Tracking down your troll – The role of IP addresses

I had a letter from Colin Green on behalf of the Department for Culture Media and Sport the other. In part of it he said I was “confused” about Internet trolling, when I’m the leading expert. Here is something else he said, which I as a Chartered IT Professional Fellow of BCS – The Chartered Institute for IT know to be false:

We understand from Facebook that their policy is to comply with the UK legal framework for  disclosure of user data to third parties in that, when there is legal justification and obligation, they share information such as IP addresses and basic subscriber information with relevant  law enforcement authorities; and comply with legally-authorised requests for such disclosure  by private individuals. However, ultimately, IP address data may not be useful; IP addresses are frequently shared or recycled, making it difficult to identity a specific individual.

The reason I know this is false is because I have been involved in the Internet industry since I was 19, and used it since I was 15. This is probably longer than Colin Green has been able to use a computer at all! An IP address can be a very effective means for Troll Hunting individuals who have abused you, if they happen to work at an organisation or have a fixed IP address.

If you run a website for which you have control over the hosting, it is likely that you will have access to a serverlog. This is a file that lists all the computers that have accessed your website and which pages on that website they have accessed. I recently had a number of trolls target a webpage on The Crocels News that was an article I wrote. Below is a specific range of IP addresses that accessed it.

A Serverlog can be used to identify the IP addresses that accessed particular webpages on a website at a particular time.

You can see in this picture a number of IP addresses and that they visited the webpage on The Crocels News reporting that Mike Slocombe trolled Boris Johnson. It is also possible to get IP addresses of people who have visited your website from other sources. If your website has a commenting feature, it is likely that the IP address of the person posting will be stored. You can then match this up with the serverlog by searching for it.

To find out a IP address like these belong to is simple – unless you are Chris Green of course! If you have a Mac OS X PC you can launch a program called ‘Terminal‘ and if you have a Windows PC you can load up ‘Command Prompt‘. If you have Linux you probably know which app to run and what I’m going to say next!

To find out who the IP address belongs to, you type into one of these programs the command nslookup followed by the IP address. As you can see in the photo below, these IP addresses above have been traced to a number of PCs or servers at the Ministry of Defence.

The Command Prompt application on Windows and Terminal on Mac OS X can help locate the computers to which an IP address is assigned.

Once you have this information, it is possible for the organisation that the person is accessing your website from to identify the person who was using a particular computer. You can see in the image above that machines located at the Ministry of Defence were accessing The Crocels News. These were using the names DH110, DH115, DH210 and DH212, which in some cases may refer to machine names made up from room numbers. For instance dh110.public.mod.uk might be room number DH110 in one of the MoD’s buildings. I wonder what people at the Ministry of Defence were doing accessing the Crocels News at the same time it was being trolled?

Sometimes it is possible to get the location of a computer from just using the IP address. The website, IP Address Lookup (www.ip-lookup.net) can be used to find the location of an IP address but it is not always perfect.

I will be writing back to Colin Green from the Department for Culture Media and Sport to present him with this article so he can see for himself that he has been given bad advice. How does he think that the Sussex Police were able to identify that it was a member of the police who trolled Rebecca Brookes, other than by his IP address being resolved to a specific computer that police officer accessed?

I wonder if Colin Green after seeing this would rather he sought his technical advice from me and not whoever he got his second-hand piece of misinformation from! If I have the time, I might write an article to explain to Colin Green and others how to use the traceroot (Max/Linux) and tracert (Windows) commands to pin-point the location of an IP address located outside of an organisation!

One thought on “Tracking down your troll – The role of IP addresses

Leave a Reply

Your email address will not be published. Required fields are marked *