Tracking a troll…..

Posted: September 26, 2012 in news, Uncategorized

Like many people, I have read Leo Traynor’s latest blog post, in which he tells how online trolling led to actual death threats being made against him and his family IRL (In Real Life), as well as shocking and insulting artefacts being left on his doorstep. It makes for frightening reading and fits right into the ongoing debate about trolling. The story has gone viral and has been picked up by the international media. What’s more, it has generated a spin-off debate on the method Leo used to locate the troll in question. He did this by having a friend take the IP addresses associated with offensive comments on his blog and trace them. A lot of ignorant comments are being made about how this would not be possible without access to ISP records, which can only be accessed with a warrant.

This is far from true.

An IP address, for those unfamiliar with it, is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. This means that every device connected to the Internet, and hence used to troll people, has an assigned IP address. It used to be that almost all IP addresses assigned by ISPs were assigned on a dynamic basis. This meant that a user was given a new IP address every time they connected to the Internet. This was done because an ISP’s network assets could not handle all users at the same time, so they had to rotate IP addresses between users. However, ISPs have increased their assets and most people have been assigned semi-permanent IP addresses by their provider. This means that in the majority of cases an IP address will point to an individual or a specific location. This information is used in lots of ways by popular web services. Take for instance Foursquare: this geo-location service will determine your location even if you use it on a device without built-in GPS. It does so simply by using your IP address and related information. Some websites also use your IP address to provide you with location-specific information. Just think of the various online shops such as Amazon, which determine your location solely by your IP address. But your IP address can be used to find out a lot more detailed information about you.

Let me explain by using an example. It is very easy to retrieve IP addresses: every comment left on a blog is tagged with the originating IP address. This can only be seen by the blog administrator. See the below image for an example.

The above image shows you a number of comments on my blog. There is a range of information, but for now we’re only going to take the IP address. Once you have this you can go to one of the many online IP tracker services such as “IPTrackerOnline.com”, type in the IP address in question and hit ENTER. Within seconds you will have a wealth of information. It will show you the user’s Internet Provider, a fairly exact location, the map coordinates and a satellite view of their location. Plug the location into Google Streetview and it will give you the actual address. You can then put the address into Google to find out more details. (NOTE: this does not work in all cases but even a general location is a piece in the puzzle when tracking a troll).

The above method will give you a fairly specific address or a “general area” of the person harassing you. Of course it is not foolproof and can be circumvented, but as Leo Traynor’s example showed, not everyone is devious enough to do so. In fact the majority of Internet trolls are either too stupid or too arrogant to completely hide their identity or location. Another method is looking for IP addresses connected with discussion forum postings. A lot of forums will include the poster’s IP address in their message, so with a bit of luck you will be able to find out more about the troll’s online habits. In the past I have come across people posting trolling/harassment spam from the same IP address that they used when engaging in professional discussions online.

Every bit of information gathered using the above method can then be cross-referenced with other databases, leading to a wealth of information and quite often a very detailed profile of someone, including personal & professional information as well as relevant locations.

So by taking this simple set of numbers which follows people online like a trail of breadcrumbs you can not only find out their location but you can also trace their name as well as find a lot of personal details. Enough to give you some tools to work with when trying to shut a troll up. And all of this is public information that can be legally obtained and which does *not* require any warrants.

Note: I am not an IT security professional, blackhat hacker or anything like that. I do however have about 17 years of IT/networking experience and have on quite a few occasions helped people track down someone who was harassing them or someone close to them online.  The above method is not 100% watertight but it works in most cases and is perfectly legal.

UPDATE: In response to numerous requests received I have put up a guide to “Safer Surfing”.
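
IP geolocation databases are keyed by address block rather than by individual address, so the lookup step described above is a longest-prefix match and every address in a block gets the same provider, location and coordinates. The sketch below is an added example, not code from this blog or from any tracker site; the table, provider names, coordinates and the use of the 198.18.0.0/15 benchmarking range are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class GeoRecord(NamedTuple):
    network: ipaddress.IPv4Network
    isp: str
    location: str   # label the database attaches to the whole block
    lat: float
    lon: float


def _rec(cidr, isp, location, lat, lon):
    return GeoRecord(ipaddress.ip_network(cidr), isp, location, lat, lon)


# Constructed sample database (assumption): 198.18.0.0/15 is reserved for
# benchmarking, so none of these blocks belongs to a real subscriber.
SAMPLE_DB = [
    _rec("198.18.0.0/15", "ExampleNet", "country-level default", 10.0, 20.0),
    _rec("198.18.0.0/16", "ExampleNet", "Region B residential pool", 11.0, 21.0),
    _rec("198.19.0.0/17", "ExampleNet", "City A residential pool", 12.0, 22.0),
    _rec("198.19.200.0/29", "ExampleNet Business", "registered office block", 12.5, 22.5),
]


def lookup(ip, db=SAMPLE_DB):
    """Return the most specific record covering ip, or None if no block matches.

    Raises ValueError for input that is not an IP address.
    """
    addr = ipaddress.ip_address(ip)
    matches = [r for r in db if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def describe(ip, db=SAMPLE_DB):
    """What a lookup can honestly report: the block's data and how many
    addresses share exactly the same answer."""
    rec = lookup(ip, db)
    if rec is None:
        return {"ip": ip, "found": False}
    return {
        "ip": ip,
        "found": True,
        "isp": rec.isp,
        "location": rec.location,
        "coords": (rec.lat, rec.lon),
        "block": str(rec.network),
        "shared_by": rec.network.num_addresses,
    }


def group_by_answer(ips, db=SAMPLE_DB):
    """Group logged addresses by the block that answers for them.

    Addresses in one group get identical coordinates, which says they share
    a provider pool, not that they share a household.
    """
    groups = defaultdict(list)
    for ip in ips:
        rec = lookup(ip, db)
        groups[str(rec.network) if rec else "no record"].append(ip)
    return dict(groups)


if __name__ == "__main__":
    # Constructed comment-log addresses.
    log = ["198.19.25.113", "198.19.25.114", "198.19.24.113",
           "198.18.207.82", "198.19.200.3", "203.0.113.5"]
    for ip in log:
        print(describe(ip))
    print(group_by_answer(log))
```

The `shared_by` figure is the useful one: a residential pool record is shared by tens of thousands of addresses, while a small block registered to a business is shared by a handful.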

Comments
  1. Bríd says:

    I’ve just put my IP address into IPTrackerOnline.com and it tells me I’m beside Ballynahinch. It offers me a satellite picture of a bunch of trees. I’m not surprised. I’m in north Co. Dublin. These things are notoriously unreliable. Most of the time, when I was with Vodafone, IP Trackers put me in Limerick.

    “Accuracy rates on deriving a city from an IP address fluctuate between 50 and 80 percent, according to DNS Stuff, a Massachusetts-based DNS and networking tools firm.”

    http://whatismyipaddress.com/geolocation-accuracy

    • My IP address says I’m in the middle of the Atlantic Ocean. As I’m in Portland, Oregon, I think this isn’t as useful as it first appears.

      • evertb says:

        Theodore, it actually doesn’t, as it locates your IP address in Portland Oregon. A 2 minute Google session shows me that you possibly live in Silverton or Beaverton, and your phone number possibly starts with 503-873, 503-882, 503-643 or 503-318.
        You work (or have worked) for the Oregon Institute of Technology in a software related role.

        Am I warm yet?

  2. evertb says:

    Brid,

    I noticed that you’re using a mobile broadband connection. These are indeed very unreliable when tracing. However in the majority of cases a combination of IP-tracing via databases, Google-ing and cross referencing will provide a rather accurate picture.
    But, as I said in the post, nothing is 100% accurate.
    I also didn’t go into detail on other technologies which are more accurate…

    • I think the key here is that a troll leaves MANY posts, and the information accumulates over time.

      For instance, if the troll MAINLY uses mobile broadband (with a vague physical location), but SOMETIMES uses a fixed IP address, the combination reveals information.

      Firstly, the mobile broadband range reveals the service provider, and broad geographic location.

      Secondly, the fixed IP address gives more specific location info.

      Thirdly, the frequency of mobile and fixed reveals a pattern. As soon as there is enough data, it becomes obvious whether or not ALL of the data originates with one person. Add this to signature tics that all online types have, and you can easily narrow things down. Some people use commas and apostrophes incorrectly, for example. And they ALWAYS make the same signature mistakes. Some use quirky punctuation.

      Fourthly, this data isn’t about making a bullet-proof positive identification. There are other tools for that. This is about investigating, ‘chasing back the cat’, getting a grip on who it MIGHT be.

  3. Dia Positief says:

    Reblogged this on Onder Zeeniveau and commented:
    Read an article about Leo Traynor –

  4. Bríd says:

    “I noticed that you’re using a mobile broadband connection”

    I am. But when I was with Vodafone, I was on DSL through my phoneline. Trackers still put me in Limerick!

  5. Bríd says:

    I should add: Mr Traynor’s experience was horrific. And if it had been me, I’d have tried to track the little b*st*rd too. I’m just wondering if he’s sure that what his IT friend did was “above board”.

  6. evertb says:

    Brid,

    I have discussed this with Leo and you can take my word that the methods used were completely above board.

  7. Leo Traynor says:

    Hi Bríd,

    I’d have asked exactly the same question.
    The methods I used were verified as legal & “above board” by an independent data protection specialist. My blog was read by a lawyer & by the youth’s parents before I published it and I removed a lot of the specifics to protect the minor’s identity.

  8. QuestionOfTruth says:

    I’m afraid that the method you’ve given won’t resolve to the correct location for the vast majority of home internet users who will have DHCP assigned IP’s from their ISP. As such it almost certainly can’t be the method used.

    Assuming the real method used was actually “above board” then it’s kind of puzzling that he’s hesitant to release it. I wouldn’t even care if he used more underhanded methods, I certainly would be willing to if faced with what he was faced with, but he has specifically said that they were above board while also maintaining the need to be vague.

  9. evertb says:

    @QuestionOfTruth Yes & no. ISP’s do indeed in the majority of cases assign IP addresses to users via DHCP. However the important point is how long the “lease” on the assigned IP address is. The trend has moved to longer & longer leases resulting in a large enough time window to even track a dynamically assigned IP address. I actually mention that in the post already.

    Note: I also mention that no method is 100% foolproof.

    • QuestionOfTruth says:

      Okay, I concur that a router can keep the same IP for a very long time these days, particularly on some ISPs (and possibly even indefinitely), and also that there are other methods and that none are foolproof.

      However, I don’t think that the length of time the IP stays on the same router is relevant in this case. The only way for the IP to ever get “tracked” via legitimate means by one of these databases would be via something not based on the IP and requiring code to be run at the location or information to be freely given. For instance a page with html5 geolocation being run and the results being logged by IP. I don’t know of any legitimate sites that actually do this though, the iptrackeronline site certainly makes no mention of it. And the site would have to be pretty ubiquitous to have any impact. Devices that do make anonymous geolocation reports to the databases of google etc are clear that they’re anonymous … I haven’t actually checked but I would have assumed that means they don’t include IPs.

      Failing the above, the database is just going to have the same information it has always had, namely that the IP address comes from a pool of IPs owned by your ISP and thought to be handed out to users in city X.

      • evertb says:

        1) As I said this is not 100% foolproof but works in a lot of cases.

        2) As I have done this before I can attest that it works. Even in cases where an exact address cannot be extracted you will get a fairly general location which will assist with further searches and cross referencing. Tracing the IP address alone will more often than not be enough but it’s the first step that will guide you in the right direction.

    • QuestionOfTruth says:

      Well, I have to say that I think it’s not going to give you even street level accuracy on a home user 99% of the time, so really we’re just talking about region of the country or city the vast majority of the time. This might be enough to get you going if you’ve already decided on a narrow pool of suspects (e.g., people you know) and there happens to be not too many candidates in the area, but not otherwise.

      I’m only currently seeing two legitimate reasons why he wouldn’t just give the method
      1) It involved him trying to trap a lot of his friends (through tracking emails etc), who might be hurt by the fact they were under suspicion. I guess this could be extended to some other totally legal but slightly unethical methods.
      2) It involves something that would only be applicable to the culprit. Such as the dad was running a business from home and had a DNS entry for his static IP address.

      Of course, if either of those were true then the IP geolocation thing would be something of a red herring. Obviously it could be a reason I haven’t thought of.

      FWIW I’m just curious. I’ve realised my username is demanding “truth” for truth’s sake but that’s not actually what I’m going for. I’m just genuinely interested in how it went down.

    • Mark Baker says:

      OK, well I have a static IP address for my DSL connection. Where do you think I am? Hint: it’s 100km from Croydon, which is where ipaddresstracker.com thinks I am.

      What I suspect happened in Leo Traynor’s case is that it came up with the same city as his friend, and he then checked the IP address on emails received from his friend to confirm it.

      • evertb says:

        Mark, please read my blogpost again. Nowhere did I say that I can determine someone’s location solely by their IP address (however this has happened on a few occasions).
        As for your suggestions re Leo’s method; that would be a possibility but is not what happened here…

  10. evertb says:

    @QuestionOfTruth You’re incorrect in your assumptions, both on the accuracy of linking an IP address to a geographical location with a satisfactory level of accuracy *and* in your reasoning on Leo Traynor’s methods.

    • QuestionOfTruth says:

      Interesting. If you come up with an example of a DHCP home user’s IP address resolving to something that’s even claiming to be their street address (rather than location given to the pool that the address came from) then please post it, as I’ve never seen it. Any example will do.

      wrt my reasoning on his methods, I had definitely expected 2 to be correct. If the method doesn’t reveal the culprit and is both ethical and legal then it seems odd that we’re having this conversation.

      • evertb says:

        OK, I am not going to disclose anyone’s personal details here but will give you a few IP addresses which you can simply run through the website referred to above. Again, this is only part of the process (as I have explained ad nauseam). However these IP addresses will trace back to locations in residential areas rather than some ISP’s office.

        62.8.228.24
        79.97.248.75

        Another good source for tracking details are the numerous websites listing IP address against user details. Crunchbase is one of them: http://www.crunchbase.com/edits?page=54820

        • QuestionOfTruth says:

          You’ve given two examples:
          62.8.228.24: A field in Germany that the surrounding IP addresses also map to.
          79.97.248.75: A UPC address, tracking to the same place that all the other UPC addresses in Dublin track to, either the grand canal by Mespil Rd or Dame st, depending on which service you use to do the lookup (you can look at mine if you don’t believe me).

          Neither of these examples demonstrate the accuracy you are suggesting. I said that we’re talking about “region of the country or city the vast majority of the time.” and you said that I was incorrect, but you haven’t given a reasonable example.

          Crunchbase! Finally something new (previous to this you hadn’t given anything that wasn’t already in Leo’s post, just a more detailed explanation of it). This is NOT ip geolocation, and you and Leo haven’t this method before. The likes of wikipedia do the same. However, they generally do NOT map IP addresses to users as you say, but rather IP addresses to edits. If the person has logged in then their username will be shown rather than their IP address. It would definitely be possible that you could work out information about an IP using such methods, particularly if they’re very active in the internet.

          • evertb says:

            OK, I gave you the wrong set of IP addresses. (smacks head):

            71.57.25.113
            76.25.207.82

            Anyway, I think you get my point by now.

            • CyberYul says:

              You can check those IPs in RIPE database and it’ll tell you that both belong to Comcast, one is from Colorado range and the other one from Illinois range. Decide a pair of longitude and latitude values for those states and there you have your “iptrackeronline”
              Illinois block is half a B class and Colorado is a whole B class block, so you get the same results for more than 32000 IPs in Illinois and more than 65000 IPs in Colorado. That’s far far far from accurate.

              We get your point anyway :)

            • Andrew says:

              OK, take the first one, 71.57.25.113 – I get Schaumburg, Illinois. Now try 71.57.25.114, 71.57.25.115, etc. Or even try 71.57.24.113. There’s a huge block of IPs all resolving to exactly the same address.

    • DaveJ says:

      Nope, QoT is not incorrect in his assumptions. It is practically impossible to pinpoint to the degree you claim, by websites like these. The websites you mention do not have any other information than what is publicly available. Unless the ISP add home address information to the routing mechanisms of their equipment, it is just not possible. The closest you could get (depending on the level of division of the ISP’s network) is a cluster of houses, a street, a neighbourhood. Sometimes the end user IP has no DNS record against it, sometimes it does. If it does (the ISP does this for management reasons) then you might glean a little more information about the location. But an actual address? I think Mr. Traynor’s IT friend was extremely lucky with his trace.

      You must not forget that Mr. Traynor has not divulged all information that was harvested from his pal’s exercise, he could have been given more information that led him to the culprit. but a simple scan? unlikely, very unlikely!

      • evertb says:

        @Dave As I keep explaining over & over again; plugging the IP address into one of these trackers narrows down the location fairly significantly. Once you have this information you can then cross-reference it with other data which is readily available online to help you form a clearer picture of the person in question. If the IP address links to a name online you can then add this name to the search keywords to find out even more. It’s all parts of the same puzzle.
        Basically it’s nothing but good old fashioned research.

        I fully agree that no IP address will give you an exact address and *that’s all you need*. However my point is (and I seem to have failed in bringing this across) that nobody is as anonymous online as they think they are..

        • Matt says:

          It’s not a stout point, is I think the point trying to be made here. You’re inferring that you can relatively easily locate someone online through an IP, or at least have a decent chance to narrow their location, and that is somewhat accurate.. but just having the IP, AT BEST.. At the very best in the vast majority of cases.. will only show you the city the person lives in. That is next to useless unless the Troll has managed to slip up and give their name and possibly age.

  11. Bob Andray says:

    QOT is right. The idea that a consumer-grade DHCP ip address resolves to a particular house (street, area) is out of a bad Sandra Bullock movie. When QOT points this out, we get hand-waving and arguments from authority.

  12. Andrew says:

    I am interested in the methodology used. Funnily enough the people commenting on this at the Guardian in particular are really surprised at the easiest section of the process (tracing an IP to a physical address) but I’m pretty sure Twitter doesn’t make IP addresses public in the tweet or message headers so I’m confused about how you’d get an IP to look up from those. Well, legally at least.

    • QuestionOfTruth says:

      @Andrew, the twitter account was closed and the troll was lured to another place (like this blog for instance) where the owner can see the IP addresses of those posting. However, the “tracing an IP to a physical address” section has not yet been resolved.

      • Andrew says:

        Oh I don’t know, if his IP was static you can get a decent idea and if you have access to previous emails from the address it’s easy enough to just take a look for a matching IP. If it’s dynamic then it’ll probably renew once every 24-72 hours so that puts a time constraint on it but it’s still possible.

        I missed the bit about a private blog in the story so I assumed he’d got an IP from Twitter, that’d mean either a man-in-the-middle or someone breaking into Twitter’s database for DMs and finding the entry for that message. Both very illegal but with that solved the rest of this is perfectly routine.

        • QuestionOfTruth says:

          @Andrew, nah if the IP is dynamic it isn’t going to renew at anything close to that rate. In any case, what you’re talking about is matching the IP to somebody you’re in contact with (via email or IM or whatever). This is not tracing an IP to a physical address, it’s matching the IP to one of your contacts. That’s definitely possible but it isn’t what they’re saying they did.

          • Andrew says:

            The renew rate is actually variable by a huge margin but I’ve dealt with home connections that renewed at the far ends of that estimate. As variable as that is the quality and precision of tracing an IP address to a physical location since it depends so heavily on the network topology, however I’ve routinely been able to track company addresses to physical buildings to roughly a street’s accuracy, I think it depends a fair amount on what part of the country you’re in.

            As for the precise method of tracking, all it says in the blog entry is that three IP addresses were retrieved, one of which belonged to his friend. If it were me and I was looking for a match I’d start by finding a rough area and working out which of my suspects lived inside that area rather than trying to use a single method. I’d guess that the IP address was roughly in the area of one of his friends and that the IT bloke had probably been given a ‘by any means necessary’ license and had emails to check it against. Either that or he got given a rough area and decided to bluff the rest to try and elicit a confession.

            I really wouldn’t say whether this is true or false but given that it’s possible and that this isn’t said to happen all that often it wouldn’t surprise me if someone had finally got lucky.

            • QuestionOfTruth says:

              I think we’re in agreement here. A home DHCP address isn’t going to be renewed every 24-72 hours unless the connection is flapping a lot. Company IPs are a totally different beast, as they’ll often have DNS records or have the IPs registered to their name. I agree on it being possible to trace an IP if it belongs to a limited pool of suspects but I already suggested this and Evert said it didn’t happen like that (i.e. even with a rough area they’re still dealing with everybody who lives in that area rather than a select group).

  13. Tim says:

    I wonder if all people commenting have read both Mr. Traynor’s blog and this one. He clearly states that he baited the troll on his blog and the bait was taken. His administrative rights to his blog provided the most accurate information.

    • Andrew says:

      Well I wouldn’t know about his blog but I read it on the Grauniad and on there it’s only briefly alluded to, it says he redirected people to his g+, facebook and personal blog and two of those three have the same issue as Twitter, I just skipped over one word.

  14. Tom says:

    Speaking as one of the ‘ignorant’ people who queried this (FYI I work in a major ISP and am partly responsible for the IP trace systems) it is *not* generally possible to take an IP and resolve *to an address*, as Leo Traynor’s original post suggested, as that kind of thing requires IP lease records and customer account details which tend to be rather closely held.

    Of course, in many cases steps as suggested here will get you to the approximate area and if you have other data to cross-reference you might get closer than that but my very non-moving very geolocated cable public IP is commonly placed across about half of west London by online location services.

    I assumed that for the sake of brevity/legality/privacy that not all steps in the investigation were included, such as cross-referencing the IP, which is pretty much what Mr. Traynor’s saying in the comments.

    • evertb says:

      @Tom, you are absolutely correct. Both in pointing out that it needs to be cross-referenced (as I said before) and in assuming that “for the sake of brevity/legality/privacy that not all steps in the investigation were included”….
      Point is that Leo with some help was able to find the person behind all the abuse and that it did *not* require protected data only accessible with a warrant.

  15. [...] to remain anonymous, but another IT professional, Evert Bopp, outlines the techniques involved on his blog. Here are the [...]

  16. [REDACTED] says:

    These tactics are all interesting, but useless when dealing with a technically able USENET troll that knows how to use a re-mailer service, Google Groups, and forged headers.

    Recently there’s been a spate of ‘trolls’ in the alt.support.shyness USENET newsgroup. Perhaps the maintainer of this blog can use his talents to ensure that these ‘trolls’ are unmasked and appropriate care given.

    • evertb says:

      I agree. If you are harassed by someone who has the skills you describe it will be almost impossible to trace them. However in most cases people who troll/stalk/harass other people online do not have such skills or eventually slip up in some way.
      We can discuss exceptions as much as we want but the methodology described in my blogpost works in the majority of cases.

  17. Stephanie says:

    Mine took me to exactly where I am

  18. NiallOK says:

    Very interesting … and Leo’s tale makes for very interesting reading too.

    Using iptrackeronline.com took me to Mespil Road on the south side of the city. I’m not there, but I’d imagine that from my tweets, etc., it’d be easy enough to find where I am/where I live.

    • Mark Baker says:

      If your tweets have enough information for people to work out where in the city you are, they almost certainly also have enough information for people to work out which city! So I don’t see how ipaddresstrackeronline is any help to anyone.

  19. dave says:

    If a troll is using a proxy ip it is also next to impossible to trace them.

    • evertb says:

      It depends. Sometimes a “troll” will slip up, forget to use the proxy, make a post under a different name with their own IP address etc. Tracing them can be a long process.

  20. Daniel says:

    This technique will only lead you to the ISPs server facility, not to their customer’s residence. So at best you will know the city in or near which the troll lives.

    Let’s review what Traynor wrote, in the Guardian version of his post which he has not been able to change:

    “The third location was the interesting one. The third location was a friend’s house.”

    So let’s say you get an ISP with a server farm in Dublin. You know the troll’s ISP, you know their city. How exactly do you use other data to find an individual residence? Do you Google for “Dublin ISPName”? Does that narrow it down? Maybe “Dublin ISPName antisemitic tweets”? Maybe the kid posted somewhere that he lives in Dublin, uses ISPName, and makes antisemitic tweets? And also his name? Yeah, that would work, I guess.

  21. Mariel Tan says:

    i have a really mean hater and i want to know how to get his ip address. how? :)

  22. Robert Cogan says:

    Pardon a novice. I post comments on political issues and often see insulting troll messages. So I’m interested in seeking a little more civility by letting trolls know they can be identified. I just don’t see IP addresses like those in your addresses, e.g., banetworks 84.80.99.160. Also you write “A lot of forums will include the posters IP address in their message.” I’m just another commenter, not the blog or discussion forum administrator. Can I find such IP’s? Am I missing some little click step you are performing? Can you name a couple political forums where I can see the IP’s of commenters? Thank you.

  23. zack says:

    Hi,
    I came across your blog while looking for a way to nab a troll that has given me sleepless nights.
    They have posted ads of my pics, details and contacts in funny dating sites and are hell-bent on spoiling my name since any Google search of my name brings up those websites. I haven’t been able to get a job for a long time and this ain’t helping things at all.
    I have a hunch who the culprit could be but I need to nab them squarely and put an end to this. My question is, can I get their IP address from the malicious ads? Please help.

    Distressed Zack :(

  24. [...] Provider, a fairly exact location, the map coordinates and a satellite view of their location,” writes Bopp. The Google stock advice comment spam above, for example, appears to originate from an [...]

  25. LF Buckland says:

    This is really helpful as a way of tracing the IP of trolls via blogs. But, how do you trace Twitter trolls?

  26. My ex was coming into my blog using alias and harassing and slandering me. I had blocked his IP#, username etc but he was still getting through. So I kept track of all the IP#s he was using and they were all within a few numbers of each other. I put them all into an IP tracking program and discovered they were all at the same lat and longitude. I went to another site where you can put in the long and lat and get an exact location. From there I went to google street view and discovered he was using his laptop in front of a condo unit and must have been hooking into everyone’s internet. I sent him an email busting him and he stopped.

  27. mani says:

    Any ideas how to track down a facebook troll?

  28. Vicki says:

    Need help with identifying this person. Constantly clicking on my Google AdWords which is stopping us from making a living. Have the IP address and it shows the location but like that it’s facing a canal.
