That seems to be a major aspect. There are hundreds of VPN services. They compete on many dimensions, such as speed, security, not retaining any logs, and the number of server locations. And some of them have insane numbers of server locations.
Anyway, I've been looking at this issue for a while, using ping services (such as asm.ca.com, maplatency.com and ping.pe). For HMA and VyprVPN, only about half of the servers seem to be located where claimed. And HMA claims to have one in North Korea ;)
What I'd be really concerned about is -- how are these VPN services getting their fake locations to show up on Maxmind? Is Maxmind simply taking their word for it when they claim that one of their IP ranges is in North Korea, for instance? Or is there some deeper trickery going on?
I don't know how Avast (HMA) does it. I'm sure that there's more to it than lying to MaxMind etc. I do know that, as long as the ISPs don't object, one can announce an IP from one ISP on another. I also know that one can tunnel ISP uplinks.
HMA (Avast) claims that fnj-kp.prcdn.net is in Manpo, North Korea. MaxMind now reports that two of its IPs (5.62.61.64 and 5.62.61.65) are in Prague, Czechia. And the third (5.62.56.160) in Seattle, WA, US. But ipinfo.io still reports North Korea for all three.
But peering is complicated. There are two ISPs in Zurich, for example, with ~25 msec rtt between them, but ~5 msec ping to other nearby cities. They just don't speak directly it seems.
I'd say look up BGP (Border Gateway Protocol), but the wiki page buries the important parts, since it describes the protocol state machine and packet format before even attempting to give a high level picture.
AS, standing for Autonomous System, is like an ISP's name. BGP spreads routing information by rumor. For example, I start the rumor that I can route to IP addresses in 1.2.3.0/24, and tell my peer ISPs. They tell their peers I told them... etc. To prevent rumors from going in circles, you keep a record of every ISP in the path of spreading the rumor, and call it the AS path. (Otherwise you could never retract the rumor, as it would go in circles. BGP speakers do not accept rumors that they themselves are in the path of. (Except in cases of dirty hacks, but then only a finite number of times.))
This article describes fraudulent AS paths attached to (as I understood it) IP ranges that were legitimately owned by the people advertising them to Hurricane Electric. This is like you telling Hurricane Electric that I (the North Korean ISP) told you that I can route to 1.2.3.0/24, an IP address range you own, even though I told you no such thing and we are not even peers.
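The two comments above describe AS_PATH as a loop-prevention record and then a path that claims a peering which never existed. This added example (not code from the thread or from any of the providers named) models both in Python: a toy flood of an announcement with the "I'm already in this path" rejection rule, and an adjacency check against a known peering graph that flags a hop no real peering could have produced. ASNs are from the RFC 5398 documentation range and the peering graph is constructed.

```python
# Added example, not from the thread: a toy model of BGP "rumor" spreading
# with AS_PATH loop prevention, plus an adjacency consistency check of the
# kind that catches AS paths crossing non-existent peerings.
from collections import deque

def propagate(links, origin_as):
    """Flood an announcement from origin_as over `links` (ASN -> set of peers).
    Returns (adopted, rejected): adopted maps each ASN to the AS_PATH it
    advertises onward (its own ASN first, the origin last, as in real BGP);
    rejected lists (asn, path) pairs dropped by the loop check."""
    adopted = {origin_as: [origin_as]}
    rejected = []
    queue = deque([origin_as])
    while queue:
        speaker = queue.popleft()
        path = adopted[speaker]             # what `speaker` tells its peers
        for peer in sorted(links[speaker]):
            if peer in path:                # loop prevention: already in this path
                rejected.append((peer, list(path)))
            elif peer not in adopted:       # first rumor wins in this toy model
                adopted[peer] = [peer] + path
                queue.append(peer)
    return adopted, rejected

def unknown_adjacencies(path, links):
    """Return consecutive ASN pairs in `path` that are not peers in `links`.
    A genuine path can only cross real peerings; a path with an unknown hop
    is either stale peering data or a fabricated AS_PATH worth investigating."""
    return [(a, b) for a, b in zip(path, path[1:]) if b not in links.get(a, set())]

# Constructed peering graph (RFC 5398 documentation ASNs): a triangle plus a stub.
LINKS = {
    64496: {64497, 64498},
    64497: {64496, 64498},
    64498: {64496, 64497, 64499},
    64499: {64498},
}

if __name__ == "__main__":
    adopted, rejected = propagate(LINKS, 64496)
    print("adopted:", adopted)
    print("rejected by loop check:", rejected)
    # A path claiming 64499 heard the prefix directly from 64497, which it never peers with.
    print("suspicious hops:", unknown_adjacencies([64499, 64497, 64496], LINKS))
```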
Avast, NFOrce, etc. can update their BGP routing information with a routing registry probably by just sending an email with some authentication details. Apparently the veracity of provided information is not checked. The information then gets propagated to a shared routing registry database offered to the public for free by a handful of registries via WHOIS.
The blog author suggests that the inaccuracies in Maxmind may originate from fake information in WHOIS.
This paper discusses accuracy of GeoIP databases. It concludes they are between 96-98% accurate at the country-level. Maybe the database compilers would use delay measurement for the 2-4% if the inaccuracies follow some pattern, e.g. they are consistently associated with particular countries. Maybe they already use this method. I don't know.
This is a bit beyond my knowledge of TCP/IP, however, does this support Putin's assertion that hackers can make an attack appear to come from Russia when they could be based somewhere else? How much work do you have to do to make it that your IP address is from somewhere credibly in some other country?
I'd say not really. BGP based lies are hilariously easy to spot, and can be observed by any ISP in the world. When the US Intelligence community blames Russia for hacking they aren't just doing geo-ip lookups and believing what they see. Anyone with a credit card these days can rent a server in any country anyway, so origin of traffic is more or less useless.
You can use a service that pings (or traceroutes) a given address with multiple probes. Round-trip lightspeed is 150 km/msec. So if you see a probe location with minimum rtt on the order of 1 msec, that's about where the address is. And conversely, if you see probes at the claimed location with minimum rtt over 20 msec, be suspicious.
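The comment's rule of thumb (150 km of distance per millisecond of round trip) turns each probe's minimum RTT into a hard upper bound on how far the target can be from that probe. This added example (not code from the thread or from any ping service) applies that bound in Python to a claimed location: the coordinates for Manpo are approximate and the probe locations and RTT values are constructed sample data.

```python
# Added example, not from the thread: a speed-of-light plausibility check for
# a claimed server location, using the comment's 150 km per msec of round trip.
from math import radians, sin, cos, asin, sqrt

KM_PER_RTT_MS = 150.0     # the comment's rule of thumb for round-trip lightspeed
EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def check_claim(claimed, probes):
    """claimed: (lat, lon) the provider advertises.
    probes: list of (name, lat, lon, min_rtt_ms) from multi-probe pings.
    Returns (name, max_km, claimed_km) for every probe whose minimum RTT
    cannot physically reach the claimed point, i.e. rtt * 150 km is smaller
    than the great-circle distance to it. An empty list means the claim is
    plausible, not proven: RTT only bounds distance from above."""
    violations = []
    for name, lat, lon, rtt in probes:
        max_km = rtt * KM_PER_RTT_MS
        claimed_km = haversine_km(lat, lon, claimed[0], claimed[1])
        if claimed_km > max_km:
            violations.append((name, round(max_km), round(claimed_km)))
    return violations

# Constructed sample: a server advertised as being in Manpo, North Korea
# (approximate coordinates), pinged from two hypothetical probes.
CLAIMED_MANPO = (41.15, 126.28)
PROBES = [
    ("prague", 50.08, 14.44, 1.2),   # ~1 ms from Prague: target is near Prague
    ("seoul", 37.57, 126.98, 40.0),  # 40 ms from Seoul: bound of 6000 km, no contradiction
]

if __name__ == "__main__":
    for name, max_km, claimed_km in check_claim(CLAIMED_MANPO, PROBES):
        print(f"{name}: claimed site is {claimed_km} km away but RTT allows at most {max_km} km")
```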
Also, you can also have your attack derive from Russia. Russia (the government or a Russian hacker group) doesn't have to be behind the attack for it to look like it's sourced from Russian internet space.
This is mostly unrelated, but is the AARNet peering with China Telecom in this article meant to be legit or fake? I think it's meant to be legit, but I can't get past AARNet misspelling their own name - "Reasearch" (sic).
Some