Topic: Question concerning IP addresses.
Nepheris
« on: 2006 November 25, 13:24:10 »

As the title says, I've got a question concerning IP addresses.

We've got a case of suspected multiple-accounts/identity forging on my boards. Sadly I don't know enough about IP addresses to be absolutely certain of a case of multiple accounts.
What I want to know is how much an IP address has to be similar to come from the same computer/network. I know IP addresses can change (right?), so how will I still know if it's the same place the activity is coming from?

What I've got is three suspected accounts (though two are more suspicious). All three start with the same two series of numbers. Only two start with the same series of three numbers (but the first account hasn't seen much activity lately). The last numbers differ, however. I've noticed that at least the first 2 series of numbers stay the same, though I'm not sure about the last two.

Any help would be appreciated, and I hope I've been clear enough in my question.
J. M. Pescado
« Reply #1 on: 2006 November 25, 13:35:21 »

> As the title says, I've got a question concerning IP addresses.
>
> We've got a case of suspected multiple-accounts/identity forging on my boards. Sadly I don't know enough about IP addresses to be absolutely certain of a case of multiple accounts.
> What I want to know is how much an IP address has to be similar to come from the same computer/network. I know IP addresses can change (right?), so how will I still know if it's the same place the activity is coming from?

Generally, if an IP address matches the first or second points, they MIGHT be the same person, but they could be different people on the same ISP. There is no conclusive way to tell just from the IP address. If the IP addresses are EXACTLY the same, AND the people involved DON'T come from a large number of IPs (dynamic IPs chosen at random from a pool), then they MIGHT again be the same person, or they could be sharing the same proxy, as is common with AOL. There is no singular magic bullet that identifies it, it's just something you learn to pick up on from experience. Consider how blatant the offense actually is before coming to some kind of judgement.

> What I've got is three suspected accounts (though two are more suspicious). All three start with the same two series of numbers. Only two start with the same series of three numbers (but the first account hasn't seen much activity lately). The last numbers differ, however. I've noticed that at least the first 2 series of numbers stay the same, though I'm not sure about the last two.

If the last numbers differ, then they are likely different people on the same ISP. Check to see how stable the IPs of the actual individuals are. If they have relatively stable IPs (no more than 1-3), then they are likely different people, or someone who has cleverly kept his IPs entirely separate. If they have unstable IPs and fluctuate across a large block of IPs, then your results are inconclusive.

Naturally, if that block of IPs is an AOL block (do an nslookup to see if it resolves to AOL) or similar large ISP, all bets are off, even if the IPs are identical.

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Nepheris
« Reply #2 on: 2006 November 25, 13:51:48 »

It's not an AOL block, but as all users claim to come from the same country, a shared ISP would be likely.

Thanks a lot for the explanation, I guess I'll have to use different methods to get some sort of 'proof'.
Baron
Marhis
« Reply #3 on: 2006 November 26, 00:34:25 »

Every ISP has some "rules" about their IPs; the most important thing is to know how they manage their IP share among the users.
For example, I use two different ISPs: one of them (the one I'm currently using, Fastweb in Italy) has all its users hidden behind a NAT; this means that every single user of Fastweb who lives in Bologna, Italy will have the same IP, that is, the gateway's IP. The other ISP, Infostrada, gives me a dynamic public IP, but I noticed that it always assigns me the same one, unless I don't log in for a month or more. So I always have 2 IPs, fixed, although they are officially dynamic.

I say that a wise, when he does not know what he is talking about, should know enough to keep his mouth shut. -- C. Collodi, Pinocchio.
------
The one and only Rhayden's AIDE. Accept no substitutes.
dizzy
« Reply #4 on: 2006 November 26, 02:40:14 »

Good rule of thumb here: if the two accounts are active at the same time with the same IP, it's probably a clone. Otherwise, it's probably not a clone.

J. M. Pescado
« Reply #5 on: 2006 November 26, 05:31:16 »

It often helps to resolve the IP in question to a DNS. If your resolved DNS contains strings like "dyn", "pool", "dial", then you're probably dealing with an individual user's dynamic IP. If you're seeing strings like "nat" or "proxy", you're dealing with a shitty ISP like AOL, which jams all its users on one IP and likely sells half-assed one-way Internet. Other things not fitting this rule are probably semisticky IPs, but there's no really clear way to tell. In most cases an identical IP indicates a high probability of the same user, except in the above rule.

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
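
The checks described in Reply #1 and Reply #5, combined into one script as an added example that is not part of any post in this thread. The sample log, host names, verdict labels and the `stable_max` threshold of 3 (taken from "no more than 1-3") are constructed assumptions; reverse-DNS names are embedded rather than looked up so the script runs offline.

```python
import ipaddress
from collections import defaultdict

DYNAMIC_HINTS = ("dyn", "pool", "dial")  # substrings named in Reply #5
SHARED_HINTS = ("nat", "proxy")          # substrings named in Reply #5

# Constructed sample log (documentation address ranges, made-up host names).
LOG = [
    ("anna", "203.0.113.10", "host10.static.example.net"),
    ("bella", "203.0.113.10", "host10.static.example.net"),
    ("carl", "203.0.113.77", "host77.static.example.net"),
    ("dora", "198.51.100.5", "proxy-5.cache.example.net"),
    ("ed", "198.51.100.5", "proxy-5.cache.example.net"),
    ("gus", "192.0.2.200", "dyn-200.pool.example.net"),
] + [("finn", f"192.0.2.{n}", f"dyn-{n}.pool.example.net") for n in (3, 41, 87, 120, 199)]

def classify_rdns(hostname):
    """Weak hint only: a plain substring match on the reverse-DNS name."""
    name = hostname.lower()
    if any(h in name for h in SHARED_HINTS):
        return "shared"
    if any(h in name for h in DYNAMIC_HINTS):
        return "dynamic"
    return "unknown"

def shared_octets(a, b):
    """Count the leading dotted-quad groups two IPv4 addresses have in common."""
    pa, pb = ipaddress.IPv4Address(a).packed, ipaddress.IPv4Address(b).packed
    return next((i for i in range(4) if pa[i] != pb[i]), 4)

def compare_accounts(log, acct_a, acct_b, stable_max=3):
    """Return a verdict label for two accounts; a hint for review, not proof."""
    seen = defaultdict(dict)  # account -> {ip: reverse-DNS name}
    for account, ip, rdns in log:
        seen[account][ip] = rdns
    ips_a, ips_b = seen[acct_a], seen[acct_b]
    common = set(ips_a) & set(ips_b)
    prefix = max((shared_octets(x, y) for x in ips_a for y in ips_b), default=0)
    if any(classify_rdns(ips_a[ip]) == "shared" for ip in common):
        return "inconclusive-shared-gateway"  # NAT/proxy: many users, one IP
    if max(len(ips_a), len(ips_b)) > stable_max:
        return "inconclusive-unstable-pool"   # addresses roam across a block
    if common:
        return "possibly-same-user"           # identical, stable address
    return "likely-different-users-same-isp" if prefix >= 2 else "unrelated"

if __name__ == "__main__":
    for pair in (("anna", "bella"), ("anna", "carl"), ("dora", "ed"), ("finn", "gus")):
        print(pair, compare_accounts(LOG, *pair))
```

Substring matching will mislabel host names that merely happen to contain one of the hint strings, so treat the rDNS label as one input among several.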
KatEnigma
« Reply #6 on: 2006 November 26, 22:06:57 »

Do they always post with the same IPs? If so, then they are different people, definitely. Some ISPs, like mine, give you a different IP every time you reset/disconnect the DSL/cable modem. If they are doing that to get a different IP to use to post as someone else, there's no way they could get the same IP every time they wanted to post under the other account.

OTOH, if they are always posting with different IPs (and I mean always, or almost always, not every once in a while), then it's a possibility. Not proof, mind you, but a possibility, unless you know they are on dial-up. Because I have to go out of my way to get a new IP, and I don't think even AOL just randomly changes your IP. Once you're logged into the system, you keep the IP until you do something, and if you have DSL or cable, you're not logging out every time you turn off your computer and you don't sign out, normally.

"There is a tragic flaw in our precious Constitution, and I don't know what can be done to fix it. This is it: Only nut cases want to be president."

- Kurt Vonnegut