Here’s something that still surprises people in the industry: an IP address can represent one person or 10,000 people at the same time. Most security and analytics systems still treat it like a unique identifier anyway.
That made sense fifteen years ago. It really doesn’t anymore.
Too Many People, Not Enough Addresses
CGNAT is the big culprit, and almost nobody outside networking circles talks about it. Carrier-grade NAT lets mobile operators like T-Mobile and Vodafone stick thousands of subscribers behind one public IP address. So when someone “from” 203.0.113.47 does something suspicious on your website, good luck figuring out which of the 4,000 people sharing that address actually did it.
The IPv4 address pool ran dry years ago. There are only about 4.3 billion addresses total, which sounds like a lot until you remember there are roughly 15 billion connected devices out there right now. The math just doesn’t work.
And VPNs made the whole situation messier. NordVPN has something like 14 million subscribers. Thousands of them might be using the same exit server in Atlanta at any given moment. From your server’s perspective, they’re all one “user.”
Connection Fingerprints Tell a Better Story
This is where things get interesting. Every device that connects to a website leaks technical details during the TCP and TLS handshakes that most people never think about: window size values, TTL settings, maximum segment size, which TLS ciphers it supports and in what order. Put all of that together and you get a TCP/IP fingerprint that’s genuinely distinctive, even when the IP address is shared with half a city.
Why does it work? Because Microsoft, Apple, and the Linux kernel team all made different choices about default network stack configurations. A connection from Safari on macOS has measurably different TCP parameters than Firefox on Fedora. These aren’t settings most users ever touch, which is exactly what makes them useful for identification.
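As an added example (not code from the original article), here is a minimal passive fingerprinter in Python: it pulls the TTL, window size, MSS and option layout out of a raw IPv4/TCP SYN and matches them against a tiny signature table. The signatures and the two sample SYNs are constructed for illustration, modelled loosely on p0f-style entries; a real deployment would use a maintained database such as p0f's.

```python
import struct
# Illustrative signatures, loosely modelled on p0f-style entries (constructed, not a real database).
SIGNATURES = {
    "linux":   {"ttl": 64,  "opts": "mss,sack,ts,nop,ws"},
    "windows": {"ttl": 128, "opts": "mss,nop,ws,nop,nop,sack"},
    "macos":   {"ttl": 64,  "opts": "mss,nop,ws,nop,nop,ts,sack,eol"},
}
OPT_NAMES = {2: "mss", 3: "ws", 4: "sack", 8: "ts"}
def parse_syn(pkt: bytes) -> dict:
    """Pull the passively observable fields out of a raw IPv4 + TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    ttl = pkt[8]                                    # TTL as seen by the observer
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4                       # TCP header length incl. options
    fields = {"ttl": ttl, "window": struct.unpack("!H", tcp[14:16])[0], "mss": None, "wscale": None}
    opts, names, i = tcp[20:doff], [], 0
    while i < len(opts):                            # walk the option list; its order is the signal
        kind = opts[i]
        if kind == 0: names.append("eol"); break    # end-of-list
        if kind == 1: names.append("nop"); i += 1; continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2: break                        # malformed option: stop rather than loop
        if kind == 2: fields["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        if kind == 3: fields["wscale"] = opts[i + 2]
        names.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += length
    fields["opts"] = ",".join(names)
    # Each router hop decrements TTL; round up to the nearest common initial value.
    fields["initial_ttl"] = next(t for t in (64, 128, 255) if ttl <= t)
    fields["hops"] = fields["initial_ttl"] - ttl
    return fields
def guess_os(fields: dict) -> str:
    """Match initial TTL and option layout against the signature table."""
    for name, sig in SIGNATURES.items():
        if sig["ttl"] == fields["initial_ttl"] and sig["opts"] == fields["opts"]:
            return name
    return "unknown"
def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed IPv4+TCP SYN for offline testing (checksums left zero; nothing is sent)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, ((20 + len(options)) // 4) << 4,
                      0x02, window, 0, 0)
    return ip + tcp + options
# Two constructed SYNs that could share one CGNAT address yet clearly come from different stacks.
LINUX_SYN = build_syn(57, 64240, bytes.fromhex("020405b4 0402 080a0000000100000000 01 030307".replace(" ", "")))
WINDOWS_SYN = build_syn(120, 64240, bytes.fromhex("020405b4 01 030308 01 01 0402".replace(" ", "")))
```

Feed it real SYNs from a capture and the same source IP will split into distinct stacks whenever the option layout or initial TTL differs.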
Cloudflare has been doing this quietly in their bot management products for ages. It’s only now filtering down to mid-size companies that are realizing their IP-based fraud rules catch maybe 30% of what they should.
Where the Old Approach Falls Apart
Talk to anyone running an e-commerce fraud team and they’ll tell you the same thing: IP reputation is close to useless for sophisticated attacks. A fraudster buys a residential proxy exit in Houston, uses a stolen Visa card, and the transaction looks geographically perfect. Nothing in the IP data raises a flag.
But the TCP/IP fingerprint often does. The connection parameters don’t match a real consumer’s browser because the fraudster is routing through a proxy stack that leaves traces in the handshake. Research from the IEEE found that passive fingerprinting can peg an operating system with over 90% accuracy without sending a single probe packet.
Ad fraud is another mess. Click farms have gotten smart enough to rotate through residential IPs, so IP-based detection catches the lazy operators and misses everyone else. Behavioral and fingerprint signals are the only thing picking up the slack right now.
Privacy Concerns Are Real (and Complicated)
Obviously, better identification tech cuts both ways. The Electronic Frontier Foundation raised alarms about browser fingerprinting years ago, and TCP/IP fingerprinting operates at an even lower level. Users can’t install an extension to block it.
The GDPR already classifies device fingerprints as personal data, which means companies in Europe need a lawful basis to collect and process them. Using fingerprints for fraud detection? Probably fine under legitimate interest. Building ad targeting profiles with the same data? That’s a different conversation, and probably the wrong side of the regulation.
But pretending this technology doesn’t exist isn’t a strategy. Attackers already fingerprint their targets. Defenders who refuse to do the same are fighting with one hand behind their back.
The Direction This Is All Heading
IPv6 was supposed to fix the address shortage problem, and technically it does. Every device gets a unique address. Except IPv6 adoption is still sitting around 45% globally, and privacy extensions let devices randomize their addresses on purpose. The ARIN IPv4 depletion timeline lays out how we got into this mess, but the fix isn’t as clean as anyone hoped.
What’s actually working is layered identification. IP reputation as one signal. TCP/IP fingerprinting as another. Then behavioral stuff on top: mouse movement patterns, scroll speed, how someone fills out a form. No single layer is reliable by itself, but stacking three or four of them gets you surprisingly close to confident attribution.
Companies still relying on IP addresses as their primary identification method are going to keep hemorrhaging money to fraud and drowning in false positives. The tools to do better exist right now. The question is whether teams are willing to adopt them before the losses force the issue.
