How do you determine to whom an IP is even registered to? They get sub-leased all the time.

The best you can do is check who has administrative control over the prefixes RIR info, but that doesn’t mean that anyone with control is the factual user of the IPs.

You could check the IRR for the ASN and base it on that, but still.

There's also no way to actually know _where_ an IP actually originates from. Only its AS path.

The DFZ contains all prefixes announced everywhere, for the internet is completely decentralized.

You check the RIR's records.

> They get sub-leased all the time.

With records updated. If not, any consequences from wrong information fall on the lessor and lessee.

> There's also no way to actually know _where_ an IP actually originates from. Only its AS path.

Ping time from different locations on their upstream AS gives a good guess.

Not always + there are no consequences whatsoever.

Plenty of leasing services will just provide you with IRR & RPKI, without ever touching the actual records.

> Ping time from different locations on their upstream AS gives a good guess.

Upstream AS is meaningless if it's a T1 carrier. Ping AS6939. They are everywhere.

Texas (measured from Texas):

  8  port-channel13.core4.dal1.he.net (184.104.196.170)  1.830 ms  1.969 ms *
  9  ns1.he.net (216.218.130.2)  1.539 ms  1.560 ms  1.555 ms

  11  port-channel2.core1.ash1.he.net (184.105.222.174)  19.666 ms 24.395 ms *
  12  ns1.he.net (216.218.130.2)  16.748 ms  17.268 ms  20.507 ms

  8  port-channel13.core1.fmt2.he.net (184.104.188.144)  3.830 ms be7.core1.sjc1.he.net (72.52.92.132)  5.197 ms port-channel13.core1.fmt2.he.net (184.104.188.144)  3.901 ms
  9  ns1.he.net (216.218.130.2)  2.600 ms  2.435 ms  2.728 ms

They are everywhere. It's a global carrier. Carriers also know no geographic boundaries.