Well, for one, they could fingerprint your browser: https://panopticlick.eff.org/

Yes and no. In my tests with live traffic (fingerprint,ip) tuple was as good as standard tracking cookie. Sometimes even better because I could match "incognito" modes as well. This was however only for desktop browsers. Mobile has much higher conformity and yielded mostly false positives.

YMMV of course but for my purposes it was not worth it.

I imagine ipv6 would drastically reduce the chance of false positives for collisions.

Yes and No. The client could hop over a bunch of ip6-addresses, since there would be an abundance of them.

Used to work in paywalls (think New Yorker), we used both Supercookies and Fingerprinting.

Most good paywalls that support metering will now use some kind of fingerprinting at a minimum.

Follow the link if you haven't already. You'd be surprised how unique the "standard configuration" is. For example, my desktop PC with a fresh install of Firefox is unique among the data that site has collected.

by IP address may be good enough per session and each session could be tied to per more persistent IDs in cooperation with the sites embedding the ads, e.g. via the javascript loading some parts of the ads. So even if you block cookies to the ad network's domain they could still store cookies on any site that embeds their JS directly.