoints, and other capabilities. Here users can also find sample codes for the programming languages that IPStack can support.

Provider 10: ClearIP.io

Coverage

ClearIP.io is another API that provides IPv4 and IPv6 geolocation data. Though there’s no information regarding the number of unique locations the product currently covers, ClearIP claims to acquire their information from numerous sources. They also say that their database is updated every day.

Compatibility

The API operates using an infrastructure that is powered by Amazon AWS, allowing the product to scale depending on the network demand automatically. The team behind ClearIP has also built their own libraries for popular programming languages such as PHP, Golang, NodeJS, and more. In addition, the company mentions that users are provided with results in JSON.

Reliability

There is no status page available on the website nor a Contact Us section. It is, however, possible to message the company directly from the popup chat window if issues arise.

Documentation

There is a documentation page available for the ClearIP API which provides a walkthrough for customers looking to get their app or website set up correctly. This section outlines how users can make a request together with basic examples of integration with programming languages.

Provider 11: IPWhois.io

Coverage

IPWhois.io claims to develop and maintain a database of geolocation data in real-time. The company guarantees that each API request made by users will get the most accurate location-based information. Furthermore, IPWhois states that they integrate this repository with multiple channels, which include RIPE, APNIC, ARIN, and AFRINIC, among others.

When it comes to response time, one can expect approximately 90 milliseconds in most parts of the world. IPWhois is said to use several powerful servers spread across various continents to achieve this rating.

Compatibility

The company says that its product is easy to integrate with existing applications and systems. It is possible to receive results in the standard JSON and XML along with the Newline format.

Reliability

All of the data that is sent to the IPWhois.io API is secured by 256-bit SSL encryption or also known as HTTPS. Aside from that, the company intended for its servers to be scattered worldwide so it can provide users with speed and security while avoiding a single point of failure.

Documentation

IPWHois.io has its own separate page that outlines a short overview of how their API works. Listed here are descriptions of various fields and values to help users get started. Although there’s not much mentioned on their customer service, there is a FAQ section to answer most inquiries.

Concluding Thoughts

With cybercrime on the rise, organizations have to use everything at their disposal to avoid becoming a victim of hacking, scamming, and fraud. To support that, geolocation is capable of supplying geographical information on IP addresses and can prove a helpful instrument for various cybersecurity specialists to better study threat origination and, therefore, combat malicious actors.

Lookups can reveal details like location, time zone, ASN, organization, and more. That said, I perceive that the products listed in this article are some of the best IP geolocation APIs available for cybersecurity today.

I would personally vouch for https://ip-geolocation.whoisxmlapi.com/api (which I founded) and geo.ipify.org, considering the various criteria mentioned earlier. However, the requirements you have will determine which of these APIs is best suited to your needs.

Disclaimer: The author is the founder of whoisxmlapi.com. If you have any feedback or questions, you can visit his website or reach out at [email protected].