I'm happy to consider any proposal that'll make the game more fun. Please note I like the fact that the rules are simple to understand. There's also no such thing as a cheap move. So far, we've only disallowed tricks when they prevent the game from being fun. For example, back when we used Cloudflare for DDOS protection, one player was smart enough to realize he could claim 240.0.0.0/4 (the IPv4 addresses reserved for future use) because cloudflare used those IPs to proxy IPv6 IIRC. We allowed it, in recognition for his cleverness. But when he found a way to spoof any IP through Cloudflare, I had to delete him from the database and implement my own better DDOS protection from scratch. I don't think your claims about SEO and XSS have merit. IPv4 Games allows users to pick usernames that look like URLs, but if you click on them, they don't actually go to the user's website. You'd've understood this if you'd looked more closely. Advanced players also understand that bigger isn't always better and that not all subnets are created equal. So far I'm the only person who's managed to claim a /8 owned by the Department of Defense. I also control Apple's class A subnet. So one way we might reform the game is by introducing weightings. On Sat, Aug 16, 2025 at 2:30 PM Dan Mahoney via NANOG <nanog@lists.nanog.org> wrote:
*sigh*
Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”.
So this site is now like every old open PHPBB or gallery2 install, where people can pump url’s in for SEO spam, or even better, some good old fashioned XSS. The site automatically turns things that look like domain names into links. Shall we wait for a user to put the name of some crypto miner domain in there? Or embedded javascript? Or a malware site?
Sans Internet Storm Center cited it as an open proxy search tool in 2024. https://isc.sans.edu/diary/31136
-Dan (opinions are my own)
On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- tarko _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/Z2DZHRSZ...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/6JTP3IO7...