https://isc.sans.edu/diary/31136
You say this person is a developer, and it appears all it takes to claim an IP is to hit a link to a 1x1 pixel image from that IP. Is it possible this person has embedded their URL in software that’s used on many sites (i.e. a CMS or popular plugin for a CMS) or possibly has compromised some high traffic website(s) and quietly embedded their URL without disturbing anything else that would make the compromise apparent to the site owners? It’s been a while since I’ve had firsthand experience with this, but I know the latter used to happen with some frequency (website is hacked and the owners are oblivious), and I assume it still does.

Sent from my iPhone

> On Aug 16, 2025, at 5:36 AM, Justine Tunney via NANOG <[email protected]> wrote:
>
> The server gets the IP address from the accept4() system call. It ignores
> HTTP headers (e.g. x-forwarded-for) when determining the IP.
>
> It's possible to claim IPs by embedding <img
> src="//ipv4.games/claim?name=jart"> on a web page. My web server will
> notice the Accept header wants an image and will serve a 1x1 transparent
> gif rather than an html response. That's how I play the game:
> https://justine.lol/
>
> The whales normally don't do this. They usually have something like a Go or
> Python script which sends bare minimal HTTP requests.
>
>> On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <[email protected]> wrote:
>>
>> Couldn't they just ensure that some popular pages that people visit
>> have a link to the claim?
>>
>> You're not telling much how the ipv4.games works or what the requests
>> are like which makes it quite hard to speculate.
>>
>> In the headers, do you see various user agents being used, and various
>> formatting and permutations of options?
>>
>>> On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG
>>> <[email protected]> wrote:
>>>
>>> I operate an online service at https://ipv4.games/ that invites people to
>>> send http requests to my web server from a lot of different IP addresses.
>>> In order to claim an IP, you need to successfully make a tcp three-way
>>> handshake with a VM on Google's network.
>>>
>>> Somehow a player in Europe named femboy.cat has successfully managed to
>>> claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
>>>
>>> Does anyone have any idea how they're doing it?
>>>
>>> Would anyone here be willing to be their North American rival?
>>> _______________________________________________
>>> NANOG mailing list
>>> https://lists.nanog.org/archives/list/[email protected]/message/MMCCEQKA4UPGGWFWEBWLYKHTYCAOQIZS/
>>
>> --
>> ++ytti
>>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/PN6RSJUQ2QM6ZHGAZWSVCCEOFTK3UW7N/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/O5KFWOO7LQMKNWUVZQOUUSZPR22AIHRY/
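
As an added illustration, not code from any poster in this thread or from ipv4.games: a minimal Python sketch of the server behaviour described in the quoted message, where the claimed IP is the accepted socket's peer address, x-forwarded-for is ignored, and the Accept header selects a GIF or an HTML response. The function names, the first-media-type heuristic and the sample requests (documentation-range addresses) are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an <img> embed as a browser might send it, with a spoofed header.
EMBED_REQUEST = (b"GET /claim?name=jart HTTP/1.1\r\nHost: ipv4.games\r\n"
                 b"Accept: image/avif,image/webp,image/*,*/*;q=0.8\r\n"
                 b"X-Forwarded-For: 192.0.2.1\r\n\r\n")
# Constructed sample: a bare minimal request such as a script would send.
SCRIPT_REQUEST = b"GET /claim?name=jart HTTP/1.1\r\nHost: ipv4.games\r\n\r\n"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def prefers_image(accept: str) -> bool:
    # Assumption: an image fetch lists an image/* type first; a page
    # navigation lists text/html first even though it also accepts images.
    first = accept.split(",", 1)[0].split(";", 1)[0].strip().lower()
    return first.startswith("image/")

def handle_claim(peer_addr, raw: bytes):
    """peer_addr is the (ip, port) pair returned by socket.accept()."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    if method != "GET" or url.path != "/claim":
        return None
    is_image = prefers_image(headers.get("accept", ""))
    return {
        # Only the TCP peer counts: it completed a three-way handshake.
        "claimed_ip": peer_addr[0],
        "name": parse_qs(url.query).get("name", [""])[0],
        # Recorded for logging only; never used to decide the claim.
        "ignored_xff": headers.get("x-forwarded-for"),
        "content_type": "image/gif" if is_image else "text/html",
    }

if __name__ == "__main__":
    print(handle_claim(("203.0.113.7", 51234), EMBED_REQUEST))
    print(handle_claim(("198.51.100.9", 40000), SCRIPT_REQUEST))
```
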
