While looking for suspicious IP address activity (to find members with duplicate accounts), we discovered IP address overlap between multiple users logging in from New York City.
When we looked at the 87 IP addresses of one NYC-based user we know well, we found another account that matched 77 of those IPs (87%). We figured this was a secondary account for this user, even though the users' grammar and punctuation differed.
But then we discovered another user shared 16 of the first user's 87 IP addresses... and this other user is one of our moderators (whom several of us have met in person).
Other users shared 4, 3, and 2 IP addresses with the original user.
Here's the thing: we are 100% confident that the original user and our moderator are different people.
We know that the original user (the one with the 87 IP addresses) lives in Queens.
We know our moderator (16 shared IP addresses with the first user) lives in mid-town Manhattan.
We know the user with 4 matching IP addresses lives in Staten Island, and the other with 2 matching IP addresses lives in the Lower East Side.
Our moderator with 16 overlapping IP addresses does not use a VPN.
How is it that in a city of 9 million people, and doubtless hundreds of thousands of wireless access points, these different users living in different boroughs have so much IP overlap?
Our moderator says:
>I do know there are three dominant internet carriers in the city, so it's possible we all use the same one and the same type of service level. Or perhaps the New York City internet network is set up on a special server where multiple VPNs are assigned and shared, for the purposes of stability and backup? And thus, all IP addresses and services are shared to some degree (because they're ultimately routed through one shared IP?) Maybe it's a response to 9/11?
Does anyone know what's going on with the NYC Internet?
https://en.wikipedia.org/wiki/Carrier-grade_NAT
Now can we finally have IPv6 please, now that even americans begin to hate the blighty NAT? ;)
Of course contacting a webserver will mostly be the same. Maybe some loadbalancers will be less confused, but I doubt an enduser will notice.
are ISPs going to use https://en.wikipedia.org/wiki/Mobile_IP though? because with a roaming ipv6 address you will have a device identifier that you may not be able to change even when roaming. advertisers couldn't have wished for something better.
Network operators will always find away to make you miserable.
IPv6 doesn't allow you to make this assumption 100% of the time either even though it has 2^128. A /64 is not permanently assigned by an ISP - especially true for mobile services - nor is every end network guaranteed to be a /64, it was just a best practice recommendation. There could be thousands of /127s in a /64 instead. Same can be said of NAT66, it's discouraged but I'm sure some ISP somewhere will do it.
Duplicate IPs for accounts can be one flag to help you look for other signs but it should be by no means proof of anything on its own nor a sign anything funky is going on with a region's internet.
Personally I’ve not been able to connect wirelessly to any of the street kiosks since about the second week of their existence. I still see the SSIDs advertised but I can’t negotiate a connection. I don’t know if that is because they are congested, broken, or that feature is switched off. I only have one near me but you can find them every block in some parts of Manhattan.
The purpose behind these is obviously advertising and I'm assuming that the most valuable data they are after is physical movement data and that it is valuable enough to subsidize the costs of running the system. However, if you don't provide them this data (by only using the service from a single fixed location) then they have nothing to gain from serving you.
2) They could be using residential IPs, which are frequently reassigned. When my router restarts, I usually get a new IP address from the ISP's pool. This is more common for some ISPs and locations than for others; at my last place, we had the same IP address for 5 years.
3) Carrier-grade NAT, also mentioned here.
It might have an unusual apparent topology, with mostly to entirely wireless backbone links based on line-of-sight. Although I think users you talked to would identify this possibility, e.g. your moderator.
The first step should've been looking up the hostnames to see what you're dealing with.
Great point.
After looking up 29 of the IP addresses, it seems 28 of them (including all the overlapping IP addresses) are T-Mobile.
Among the 29 I checked, there is 1 IP address with a different hostname (Verizon). This address is unique and not shared with any other users.
Presumably all these forum members based in New York City are all also T-Mobile customers there, it seems?
> It could be several things, but it's most likely either CGNAT, or you're using a CDN and these are their ranges.
We do, but it's configured to pass the user's origin IP to our site, rather than the CDN's IPs.
If not more, hundreds of thousands of users share a single IP on T-Mobile, if you are talking about IPv4. They stopped handing out IPv4 a while ago. It's all v6 + CGNAT.
If it's web traffic and not arbitrary TCP TLS traffic, likely even more users share it as they cache web and run it through shared proxies.
Probably 2/3 of the people I know in Berlin who use residential connections have it.
The latest matching IP address for this user was yesterday (July 6th, matching this user and one other).