I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network. Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys. Does anyone have any idea how they're doing it? Would anyone here be willing to be their North American rival?
Am 15.08.2025 um 23:11:00 Uhr schrieb Justine Tunney via NANOG:
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
TOR, proxy services, cloud services. The latter sometimes provide IP addresses as an hourly rentable service. Maybe also a botnet. -- Gruß Marco Send unsolicited bulk mail to 1755292260muell@cartoonies.org
There are currently 13'797 Tor exit nodes <https://www.dan.me.uk/tornodes>. So even if she somehow managed to hit each one, that would only account for 0.067% of her claims. I've been operating the IPv4 Games for three years, and I've never seen anything like it. All I know about her is that she's probably from Germany judging by the song on her homepage. America won the war. America invented the Internet. Now it looks like a new power is rising. What network operator in North America has the strength and willpower to challenge her dominance of the IPv4 address space? On Fri, Aug 15, 2025 at 11:21 PM Marco Moock via NANOG < nanog@lists.nanog.org> wrote:
Am 15.08.2025 um 23:11:00 Uhr schrieb Justine Tunney via NANOG:
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
TOR, proxy services, cloud services. The latter sometimes provide IP addresses as an hourly rentable service.
Maybe also a botnet.
-- Gruß Marco
Send unsolicited bulk mail to 1755292260muell@cartoonies.org _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ON7VEDSZ...
On Aug 15, 2025, at 23:11, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Strongly suggest you run a TCPDump on that VM -Dan
Couldn't they just ensure that some popular pages that people visit have a link to the claim? You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate. In the headers, do you see various user agents being used, and various formatting and permutations of options? On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
The server gets the IP address from the accept4() system call. It ignores HTTP headers (e.g. x-forwarded-for) when determining the IP. It's possible to claim IPs by embedding <img src="//ipv4.games/claim?name=jart"> on a web page. My web server will notice the Accept header wants an image and will serve a 1x1 transparent gif rather than an html response. That's how I play the game: https://justine.lol/ The whales normally don't do this. They usually have something like a Go or Python script which sends bare minimal HTTP requests. On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <saku@ytti.fi> wrote:
Couldn't they just ensure that some popular pages that people visit have a link to the claim?
You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate.
In the headers, do you see various user agents being used, and various formatting and permutations of options?
On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people
to
send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
Quickly becomes a game of who-has-biggest-wallet.
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US. On Sat, Aug 16, 2025 at 2:39 AM Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD. APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper. -- tarko
Why don't we... ask? femboy.cat is an actual domain which advertises a contact email root@genderfluid.cat - it's very likely it's the same person. On 16/08/2025 11:34, Tarko Tikan via NANOG wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- www: grg.pw email: me@grg.pw mobile: +44 7716 604314 / +39 393 1049073
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
Exactly this. Absolutely trivial to do, and easily done with $XXX free Adwords coupons that are simple to get. On Sat, Aug 16, 2025 at 5:39 AM Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
That's a great idea Tom. It's well-suited as a group activity, since multiple people here can sign up for free ad credits, and then all deploy the URL https://ipv4.games/claim?name=nanog or https://ipv4.games/claim/nanog so this group receives credit on the IPv4 Games site. Although you'd have to give an ELI5 explanation on what to do, for those of us who aren't familiar with advertising. On Sat, Aug 16, 2025 at 5:24 AM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
Exactly this.
Absolutely trivial to do, and easily done with $XXX free Adwords coupons that are simple to get.
On Sat, Aug 16, 2025 at 5:39 AM Tarko Tikan via NANOG < nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/RTWHWU7T...
I'm not suggesting that this community participate or anything. I'm just explaining how this person likely accessed your web server with so many different IPs. 1. Open Google Ads account, use coupons for free credits, or fund with real money. 2. Create an ad that is just a single tracking pixel with a HTTP GET of the URL on your website that is used to claim IPs, tallied to give a specific user credit. 3. Start the ad campaign. Every time Google displays your ad to someone anywhere, *that machine* makes that HTTP GET in the background, so the specified user gets credit for it. Good luck with your game. On Sat, Aug 16, 2025 at 9:10 AM Justine Tunney <jtunney@gmail.com> wrote:
That's a great idea Tom. It's well-suited as a group activity, since multiple people here can sign up for free ad credits, and then all deploy the URL https://ipv4.games/claim?name=nanog or https://ipv4.games/claim/nanog so this group receives credit on the IPv4 Games site. Although you'd have to give an ELI5 explanation on what to do, for those of us who aren't familiar with advertising.
