
Ask HN: What's the deal with overlapping NYC IPs? - curiousnycips
We run an Internet forum with users from around the globe.

While looking for suspicious IP address activity (to find members with duplicate accounts), we discovered IP address overlap between multiple users logging in from New York City.

When we looked at the 87 IP addresses of one NYC-based user we know well, we found another account that matched 77 of those IPs (87%). We figured this was a secondary account for this user, even though the users' grammar and punctuation differed.

But then we discovered another user shared 16 of the first user's 87 IP addresses... and this other user is one of our moderators (whom several of us have met in person).

Other users shared 4, 3, and 2 IP addresses with the original user.

Here's the thing: we are 100% confident that the original user and our moderator are different people.

We know that the original user (the one with the 87 IP addresses) lives in Queens.

We know our moderator (16 shared IP addresses with the first user) lives in mid-town Manhattan.

We know the user with 4 matching IP addresses lives in Staten Island, and the other with 2 matching IP addresses lives in the Lower East Side.

Our moderator with 16 overlapping IP addresses does not use a VPN.

How is it that in a city of 9 million people, and doubtless hundreds of thousands of wireless access points, these different users living in different boroughs have so much IP overlap?

Our moderator says:

> I do know there are three dominant internet carriers in the city, so it's possible we all use the same one and the same type of service level. Or perhaps the New York City internet network is set up on a special server where multiple VPNs are assigned and shared, for the purposes of stability and backup? And thus, all IP addresses and services are shared to some degree (because they're ultimately routed through one shared IP?)
Maybe it's a response to 9/11?

Does anyone know what's going on with the NYC Internet?
======
YaBa
Seems like CGNAT

[https://en.wikipedia.org/wiki/Carrier-grade_NAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT)

~~~
corty
Yes, this has been going on for years in the IP-address third world, i.e.
everywhere but the US.

Now can we finally have IPv6 please, now that even Americans begin to hate the
blighty NAT? ;)

~~~
saurik
NAT in this context is preventing the ability for whoever this is to separate
and track users. That is a _good thing_.

~~~
brianwawok
Good for people trolling. Bad for users trying to run a message board.

------
zamadatix
When people say public IPs are "unique" they mean in the set of public IPs the
same IP won't be handed out to two different entities not that each end user
gets an IP that identifies them uniquely. There are only 2^32=~4.3 billion
IPv4 addresses (a very good chunk of which aren't even publicly routed on the
internet) so even if you wanted to it'd be impossible to assign IPs in such a
way given the number of users on the internet.

IPv6 doesn't allow you to make this assumption 100% of the time either even
though it has 2^128. A /64 is not permanently assigned by an ISP - especially
true for mobile services - nor is every end network guaranteed to be a /64, it
was just a best practice recommendation. There could be thousands of /127s in
a /64 instead. Same can be said of NAT66, it's discouraged but I'm sure some
ISP somewhere will do it.

Duplicate IPs for accounts can be one flag to help you look for other signs
but it should be by no means proof of anything on its own nor a sign anything
funky is going on with a region's internet.
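
An added illustration of the point above, not code from the thread: raw IP overlap between accounts compared with an overlap score that discounts addresses seen on many accounts, as a shared NAT pool would be. The account names and addresses are constructed, and the inverse-frequency weighting is one possible heuristic assumed for this example; a high score is still only a flag for closer review.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed login history using documentation address ranges (not real data).
POOL = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}  # stand-in for a carrier NAT pool
LOGINS = {
    "alice": POOL | {"198.51.100.1"},
    "bob":   POOL | {"198.51.100.2"},
    "carol": POOL | {"198.51.100.3"},
    "dave":  POOL | {"198.51.100.4"},
    "sock1": {"192.0.2.50", "192.0.2.51"},
    "sock2": {"192.0.2.50", "192.0.2.51", "192.0.2.52"},
}

def raw_jaccard(a, b):
    """Plain set overlap: every shared address counts the same."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def ip_weights(logins):
    """Weight each IP by log(total accounts / accounts seen on it).
    An address used by many accounts (a NAT pool exit) gets a weight near zero."""
    accounts_per_ip = defaultdict(set)
    for account, ips in logins.items():
        for ip in ips:
            accounts_per_ip[ip].add(account)
    total = len(logins)
    return {ip: math.log(total / len(accts)) for ip, accts in accounts_per_ip.items()}

def weighted_jaccard(a, b, weights):
    """Overlap where widely shared addresses contribute little to the score."""
    union = sum(weights[ip] for ip in a | b)
    if union == 0:
        return 0.0
    return sum(weights[ip] for ip in a & b) / union

def rank_pairs(logins):
    """Return (account, account, raw, weighted) rows, highest weighted score first."""
    weights = ip_weights(logins)
    rows = [(x, y, raw_jaccard(logins[x], logins[y]),
             weighted_jaccard(logins[x], logins[y], weights))
            for x, y in combinations(sorted(logins), 2)]
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for x, y, raw, weighted in rank_pairs(LOGINS)[:3]:
        print(f"{x:6} {y:6} raw={raw:.2f} weighted={weighted:.2f}")
```

On this sample the two accounts that only share pool addresses have a raw overlap close to the pair sharing a private line, while the weighted score separates them clearly.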

------
wmf
You can look up the IPs in WHOIS to find what ISP they belong to. It sounds
like a NAT pool where tons of customers are being NATed to a small number
(~128) of public IPs.

------
zxcvbn4038
NYC has a ton of street level internet kiosks and open wifi endpoints around,
it’s common to have housing above store levels, and it’s common to freeload on
them if you are lucky enough to be near one. That might be what you're seeing,
and as others have mentioned anyone using a cell phone is probably coming
through a NAT gateway unless you support IPv6 on your edge.

Personally I’ve not been able to connect wirelessly to any of the street
kiosks since about the second week of their existence. I still see the SSIDs
advertised but I can’t negotiate a connection. I don’t know if that is because
they are congested, broken, or that feature is switched off. I only have one
near me but you can find them every block in some parts of Manhattan.

~~~
Nextgrid
I wonder if they ban MAC addresses that spend too much time on the same kiosk
for exactly this reason, to prevent people (who don't know how to work around
it) from using it as their primary internet connection.

The purpose behind these is obviously advertising and I'm assuming that the
most valuable data they are after is physical movement data and that it is
valuable enough to subsidize the costs of running the system. However, if you
don't provide them this data (by only using the service from a single fixed
location) then they have nothing to gain from serving you.

------
phyzome
1) They could be using café wireless from different cafés that are backhauled
to the same data center (or LinkNYC as another commenter mentions.)

2) They could be using residential IPs, which are frequently reassigned. When
my router restarts, I usually get a new IP address from the ISP's pool. This
is more common for some ISPs and locations than for others; at my last place,
we had the same IP address for 5 years.

3) Carrier-grade NAT, also mentioned here.

------
Spooky23
Are they using LTE? We ran into a weird edge case issue a few years ago with
Verizon wireless. They NAT and inspect everything, including rate limiting
traffic that fit an abuse pattern. Weirdness happened more if the user was
transmitting many packets when transitioning between towers.

------
mcint
It could be related to the volunteer/non-profit mesh network ISP nycmesh.net,
another ISP NAT'ing connections.

It might have an unusual apparent topology, with mostly to entirely wireless
backbone links based on line-of-sight. Although I think users you talked to
would identify this possibility, e.g. your moderator.

------
ohyeshedid
It could be several things, but it's most likely either CGNAT, or you're using
a CDN and these are their ranges.

The first step should've been looking up the hostnames to see what you're
dealing with.

~~~
curiousnycips
> The first step should've been looking up the hostnames to see what you're
> dealing with.

Great point.

After looking up 29 of the IP addresses, it seems 28 of them (including all
the overlapping IP addresses) are T-Mobile.

Among the 29 I checked, there is 1 IP address with a different hostname
(Verizon). This address is unique and not shared with any other users.

Presumably all these forum members based in New York City are all also
T-Mobile customers there, it seems?

> It could be several things, but it's most likely either CGNAT, or you're
> using a CDN and these are their ranges.

We do, but it's configured to pass the user's origin IP to our site, rather
than the CDN's IPs.

~~~
ev1
Geo IP for Verizon Wireless and T-Mobile are close to worthless; they
effectively allocate from a nationwide pool.

If not more, hundreds of thousands of users share a single IP on T-Mobile, if
you are talking about IPv4. They stopped handing out IPv4 a while ago. It's
all v6 + CGNAT.

If it's web traffic and not arbitrary TCP TLS traffic, likely even more users
share it as they cache web and run it through shared proxies.

------
cfstras
CG-NAT, more specifically DS-Lite, is being used by lots of ISPs in Europe. In
Germany, it has been the default for new consumer contracts for ~6 years now.

~~~
cpach
What is DS-Lite?

~~~
morelisp
[https://en.wikipedia.org/wiki/IPv6_transition_mechanism#Dual...](https://en.wikipedia.org/wiki/IPv6_transition_mechanism#Dual-Stack_Lite_\(DS-Lite\))

Probably 2/3 of the people I know in Berlin who use residential connections
have it.

------
belltaco
Can you tell us over what time frames do the IPs match in your stats?

~~~
curiousnycips
For this user, the first IP address we have on record (mid-November 2019)
matches this user plus two other users.

The latest matching IP address for this user was yesterday (July 6th, matching
this user and one other).

