Score:0

Why might an end-user IP address be different when accessing different but co-hosted websites?

in flag

I am trying to understand the following observation.

We have two domain names, domain1.example and domain2.example. At a DNS level, there's an A record to an anycast address. Both domains resolve to the same address.

When the same user makes an HTTPS Web request to domain1.example and domain2.example, the user's IP address (per access log) is not consistent across the two domains but is consistent for each domain. In most cases, other users have identical IP addresses in both logs.

From a pure networking point of view, the packets should be routed using the same entry in the routing table since they are going to the same IP address. It seems something higher-level in the OSI stack is domain-aware and able to alter the pathway.

What might be interfering here?

mu flag
HTTPS has the SNI extension so that multiple websites can be at the same IP and each have its own certificate.
in flag
Yes, that's not really the question though. The question is why is the end-user perceived as being from a different IP?
vn flag
Does the user's device have multiple IP addresses?
in flag
I actually don’t know the user. It is possible it’s dual-homed, but I can’t explain why the identical destination IP would be consistently preferred by the same user IP address.
Score:2
us flag
Rob

Possibly your users are actively trying to hide their real IP addresses by using an anonymising service.

For corporate examples: larger companies and some ISPs use a cluster of proxy servers, each with a different external IP address, with user requests getting load balanced over that cluster.

In both cases there may be some form of session persistence that ensures that requests for a specific destination will "always" have the same egress IP-address.

More frequently you'll see the opposite though: a single site visitor whose IP address changes during the visit to your site, due to, for example:

  • IPv6 privacy extensions (RFC 4941)
  • Dual-stack users making requests over both IPv4 and IPv6 and switching between the two protocols for subsequent requests (RFC 8305)
  • load-balanced proxy servers and anonymising services using different IPs
  • users at the extreme range of a Wi-Fi access point whose device "randomly" switches between Wi-Fi and cellular data
  • etc. etc.
in flag
I think you are onto something. There’s no need to hide IP in our case. Both domains are owned by the same company, but one has a very well-known name. I do wonder if a corporate proxy sends outbound web requests to well-known domains (allow-listed) down a separate path that has a unique egress IP versus other domains.
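One way to triage the two access logs against the causes listed in the answer above, as an added example that is not part of the original thread. It assumes each log line has already been parsed into a (user_id, domain, client_ip) tuple, that a stable user identifier exists in both logs, and that /24 (IPv4) and /64 (IPv6) are a reasonable "same network" granularity. The records and label names are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (user_id, domain, client_ip) tuples already parsed from the
# two access logs. user_id (login or session id) is an assumption.
SAMPLE = [
    ("alice", "domain1.example", "198.51.100.10"),
    ("alice", "domain1.example", "198.51.100.10"),
    ("alice", "domain2.example", "198.51.100.77"),
    ("bob",   "domain1.example", "203.0.113.5"),
    ("bob",   "domain2.example", "203.0.113.5"),
    ("carol", "domain1.example", "192.0.2.44"),
    ("carol", "domain2.example", "2001:db8:1:2:aaaa::1"),
    ("dave",  "domain1.example", "2001:db8:9:9:1111::1"),
    ("dave",  "domain1.example", "2001:db8:9:9:3333::3"),
    ("dave",  "domain2.example", "2001:db8:9:9:2222::2"),
    ("erin",  "domain1.example", "192.0.2.200"),
    ("erin",  "domain2.example", "203.0.113.99"),
]

def prefix(ip):
    """Coarse network key: /24 for IPv4, /64 for IPv6 (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 64}", strict=False)

def classify(records):
    """Label each user seen on 2+ domains with a hint about why the IPs differ."""
    seen = defaultdict(lambda: defaultdict(set))  # user -> domain -> {client IPs}
    for user, domain, ip in records:
        seen[user][domain].add(ip)
    hints = {}
    for user, per_domain in seen.items():
        if len(per_domain) < 2:
            continue  # nothing to compare
        ips = set().union(*per_domain.values())
        if len(ips) == 1:
            hints[user] = "same-ip"
        elif len({ipaddress.ip_address(i).version for i in ips}) > 1:
            hints[user] = "dual-stack"  # IPv4 on one request, IPv6 on another
        elif len({prefix(i) for i in ips}) > 1:
            hints[user] = "different-network"  # e.g. Wi-Fi vs cellular, anonymiser
        elif all(len(s) == 1 for s in per_domain.values()):
            hints[user] = "per-destination-egress"  # one stable IP per domain
        else:
            hints[user] = "rotating-same-network"  # privacy addresses, balanced pool
    return hints

if __name__ == "__main__":
    for user, hint in sorted(classify(SAMPLE).items()):
        print(f"{user:6} {hint}")
```

The labels are hints for where to look next, not proof of the cause; the "per-destination-egress" case is the pattern described in the question.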