@jart: You could log referer header maybe, or user agent?
femboy.cat is sending HTTP requests from nearly every corner of the Earth.
I've been using https://seclists.org/nanog/ since the switch and it's so much better.
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
https://github.com/search?q=https%3A%2F%2Fipv4.games%2Fclaim...
NO 1 must be doing a similar thing.
Other attempts: https://github.com/search?q=ipv4.games%2Fclaim&type=code
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
It could also be as simple as an ad network femboy works at.
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
They’re avoiding the easy answers because they want people talking about it and I think they’re afraid of the real answer. Contests like this attract a lot of bad behavior.
<img src="https:////ipv4.games/claim?name=femboy.cat" hidden>
* https://isc.sans.edu/diary/31136
However, at least one person thinks that it is a bug in the X-Forwarded-For handling code,
* https://biggo.com/news/202508070812_IPv4_Games_Header_Exploi...
which, contrary to the headlined NANOG mailing list thread, is being parsed, as we can see:
* https://github.com/jart/cosmopolitan/blob/master/net/turfwar...
* https://justine.lol/threads/
I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.
curl -H 'X-Forwarded-For: 6.0.0.1' http://ipv4.games/claim/lool
you could also do like a resources lookup maybe in some games if you host the server (resources then being looked up on the client). games are full of weird design choices for performance, some can be abused. .another avenue is ads linking to different resources via scripts, maybe some smaller players still allows it.
also there are (gray are) businesses who offer residential proxies for things like scraping (sales lead generation companies oftenuse such services for example). so you could likely pay your way to millions of ips, relatively cheap if ud do only 1 request over each
ludwik•5mo ago
treve•5mo ago
But the title here is totally misleading because it sure sounds like someone took control of 9% of the ipv4 address space but the actual post starts with context.
karel-3d•5mo ago
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not a ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
bakugo•5mo ago
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
Onavo•5mo ago
LunaSea•5mo ago
This would make it possible to have thousands of impressions for relatively low amounts of money.
nicomt•5mo ago
https://github.com/search?q=ipv4.games%2Fclaim&type=code&p=1
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
ludwik•5mo ago
nicomt•5mo ago
https://www.guptamedia.com/social-media-ads-cost
cj•5mo ago
reactordev•5mo ago
The number of times my browser has been hijacked from their ad network is numerous.
Odds are, the culprit owns some IP that is running on 20M devices. Whether it's a mobile game. A bot net. An ad. Or some other script/service that allows other machines to make the request on his/her behalf.
chmod775•5mo ago
schmichael•5mo ago
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
Retr0id•5mo ago
motbus3•5mo ago
For this test to be valid it would need to do much more than just that I think