*sigh* Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”. So this site is now like every old open PHPBB or gallery2 install, where people can pump url’s in for SEO spam, or even better, some good old fashioned XSS. The site automatically turns things that look like domain names into links. Shall we wait for a user to put the name of some crypto miner domain in there? Or embedded javascript? Or a malware site? Sans Internet Storm Center cited it as an open proxy search tool in 2024. https://isc.sans.edu/diary/31136 -Dan (opinions are my own)
On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- tarko _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/Z2DZHRSZ...