I believe that exploiting the game is the intent of the game, not a bug. Can you explain why you think there's a problem? I believe this email thread is merely a matter of curiosity - nobody is asking how to fix a problem.

As for URL spam: the risk to payoff isn't there. Winning the game takes a serious effort that nobody would go through just to put some spam link on this website only.


On 16/08/25 23:29, Dan Mahoney via NANOG wrote:
*sigh*

Short answer: OP did not put a game on the internet, they put a poorly coded 
CTF sandbox that does no input verification (doesn’t check referrers, doesn’t 
look at the http user-agent, doesn’t require login, doesn’t check cookies, 
doesn’t have a nonce in the form that’s checked) and invites people to gamify 
it, and even now seems not to understand the problem and why this is an issue.  
A few bored developers who understand HTTP and HTML forms way better than OP 
found it, and OP is inviting more people to do the same things rather than 
fixing his “game”.

So this site is now like every old open PHPBB or gallery2 install, where people 
can pump url’s in for SEO spam, or even better, some good old fashioned XSS.  
The site automatically turns things that look like domain names into links.  
Shall we wait for a user to put the name of some crypto miner domain in there?  
Or embedded javascript?  Or a malware site?

SANS Internet Storm Center cited it as an open proxy search tool in 2024.
https://isc.sans.edu/diary/31136

-Dan
(opinions are my own)

On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <[email protected]> wrote:

hey,

She's a European developer. So I doubt she's burning money out of pocket on 
cloud like we do in the US.
Well, the ad impressions cost minute amounts of money and given the 12.9M 
requests it's probably not even that expensive. This can also be piggybacked onto 
some real ad.

APNIC runs their IPv6 measurement using similar tricks and they get a lot more 
impressions. I don't think their cost numbers have been published anywhere but 
feel free to dig deeper.

--
tarko
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/Z2DZHRSZI5FCGSUUM6E2RKXVFR6SKVFN/
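Dan's message describes two defects in the site: a form with no session-bound nonce, so anything that can speak HTTP can submit, and an auto-linkifier that turns anything looking like a domain name into a clickable link on a page other users see. The following is an added example, not code from the site or from anyone in this thread, of how the defending side handles both: the linkifier HTML-escapes every byte of user text, only emits http/https targets, and marks links rel="nofollow ugc" so there is no SEO payoff; the form token is an HMAC over the session id so a submission without a valid session cannot forge one. The regex, the secret, and the session id are constructed for the example.

```python
import hmac
import html
import re

# Constructed pattern: full http(s) URLs, or bare domain names such as "evil.example".
_LINK_RE = re.compile(
    r"(?P<url>https?://[^\s<>\"']+)"
    r"|(?P<domain>\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b)",
    re.IGNORECASE,
)


def linkify(text: str) -> str:
    """Turn domain names in untrusted text into links without introducing XSS.

    Text outside matches is escaped; the href is rebuilt from the match so only
    http/https targets can appear; rel="nofollow ugc noopener" removes the SEO
    incentive and the window.opener channel.
    """
    out = []
    pos = 0
    for m in _LINK_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        raw = m.group(0)
        href = raw if m.group("url") else "http://" + raw
        out.append(
            '<a href="%s" rel="nofollow ugc noopener">%s</a>'
            % (html.escape(href, quote=True), html.escape(raw))
        )
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def make_form_token(server_secret: bytes, session_id: str) -> str:
    """Nonce embedded in the form: an HMAC of the caller's session id.

    It can only be produced by the server, and only for an existing session,
    so a scripted POST with no session (or a stolen token from another
    session) fails the check below.
    """
    return hmac.new(server_secret, session_id.encode(), "sha256").hexdigest()


def form_token_valid(server_secret: bytes, session_id: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted nonce against the expected one."""
    expected = make_form_token(server_secret, session_id)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed inputs: a harmless-looking domain and a classic injection attempt.
    print(linkify("see evil.example now"))
    print(linkify("<img src=x onerror=alert(1)>"))
    secret = b"constructed-server-secret"
    token = make_form_token(secret, "session-A")
    print(form_token_valid(secret, "session-A", token))   # True
    print(form_token_valid(secret, "session-B", token))   # False
```

The markup payload in the second call never reaches the page as markup: the regex does not match it, so it is escaped wholesale. A domain that does match becomes a link whose href is built by the server, not copied from the input, which is what keeps javascript: and similar schemes out.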