How to uniquely identify users with the same external IP address?

How to uniquely identify users with the same external IP address? Is there any way to uniquely identify such users?

Yes, there are lots of ways:

  • Cookies
  • Evercookies (JavaScript code that uses lots of different techniques to store identifying information, among them Flash cookies, the various HTML5 storage options, the browser's visited links history, etc.)
  • Device fingerprinting: use the HTTP header (mainly User Agent, but the other headers and their order can help as well)
  • Device fingerprinting with JavaScript: with JavaScript, you can get a lot of information, such as screen resolution, timezone, plugins, system fonts, etc.
  • Behavior: how fast do the users fill in forms, where on a button do they click, etc.

But most of these are not useful in defending against brute-force attacks, since the program doing them will probably not accept cookies or run JavaScript.

In your case, you might try:

  • HTTP header: these might actually already be enough to differentiate between users using the same IP address (of course, an attacker can just randomly switch them, but I would assume most currently don't).
  • Light throttling: you don't have to block IP addresses, you could just slow down the login process for them. That way, brute forcing becomes a lot less feasible, but real users using the same IP address can still log in.
  • CAPTCHAs: these will annoy legitimate users, but hopefully not too many users actually use an IP address from which brute-force attacks originate (of course, there are tools to automatically solve CAPTCHAs, but it's still harder than no CAPTCHA).
  • You could require a user to accept cookies, and to send various identifying information before being allowed to log in (such as the screen resolution, timezone, etc.). Of course, an attacker can do this as well, but I don't think any currently existing bruteforce tools can do this, so they would have to write a custom script. But this might also annoy legitimate users.
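The HTTP-header and light-throttling suggestions above can be combined as in the following added example, which is not part of the original answer: failed logins are counted per (IP address, header fingerprint), so a script behind a shared address is slowed while other users of that address are not, and a looser per-IP counter still catches a client that randomises its headers. The class and function names, the header selection, the thresholds and the sample clients are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Headers hashed into the fingerprint (an assumed selection).
FP_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")

def header_fingerprint(headers):
    """Hash selected headers in the order received: [(name, value), ...]."""
    h = hashlib.sha256()
    for name, value in headers:
        if name.lower() in FP_HEADERS:
            h.update(f"{name.lower()}\0{value}\0".encode())
    return h.hexdigest()[:16]

class LoginThrottle:
    """Slows logins per (IP, fingerprint), with a looser cap for the whole IP."""
    def __init__(self, free=3, ip_free=20, base=1.0, max_delay=60.0, window=600.0):
        self.free, self.ip_free = free, ip_free
        self.base, self.max_delay, self.window = base, max_delay, window
        self._failures = defaultdict(list)  # key -> failure timestamps

    def _count(self, key, now):
        recent = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = recent
        return len(recent)

    def _delay(self, failures, free):
        if failures <= free:
            return 0.0
        # Exponent is capped so a long failure run cannot overflow the float.
        return min(self.max_delay, self.base * 2 ** min(failures - free - 1, 16))

    def record_failure(self, ip, headers, now):
        self._failures[(ip, header_fingerprint(headers))].append(now)
        self._failures[(ip, None)].append(now)

    def delay_for(self, ip, headers, now):
        """Seconds to delay this attempt; never a hard block."""
        per_client = self._delay(self._count((ip, header_fingerprint(headers)), now), self.free)
        # Fallback for a client that randomises its headers on every request.
        per_ip = self._delay(self._count((ip, None), now), self.ip_free)
        return max(per_client, per_ip)

# Constructed sample clients sharing one NAT address (documentation range).
NAT_IP = "203.0.113.7"
BROWSER = [("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"),
           ("Accept", "text/html"), ("Accept-Language", "en-GB")]
SCRIPT = [("Accept", "*/*"), ("User-Agent", "python-requests/2.32.0")]
```

Once the per-IP counter passes its threshold, every client behind that address is delayed, so `ip_free` sets how much header rotation is tolerated before legitimate users on the same address start to wait.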

You can get users' internal IP address even from the Internet by using HTML5 & WebRTC. You can check out the article Local IP discovery with HTML5 WebRTC: Security and privacy risk? for more information and try it on http://net.ipcalf.com/.

The website that serves the article seems down now. However, I think this article WebRTC Found Leaking Local IP Addresses can give some information too.


There isn't a non-spoofable method to my knowledge. If you already throttle the max amount of attempts to eight tries per minute with a one-minute time-out. A one-minute time-out is generally not considered annoying as long as you give enough information to the user.

Make sure to actively review these occurrences where there are suspected bruteforces from an IP address as it might be interesting to investigate who's trying to bruteforce you.