: What is the range of IPs that someone with a dynamic IP address can be assigned? I am working on a security policy and I'm wondering about users who have a dynamic IP address. If their IP

@Ogunnowo487

In addition to @closetnoc and @PlanetScaleNetworks answers, I can give you a specific example...

I have a home broadband connection (dynamic IP) with one of the largest ISPs in the UK. Over the last 5½ years:


Router powered 24/7. Only reset occasionally to resolve network issues.
IP address has changed 209 times, with 208 unique IP addresses. (Most changes occur whilst the router remains powered and without any noticeable disruption to service.)
The same IP address has been received only once, and that was 6 months and 17 IP addresses apart.
4 very different IP ranges, with possibly some subranges in there as well. I can count 10 IP ranges if I smooth out the gaps. However, there are obviously gaps in the IPs I have received so these "subranges" might not be particularly accurate.
Maximum length of time on the same IP: 2 months, 27 days. (During 2011-2013 I held on to several IPs for about 3 months. However, since mid-2013 to late-2016, the maximum time has reduced to approx 1 month.)
Shortest length of time: 2 minutes. (These short times are often at times of network problems where the router is reset several times in a short period of time. This doesn't reflect normal usage.)
(Simple) Average length of time: 9 days. (The short times due to network errors, mentioned above, possibly bring down this average. However, even ignoring the 35 records that are below 1 hour only brings the average up to 11 days.)
Resetting the router will often assign a new IP address, although not always.



How likely is it a user will have one IP address (A), then change to another IP (B), then be given the same IP (A) as before?


In my experience, this is very unlikely. But it could happen.

However, I have had dealings with another large UK provider of consumer broadband, and whilst still described as "dynamic", in practice they appear to be very "static". Not changed for "years"! So, it varies!

Vote Up Vote Down

@Jessie594

@closetnoc 's explanation of IP blocks is very thorough but as a simplification especially targeted to your question...

At a basic level ISP's will own one or more address blocks which they have been assigned from the appropriate Network Information Center for the geographic region being covered. With dynamically assigned IP's (which are more often than not assigned to consumer and small business connections) a large section of the address block will be configured into a DHCP server and when your connection is established (router switched on) a new IP is assigned from the available pool. These IP's also have what is called a lease time which is how the router can use the one IP address before it needs to request an updated one. Depending on the way the ISP's assigns the addresses will dictate whether they will receive the same address again in the future but the chances are slim.

To use Australia (where I live) as an example one of our smaller companies which can still be classed as a national ISP has a single assigned block (which was received directly from APNIC with a total number of available IP's in the range of 200'000+. Now these IP's are shared both through static IP subscriptions and dynamic subscriptions which means that the total available for dynamic use, even with a 50/50 split (which is not the case here) would still result in over 100'000 IP's being available to dynamic connections.

Furthermore even some statically assigned IP's are in fact NAT'ed to allow a large number of consumers (mainly used here in Australia for mobile devices) to access the internet without depleting the available address pool.

You mention that this is for the purposes of rolling your own security filters but IP's are notoriously difficult to filter as they can and are frequently reassigned anywhere from every few days to every few weeks. Furthermore even static addresses can and do change where address blocks need to be reassigned for whatever reason however those changes are less frequent as they involve the ISP's needing to work with the customers to work out the correct day and time for the change over. If you are trying to secure your network you would be better suited to using behavioural analysis and restricting based on that rather than IP's. The only times that IP based restrictions really work is where you are attempting to block access from an entire country as you can attempt to block the address ranges used by that country but regardless of how many IP blocks you implement anyone if they want to still get it would be able to use VPN connections to bypass your filters.

Vote Up Vote Down

@Jamie184

I have written this answer as simply as I know how. I have left out some details, of course, and generalized the answer for a clearer answer.

Every entity that requires IP addresses is allocated a range of IP addresses generally one of two ways. One, are larger entities that are allocated large blocks of IP addresses. Second, are smaller entities that are allocated IP addresses from the larger blocks of the larger entities as customers. This can be be several levels deep. For example, CenturyLink IP addresses are allocated from Quest. Quest is allocated from Level 3 Communications which is a Tier 1 provider. If you operate a web hosting operation with a link to the Internet provided by CenturyLink, then CenturyLink allocates a block of IP addresses to your operation.

Backing up a bit, Internet Assigned Numbers Authority (IANA) is responsible for all IP address allocations through one of the five regional Internet registry (RIR):


African Network Information Center (AFRINIC) for Africa
American Registry for Internet Numbers (ARIN) for the United
States, Canada, several parts of the Caribbean region, and
Antarctica.
Asia-Pacific Network Information Centre (APNIC) for Asia,
Australia, New Zealand, and neighboring countries
Latin America and Caribbean Network Information Centre (LACNIC)
for Latin America and parts of the Caribbean region
Réseaux IP Européens Network Coordination Centre (RIPE NCC) for
Europe, Russia, the Middle East, and Central Asia


Because Level 3 Communications is a large Tier 1 provider, it operates an Internet backbone network and gets it's IP address allocation from American Registry for Internet Numbers (ARIN). Quest is a commercial and subscriber telecommunications provider, so is CenturyLink as a subsidiarity of Quest. This means that Quest gets it's allocation from Level 3, and CenturyLink from Quest.

All IP addresses are either static or dynamic. This is determined by the company that holds the allocation. For example, web hosting companies use static IP addresses as this is generally required for the web. However, those with DSL lines (known as subscriber lines) from their telecommunications company (phone) will more likely have dynamic IP addresses. There is no one block of IP addresses for static or dynamic. Each block provided as subscriber blocks are generally huge while for large scale services companies such as the web hosting provider RackSpace is also huge. As well, companies that range from IBM, HP, Google, etc., can also have huge blocks of IP addresses.

In short, there is no simple way of determining static IP address blocks and dynamic IP address blocks. There are ways, but nothing we can describe here easily enough to help. It gets technical really fast.

As for dynamic IP addresses, these are issued using a lease method known as DHCP. With DHCP, a computer or router, for example, would request an IP address. This IP address once assigned is said to be leased. A lease through DHCP depends upon the parameters the DHCP system was set up with. Leases can be long or short. If a computer disconnects and reconnects, depending upon the lease period, it is highly likely that it will receive the same IP address as before. This is how things normally work. However, this is not a given. Some DHCP systems will issue a new IP from the pool with every connection. This is often the first IP address within the pool that is available which can be the same IP address or not depending upon the allocation activity.

So it gets complicated as you can see. I will not get into the weeds here. This should give you a good idea of how things work.

Vote Up Vote Down