We help IT Professionals succeed at work.

DSL public IP static or DHCP?

I've got a website registration process which I need to protect from malicious users.  I want to limit registrants to 5 accounts per IP.  Now I'm aware that DSL typically uses DHCP to assign IP's to customers.  Does that thwart my ability to identify a particular user by IP?  Is a DSL provider's DHCP going to change a user's IP every few days?

I don't want some user being able to pre-register 50 accounts.  Do I have any option here.  I'm already preventing robot registrants by using captcha.
Comment
Watch Question

You can not use IP address in this case, a DSL connection as with most cable connections is going to use a dynamic IP address which can change every day possibly.

Without understanding exactly what you are doing, how about limit it by email address?
Usually DSL changes IP upon a reboot of the router. there's also a pre-determined time, and while all providers may do things differently I would assume the timer is around 1 or 2 weeks.

I guess it becomes an issue of how strongly they want those 50 accounts. Is someone going to be willing to reboot their router 10 times to get those 50 accounts? Would they even know that your mechanism tracks by IP?

You may also want to implement an email verification policy. That way you have another method to use. Of course the same principle can apply... they can just create 50 email accounts...

Using both methods in combination might help sway would be leechers. Just remember, if a company has 500 users and they all want to register with your service, using the IP method you limit that entire building to just 5 registrants.

Good luck Phil5780, I'm sure you'll figure out what'll work best.

Commented:
I can't speak to what other providers do, but my IP doesn't change even when I reboot my router, and my DSL is DHCP (I don't pay for a static IP).  So, based on that, I would surmise that the IP doesn't change very often, at least in my experience with it.  But since providers will vary in how they handle that, I would agree with the suggestions above that you also use some other method.  Of course, email addresses are easily gamed, as I personally have a dozen or so.  Still, you can deter users by making them provide both.  If they don't understand your setup, they aren't likely to try to game it.

Author

Commented:
Good point, email as the tracking entity is the best choice.  I wouldn't want a client with 1000 users and a single IP to be limited to 5 accounts.