> What if the request is always sent from the same location?
Then you may get the same IP.
> What if when the user moves location, e.g., from one country to another, she updates her stored IP addresses?
It doesn't have to be a different country. Different ISPs with different peering may get different results. Moving between your home wifi and you phone tethering may get different results. So depending on your usage style, it's between "change multiple times a day" and "no change".
> Personal experience as a user is that when it is an "intended" change, the previous IP address no longer hosts the content.
In some cases I'm sure it's true. In others, it isn't. Basically it's not a reliable indicator.
> If this was a BGP hijack, why did the hijackers target the IP addresses of DNS servers, rather than the target IP addresses of the websites?
Haven't seen the site's announced block, but it's possible that it's announced as /24 block. This attack was possible because Amazon announced /23 and the attacker could announce something more specific.
Then you may get the same IP.
> What if when the user moves location, e.g., from one country to another, she updates her stored IP addresses?
It doesn't have to be a different country. Different ISPs with different peering may get different results. Moving between your home wifi and you phone tethering may get different results. So depending on your usage style, it's between "change multiple times a day" and "no change".
> Personal experience as a user is that when it is an "intended" change, the previous IP address no longer hosts the content.
In some cases I'm sure it's true. In others, it isn't. Basically it's not a reliable indicator.
> If this was a BGP hijack, why did the hijackers target the IP addresses of DNS servers, rather than the target IP addresses of the websites?
Haven't seen the site's announced block, but it's possible that it's announced as /24 block. This attack was possible because Amazon announced /23 and the attacker could announce something more specific.