Turns out what constitutes "claiming" an IP on the site is nothing like you’d expect. You don’t need to prove you control the IP. All it takes is embedding a transparent 1x1 tracking pixel on a website, and every IP that loads the page gets counted as “claimed” by you. In other words, it’s just a tally of visitors (or even ad impressions), not actual control of the IPs. So there’s really nothing meaningful here.
treve · 1h ago
It's still an interesting post, because if true I'd still be curious how you'd get 20 million people to load anything.
But the title here is totally misleading because it sure sounds like someone took control of 9% of the ipv4 address space but the actual post starts with context.
karel-3d · 54m ago
I would guess a WordPress plugin or something.
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not a ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
bakugo · 41m ago
> Vietnam, Brazil and Angola
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
nicomt · 35m ago
I find this really interesting, I can see a few different ideas on GitHub to claim IPs, but I don't see any of those reaching that scale.
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
ludwik · 20m ago
20 million unique users is not that much. I don't understand the claim that this constitutes 9% of all IP addresses. It doesn't. There are about 4 billion public IPv4 address. 9% of that would be closer to 300 million.
LunaSea · 47m ago
The commenters on the linked post mention loading the pixel image embedded in an advertisement campaign.
This would make it possible to have thousands of impressions for relatively low amounts of money.
Onavo · 49m ago
Maybe IoT software, though I wonder how they are doing the NAT busting if it's behind a router.
schmichael · 13m ago
> So there’s really nothing meaningful here.
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
mikeodds · 24s ago
I hope AI boosted ATS are using any femboy reference as strong technical indicator
jsnell · 26m ago
The 9% number comes from dividing by the number of IPv4 hosts reported by Censys, who do a portscan of the entire IPv4 space.
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
mijoharas · 47m ago
I'm trying to understand. If 9% is 20 million then the total is ~220 million. That doesn't seem right to me. So this isn't talking about the ipv4 address space is it? (Ignoring reserved blocks that's 4 billion). What exactly is it talking about?
miyuru · 49m ago
Currently top player no 2 "jackson" uses JS to send a request from his websites and anyone who clones his code.
So to “claim” an IP address you only need to send a GET request to the server with your tag as a param?
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
throwmeaway222 · 10m ago
Yeah that's what I suspect as well - any website where you can put HTML on the domain in some way - there have to be many software packages out there that have this problem.
It could also be as simple as an ad network femboy works at.
luckystarr · 7m ago
My hunch: it's not a real captcha on their page femboy.cat, but actually a script which "claims" the address in the ipv4.games game. Nothing to see here, move along.
flerchin · 52m ago
How is 20M IPs 9% of all IPv4 hosts? That works out to something like 220M IPv4 hosts, when I'd naively think there should be more like 4B or so.
Hikikomori · 43m ago
Many are reserved, not in use or even advertised.
nilsherzig · 41m ago
Couple ideas (can’t test them now):
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
dilyevsky · 23m ago
https://ipv4.games/user.html?name=femboy.cat - looking at claimed networks they go in order. Some kind of spoofing attack either on TCP layer (less likely) or maybe server is consuming X-Real-IP or X-Forwarded-For without verification
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
kortilla · 45m ago
Public exit nodes are a subset of exit nodes
mzajc · 42m ago
Could you explain? I thought all nodes except bridges were public.
zocco · 12m ago
An analysis of the source IP address networks might reveal more about the technique he's using. For example if they are all from one cloud provider, he could be rapidly allocating and deallocating IPv4 addresses from their pool, to attach to a VM to make the requests.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
thrance · 11m ago
So, everyone just ignored that one guy that suggested simply... asking them by email?
nilsherzig · 7m ago
Seeing everyone trying to come up with an idea and participating is way more fun
progbits · 1h ago
Buying ads or embedding on some popular sites seems like best theory.
@jart: You could log referer header maybe, or user agent?
g-mork · 26m ago
One person was able to claim 9% of all HN clickthroughs
Thaxll · 28m ago
Would be interesting to log the referer.
No comments yet
TZubiri · 22m ago
If the shared proxy addresses hypothesis is correct, this would single handedly make for a great ip blacklist
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.
But the title here is totally misleading because it sure sounds like someone took control of 9% of the ipv4 address space but the actual post starts with context.
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not a ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
https://github.com/search?q=ipv4.games%2Fclaim&type=code&p=1
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
This would make it possible to have thousands of impressions for relatively low amounts of money.
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
https://github.com/search?q=https%3A%2F%2Fipv4.games%2Fclaim...
NO 1 must be doing a similar thing.
Other attempts: https://github.com/search?q=ipv4.games%2Fclaim&type=code
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
It could also be as simple as an ad network femboy works at.
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
@jart: You could log referer header maybe, or user agent?
No comments yet
I've been using https://seclists.org/nanog/ since the switch and it's so much better.
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.