33

I've got a list of hundreds of page requests from the same IP and I need to know if these could be requests by different computers.

voretaq7
Emanuil Rusev
  • 15
    Look into "NAT". If an entire university goes out through one public IP, all those clients will appear to you as one IP address. – Sirex Aug 31 '11 at 14:15
  • 23
    as an aside, this is why using the IP address as an identifier for a client ip is often a really bad idea :-) – Sirex Aug 31 '11 at 14:26
  • 2
    RE: The 12-hour ban hit large numbers of people in the country because all web traffic in Qatar is routed through a single net address. http://news.bbc.co.uk/2/hi/technology/6224677.stm – Boris Treukhov Sep 01 '11 at 12:34
  • 1
    as an aside, this is also why NAT is a really bad idea – b0fh Sep 01 '11 at 14:23
  • 3
    @b0fh: Actually, that depends on your situation - if you had, say, a finite address space (e.g. 2^8 addresses), a larger number of simultaneously connected devices (e.g. 2^16), and no usable alternative (all of which would not be an unlikely scenario for an ISP in the late 1990s), NAT would fit the bill quite nicely. – Piskvor left the building Sep 02 '11 at 13:24

7 Answers

59

There is no limit to the number of computers, however there is a limit to the number of simultaneous connections because of the possibility of ephemeral port exhaustion. More computers usually means more connections so there is a practical limit to how many computers will typically share the same IP address. Usually with a very large number of computers, multiple IP addresses will be shared in a pool to be used for NAT.

DuckMaestro
Jason Berg
  • 24
    +1 for the spectre of port exhaustion (too often overlooked when NATing) – voretaq7 Aug 31 '11 at 16:19
  • 8
    +1 for making me imagine a really boring Mass Effect. "Now that you're a Spectre, go reroute all outgoing ports in tower 3 in the Citadel to tower 2, with minimal latency, please." –  Aug 31 '11 at 20:14
  • Does this mean that it's unlikely to have like 5 identical requests from different "same IP" computers in one second? – Emanuil Rusev Sep 01 '11 at 15:05
  • 4
    @Emanuil Rusev No. There are 65,536 ports, so the NAT router can allow 65,536 connections from 65,536 different computers at the same time. In theory, that's only to a particular IP address; they could have another 65,536 computers using those ports to connect to another IP address. In sum, if you got 100,000 requests from the same IP, then they are probably from less than 100,000 computers. But you can't say much more than that. – Richard Gadsden Sep 01 '11 at 15:18
  • @SoldOutActivist, ???? – Pacerier Mar 11 '17 at 02:16
  • @RichardGadsden, But what about the hardware... can it settle 65535 * 65535 simultaneous connections? What's the bottleneck limit? – Pacerier Mar 11 '17 at 02:17
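The port exhaustion discussed in this answer and its comments, as a toy model of a port-overloading NAT. This is an added example, not code from any poster in the thread; the class, function names, addresses and the tiny four-port pool are constructed for illustration.

```python
# Added illustration: a toy port-overloading NAT (PAT). All names are hypothetical.

class PortExhausted(Exception):
    """Raised when no public source port is left for a new flow."""

class ToyNat:
    def __init__(self, public_ip, ports=range(1024, 65536), per_destination=False):
        self.public_ip = public_ip
        self.ports = ports
        # per_destination=False: each public port is handed out once, table-wide.
        # per_destination=True: a port may be reused when the destination differs,
        # because the full (src ip, src port, dst ip, dst port) tuple stays unique.
        self.per_destination = per_destination
        self.in_use = set()   # allocation keys already taken
        self.table = {}       # internal flow 4-tuple -> public source port

    def _key(self, port, dst):
        return (port, dst) if self.per_destination else port

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (public ip, public port) the destination server will see."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.table:                      # existing connection
            return self.public_ip, self.table[flow]
        dst = (dst_ip, dst_port)
        for port in self.ports:                     # first free port wins
            if self._key(port, dst) not in self.in_use:
                self.in_use.add(self._key(port, dst))
                self.table[flow] = port
                return self.public_ip, port
        raise PortExhausted(f"no free public port towards {dst_ip}:{dst_port}")

def demo(per_destination):
    """Six internal hosts, four public ports: count the flows that get through."""
    nat = ToyNat("203.0.113.1", ports=range(40000, 40004),
                 per_destination=per_destination)
    opened = 0
    try:
        for host in range(1, 7):
            # Constructed traffic: hosts 1-4 hit one server, hosts 5-6 another.
            dst_ip = "198.51.100.10" if host <= 4 else "198.51.100.20"
            nat.translate(f"10.0.0.{host}", 50000, dst_ip, 443)
            opened += 1
    except PortExhausted:
        pass
    return opened

if __name__ == "__main__":
    print("one port per flow:", demo(False))         # pool runs dry at host 5
    print("ports reused per destination:", demo(True))
```

Either way, every flow that gets through reaches the server from 203.0.113.1, so the server's log cannot tell the internal hosts apart.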
55

As many as can dance on the head of a pin - Or more accurately as many as an administrator wants to hide behind NAT.

voretaq7
  • So a 1000 is possible? – Emanuil Rusev Aug 31 '11 at 14:15
  • 28
    1,000,000 would be possible, never mind 1,000. – Mike Scott Aug 31 '11 at 14:17
  • 9
    Even worse - a complete wireless provider can be behind that. They typically do not expose public IP addresses. I mean someone like Vodafone customers can all use a small number of IPs. – TomTom Aug 31 '11 at 16:17
  • 6
    One mobile Internet provider in Austria hides all his phones behind one IP. Causing big trouble in some rate-limiting scenarios. – mailq Aug 31 '11 at 16:56
  • 2
    @mailq which one is it? – orange80 Aug 31 '11 at 21:22
  • I run the network for a small college, and all our students, faculty, and staff appear to use the same IP (we're behind NAT). My predecessors didn't have the foresight or weren't able to snag a /16 back in the days when they were still handing them out. – Joel Coel Sep 01 '11 at 03:14
  • 1
    So, I haven't studied NAT for a while but if the implementation is simply that the NAT is mapping return ports for client hosts to a set of return ports on the outgoing connections, that would allow for a theoretical maximum of 2^16 outgoing TCP transactions. I figure if you wanted more than that you simply map the outgoing ports for local and outgoing to the local and outgoing IP addresses. Correct me if I'm wrong but there is no practical theoretical limit to the number of hosts sharing a NAT ... – dannyman Sep 01 '11 at 04:09
  • @dannyman: what's a "practical theoretical limit"? – Lie Ryan Sep 01 '11 at 07:37
  • @orange80 It is Mobilkom (AS 16305) with their A1 (or reseller/rebranding) all hiding behind 194.48.133.8. But as I can see now they changed something in the beginning of July. No abusive behavior since then. – mailq Sep 01 '11 at 08:05
  • There's only 65,535 ports those machines can NAT behind. – Ian Boyd Sep 01 '11 at 11:26
  • In some cases a single IP may be shared by users of multiple ISPs - for example if your site is on a national censorship list. It happened to wikipedia in the UK - http://www.wired.com/threatlevel/2008/12/wikipedia-block/ – Colin Pickard Sep 01 '11 at 11:29
  • 3
    @Ian Boyd: The complete identifier for a TCP session is and with sufficient state in the NAT table, you can share either src or dst port if the other one is different. It's not usually done that way, though (thus things like "cone-shaped NAT" working most of the time). – Vatine Sep 01 '11 at 12:39
  • @Lie Ryan: A "practical theoretical limit" would be a theoretical limit that would be encountered in practice. You could theoretically stuff 65,000 hosts behind a NAT ... I guess this could possibly be attempted by a provider due to IPv4 exhaustion. :/ – dannyman Nov 09 '11 at 20:57
13

Besides NAT, they could be behind a proxy. If the proxy is nice to you, you might find more information in the HTTP-Headers of the requests. Look for X-Forwarded-For headers, which might help you to get closer to your real user count.

Silent-Bob
  • 1
    And if the proxy is particularly un-nice, the X-Forwarded-For can be faked. That can be done by any normal client too. – Pacerier Mar 11 '17 at 02:18
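One way to use X-Forwarded-For without trusting a value any client can fake, as raised in the answer and comment above. This is an added example, not code from the thread; the function names and the trusted-proxy range (a documentation prefix standing in for your own reverse proxies) are assumptions.

```python
# Added illustration: honour X-Forwarded-For only for hops we can vouch for.
import ipaddress

# Assumption: the reverse proxies we operate ourselves live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_address(peer_ip, xff_header):
    """Pick the address a request should be attributed to.

    peer_ip    -- source address of the TCP connection (cannot be set by a header)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from a peer we do not run is client-controlled: ignore it.
    if not _trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it saw, so walk from the right and stop at
    # the first hop that is not one of ours. Anything left of it is unverified.
    candidate = peer
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break                     # malformed entry: keep last verified hop
        candidate = hop
        if not _trusted(hop):
            break
    return str(candidate)

if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("198.51.100.7", "10.9.9.9"),                  # direct client, faked header
        ("192.0.2.10", "10.9.9.9, 203.0.113.50"),      # fake entry prepended
        ("192.0.2.10", "203.0.113.50, 192.0.2.20"),    # two of our proxies chained
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_address(peer, xff))
```

The address returned is still only the nearest hop you can verify; it may itself be a NAT gateway or a third-party proxy shared by many users.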
13

Even better, you could have a single computer behind a corporate gateway use a different IP on each hit, because of a load-balancing reverse proxy. Don't use IP as identifier. Just don't.

Randal Schwartz
  • Alternative solutions? – Pacerier Jun 14 '12 at 17:22
  • alternative solutions? make people login or otherwise identify themselves if uniquely identifying visitors is important. or use anonymous cookies (and even that identifies only the browser session, and not the user - some people routinely clear their cookies between sessions or configure their browser to do so automatically. similarly, some people do unsavoury/unhygienic things like sharing computers and login accounts). IP address-based "identity" is about as accurate as matching a person in a city of thousands or even millions knowing nothing about them but their hair-colour. – cas Jun 25 '12 at 02:58
  • of course "make people login" requires that there is enough value TO THE USER in your site that is worth the bother and potential privacy risk to do so. – cas Jun 25 '12 at 02:59
  • @cas "make people login" means that users subject to rate limiting on grounds of past low-quality contributions will just create a new account to evade said rate limit. – Damian Yerrick Sep 11 '17 at 20:42
  • Large networks use a pool of public addresses for NAT, not necessarily for load balancing but to avoid port exhaustion. The same client can possibly make several connections to the same destination from different public IPs. – Zac67 Oct 24 '17 at 21:09
10

It's fairly typical for an ISP to give a customer just one IP address. In order for a router to allow multiple users on a private network to utilize this address it uses NAT (Network Address Translation).

SpacemanSpiff
  • 3
    My ISP doubles down on this effect by giving me one IP address which itself is blatantly, clearly run through NAT. So my connections actually go through two translations. – jprete Aug 31 '11 at 20:59
  • See http://www.faqs.org/rfcs/rfc5684.html for more horror NAT scenarios. – MSalters Sep 01 '11 at 13:24
4

Of course they can.

If you're on a network and you have 1 public IP address, each page request (even if it comes from different computers) still comes from the same IP address.

DKNUCKLES
1

There can be any number of computers on a LAN (It may depend on the physical medium used between them i.e. cables, repeaters etc.), normally there is a single Gateway (at least one is required) to connect to the Internet. These Gateways normally have multiple IPs (both private and public) for the communication.

Now as the LAN can in turn be a set of LANs... figuring out the correct client is a herculean task if not impossible... Though you can still get to that by looking at the routing tables of the Gateway or by accessing NAT... This Link may help

Most of the time public IP is used by ISPs and Large or Mid size Organizations... That is why using client IP is not considered a wise idea now a days.

Amit
  • How do you solve the problem of "*That is why using client IP is not considered a wise idea now a days*"? – Pacerier Mar 11 '17 at 02:25