While looking for suspicious IP address activity (to find members with duplicate accounts), we discovered IP address overlap between multiple users logging in from New York City.
When we looked at the 87 IP addresses of one NYC-based user we know well, we found another account that matched 77 of those IPs (87%). We figured this was a secondary account for this user, even though the users' grammar and punctuation differed.
But then we discovered another user shared 16 of the first user's 87 IP addresses... and this other user is one of our moderators (whom several of us have met in person).
Other users shared 4, 3, and 2 IP addresses with the original user.
Here's the thing: we are 100% confident that the original user and our moderator are different people.
We know that the original user (the one with the 87 IP addresses) lives in Queens.
We know our moderator (16 shared IP addresses with the first user) lives in mid-town Manhattan.
We know the user with 4 matching IP addresses lives in Staten Island, and the other with 2 matching IP addresses lives in the Lower East Side.
Our moderator with 16 overlapping IP addresses does not use a VPN.
How is it that in a city of 9 million people, and doubtless hundreds of thousands of wireless access points, these different users living in different boroughs have so much IP overlap?
Our moderator says:
> I do know there are three dominant internet carriers in the city, so it's possible we all use the same one and the same type of service level. Or perhaps the New York City internet network is set up on a special server where multiple VPNs are assigned and shared, for the purposes of stability and backup? And thus, all IP addresses and services are shared to some degree (because they're ultimately routed through one shared IP?) Maybe it's a response to 9/11?
Does anyone know what's going on with the NYC Internet?
IPv6 doesn't allow you to make this assumption 100% of the time either, even though it has 2^128 addresses. A /64 is not permanently assigned by an ISP (especially true for mobile services), nor is every end network guaranteed to be a /64; it was just a best-practice recommendation. There could be thousands of /127s in a /64 instead. The same can be said of NAT66; it's discouraged, but I'm sure some ISP somewhere will do it.
Duplicate IPs for accounts can be one flag to help you look for other signs, but it should by no means be proof of anything on its own, nor a sign that anything funky is going on with a region's internet.
Personally I’ve not been able to connect wirelessly to any of the street kiosks since about the second week of their existence. I still see the SSIDs advertised but I can’t negotiate a connection. I don’t know if that is because they are congested, broken, or that feature is switched off. I only have one near me but you can find them every block in some parts of Manhattan.
2) They could be using residential IPs, which are frequently reassigned. When my router restarts, I usually get a new IP address from the ISP's pool. This is more common for some ISPs and locations than for others; at my last place, we had the same IP address for 5 years.
3) Carrier-grade NAT, also mentioned here.
It might have an unusual apparent topology, with mostly to entirely wireless backbone links based on line-of-sight. Although I think users you talked to would identify this possibility, e.g. your moderator.
The first step should've been looking up the hostnames to see what you're dealing with.
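Added example, not part of any post in this thread: one way to act on the replies' points about reassigned residential addresses and carrier-grade NAT is to weight each shared IP by how few accounts use it, so an address seen on many accounts counts for little. The account names, the addresses (documentation ranges) and the log-rarity weighting are assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed sample: account -> set of login IPs (documentation ranges only).
POOL = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}   # shared egress, e.g. CGNAT
HOME = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}
SAMPLE = {
    "user_a":  POOL | HOME,
    "user_a2": HOME | {"198.51.100.1"},
    "mod":     POOL | {"192.0.2.50"},
    "user_c":  {"198.51.100.1", "198.51.100.2", "192.0.2.60"},
    "user_d":  {"198.51.100.2", "198.51.100.3", "192.0.2.70"},
    "user_e":  {"198.51.100.3", "192.0.2.80"},
}

def ip_weights(logins):
    """Weight each IP by rarity: log(accounts / accounts seen on that IP)."""
    seen_by = defaultdict(set)
    for account, ips in logins.items():
        for ip in ips:
            seen_by[ip].add(account)
    return {ip: math.log(len(logins) / len(a)) for ip, a in seen_by.items()}

def overlap_scores(logins):
    """Return (a, b, shared, raw, weighted) per overlapping pair, best first."""
    w = ip_weights(logins)
    rows = []
    for a, b in combinations(sorted(logins), 2):
        shared = logins[a] & logins[b]
        if not shared:
            continue
        # Raw overlap: share of the smaller account's IPs also seen on the other.
        raw = len(shared) / min(len(logins[a]), len(logins[b]))
        # Weighted overlap: rarity-weighted Jaccard; widely shared IPs add little.
        total = sum(w[ip] for ip in logins[a] | logins[b])
        weighted = sum(w[ip] for ip in shared) / total if total else 0.0
        rows.append((a, b, len(shared), round(raw, 2), round(weighted, 2)))
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    for row in overlap_scores(SAMPLE):
        print(row)
```

On the constructed data, the account that shares only pool addresses with `user_a` has a high raw overlap but a low weighted score, while the pair sharing rarely seen addresses ranks first.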