Multiple IPs from same computer? [solved]
I have a download page with links to download script. I've been monitoring IP addresses of the remote_addr of people that log into the download page and comparing them to those who try to access the download script. Once in a rare while when someone logs in from say 65.100.105.22 then they click to download something which executes the download script it logs something different like 65.100.105.30. This only happens once in about 6 months and because the download script blocks requests from IPs that are not logged in the script fails. But I've found that these cases are legitimate users who are logged in and just trying to download something.
Does anyone know why a different IP would appear? Is this caused by a router firewall that is balancing loads or something? I don't get it.
Last edited by Eric! on Fri Nov 13, 2009 8:11 am, edited 1 time in total.
- Peter Anselmo
- Forum Commoner
- Posts: 58
- Joined: Wed Feb 27, 2008 7:22 pm
Re: Multiple IPs from same computer?
I would guess they are browsing from an ISP that uses revolving IP addresses (most do by default). Perhaps their IP address changed while on your site, but since they were using the same session/cookie, they stayed logged in.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Multiple IPs from same computer?
Peter Anselmo wrote: their IP address changed while on your site, but since they were using the same session/cookie, they stayed logged in.
This.
Re: Multiple IPs from same computer?
Also, some users may have load balanced links to one or several ISPs (e.g. three ADSL modems connected to a load balancer).
This way while a single HTTP session is passed through a single link, it's not guaranteed that the next HTTP session will use the same link again.
We had a related discussion here: viewtopic.php?f=19&t=96910
There are 10 types of people in this world, those who understand binary and those who don't
Re: Multiple IPs from same computer?
VladSun wrote: Also, some users may have load balanced links to one or several ISPs (e.g. three ADSL modems connected to a load balancer).
I think this may be the case as the GET request for the page and the download links are within 10s of seconds apart yet come from different IP addresses. It happened consistently with this user while I tried to debug it. The locking of an IP seemed like a good idea but I guess it's back to sessions only.
Thanks for the link too. If only I had read it earlier...
Re: Multiple IPs from same computer?
Eric! wrote: I think this may be the case as the get request for the page and the download links are within 10's of seconds apart yet come from different ip addresses.
Do you know approximately how many different IP addresses were used by a single user, within a typical single-visit timeframe?
Did such users only jump between two or three different IPs, or between varying IPs within a limited network range (e.g. did they all look like 65.100.105.*) or were the IPs really completely random?
Re: Multiple IPs from same computer? [solved]
This user only had purchased one item so his session was limited to just logging on and downloading one item. I also know this guy is low tech and not running anything locally like a VPN. The download request seems to come from the same IP so perhaps there is a header type that the load-balancer detects and moves to another address...? They were all from the same network range. So you could just ignore the last set of numbers and still do some sort of IP lock that way. But it seems this idea has some fundamental flaws that I hadn't considered before.
Here's an example session:
Logged in: 64.xxx.yyy.202
HTTP GET for script: 64.xxx.yyy.136
Another time
Logged in: 64.xxx.yyy.130
HTTP GET for script: 64.xxx.yyy.136
Unless they are using TOR or something I wouldn't expect random IPs. But I've been wrong before.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Multiple IPs from same computer? [solved]
Eric! wrote: Unless they are using TOR or something I wouldn't expect random IPs. But I've been wrong before.
Using TOR for downloading? That'd be... slow. I don't find my IP address to be important enough that slow download speeds are worth the privacy.
Re: Multiple IPs from same computer? [solved]
Just as a follow up to this. I've had some security code in place for about a year now that prevents logged-in IPs from downloading files if the first 3 sets of numbers from their sub-net don't match. This has worked great because any load balancing networks usually only vary the last portion of the sub-net.
However I ran into one valid user who had this network setup:
Login IP (200.56.182.*)
Download IP (201.225.58.*)
I verified this multiple times that his HTTP GET requests were from the login IP and each binary download was routing through the other IP. My program blocked this, so I had to go in and fix it just for him, and then put it back after he was finished. But it was really weird.... I still feel like he was trying to do something tricky, but he had paid and it was a valid user.
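An added example in Python, not code from the thread or from the download script it discusses: it reproduces the first-three-octets comparison described above, but authorizes the download on a signed, expiring token bound to the session, so the IP relation is recorded as a signal instead of being enforced. The function names, secret, TTL, session and file ids, and the last octets filled in for 200.56.182.* and 201.225.58.* are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time

SECRET = b"constructed-demo-key"  # assumption: real deployments load this from config
TOKEN_TTL = 300                   # assumption: download links stay valid for 5 minutes


def ip_relation(login_ip, request_ip, prefix=24):
    """Classify request IP against login IP: 'exact', 'same-prefix' or 'different'."""
    a, b = ipaddress.ip_address(login_ip), ipaddress.ip_address(request_ip)
    if a == b:
        return "exact"
    if a.version != b.version:
        return "different"
    net = ipaddress.ip_network(f"{login_ip}/{prefix}", strict=False)
    return "same-prefix" if b in net else "different"


def _sign(session_id, file_id, expires):
    # Assumes ids never contain '|', so the signed fields cannot be shifted around.
    msg = f"{session_id}|{file_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, file_id, now=None):
    """Issued by the download page once the user is logged in."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_sign(session_id, file_id, expires)}"


def authorize_download(session_id, file_id, token, login_ip, request_ip, now=None):
    """Return (allowed, relation). The token decides; the relation is for logging."""
    now = time.time() if now is None else now
    relation = ip_relation(login_ip, request_ip)
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False, relation  # malformed token
    expected = _sign(session_id, file_id, expires)
    ok = hmac.compare_digest(sig.encode(), expected.encode()) and now <= expires
    return ok, relation
```

A "different" relation on an otherwise valid token is worth writing to the access log for review; it no longer locks out a paying user whose downloads route through another network.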