On Sat, Aug 16, 2025 at 5:24 AM Tom Beecher via NANOG < nanog@lists.nanog.org> wrote:
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
Exactly this.
Absolutely trivial to do, and easily done with $XXX free Adwords coupons that are simple to get.
On Sat, Aug 16, 2025 at 5:39 AM Tarko Tikan via NANOG < nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/RTWHWU7T...
On 8/16/25 09:10, Justine Tunney via NANOG wrote:
That's a great idea Tom. It's well-suited as a group activity, since multiple people here can sign up for free ad credits, and then all deploy the URLhttps://ipv4.games/claim?name=nanog or https://ipv4.games/claim/nanog so this group receives credit on the IPv4 Games site. Although you'd have to give an ELI5 explanation on what to do, for those of us who aren't familiar with advertising.
I'm not sure the NANOG community will play given the lack of IPv6 support. :-) -- Bryan Fields 727-409-1194 - Voice http://bryanfields.net
https://isc.sans.edu/diary/31136 You say this person is a developer, and it appears all it takes to claim an IP is to hit a link to a 1x1 pixel image from that IP. Is it possible this person has embedded their URL in software that’s used on many sites (i.e. a CMS or popular plugin for a CMS) or possibly has compromised some high traffic website(s) and quietly embedded their URL without disturbing anything else that would make the compromise apparent to the site owners? It’s been a while since I’ve had firsthand experience with this, but I know the latter used to happen with some frequency (website is hacked and the owners are oblivious), and I assume it still does. Sent from my iPhone
On Aug 16, 2025, at 5:36 AM, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
The server gets the IP address from the accept4() system call. It ignores HTTP headers (e.g. x-forwarded-for) when determining the IP.
It's possible to claim IPs by embedding <img src="//ipv4.games/claim?name=jart"> on a web page. My web server will notice the Accept header wants an image and will serve a 1x1 transparent gif rather than an html response. That's how I play the game: https://justine.lol/
The whales normally don't do this. They usually have something like a Go or Python script which sends bare minimal HTTP requests.
On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <saku@ytti.fi> wrote:
Couldn't they just ensure that some popular pages that people visit have a link to the claim?
You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate.
In the headers, do you see various user agents being used, and various formatting and permutations of options?
On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PN6RSJUQ...
It still happens. And it used to be ubiquitous, so any old pages that get copied and republished is broadcasting its title pixel.
On Aug 16, 2025, at 9:04 AM, Jon Lewis via NANOG <nanog@lists.nanog.org> wrote:
https://isc.sans.edu/diary/31136
You say this person is a developer, and it appears all it takes to claim an IP is to hit a link to a 1x1 pixel image from that IP. Is it possible this person has embedded their URL in software that’s used on many sites (i.e. a CMS or popular plugin for a CMS) or possibly has compromised some high traffic website(s) and quietly embedded their URL without disturbing anything else that would make the compromise apparent to the site owners? It’s been a while since I’ve had firsthand experience with this, but I know the latter used to happen with some frequency (website is hacked and the owners are oblivious), and I assume it still does.
Sent from my iPhone
On Aug 16, 2025, at 5:36 AM, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
The server gets the IP address from the accept4() system call. It ignores HTTP headers (e.g. x-forwarded-for) when determining the IP.
It's possible to claim IPs by embedding <img src="//ipv4.games/claim?name=jart"> on a web page. My web server will notice the Accept header wants an image and will serve a 1x1 transparent gif rather than an html response. That's how I play the game: https://justine.lol/
The whales normally don't do this. They usually have something like a Go or Python script which sends bare minimal HTTP requests.
On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <saku@ytti.fi> wrote:
Couldn't they just ensure that some popular pages that people visit have a link to the claim?
You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate.
In the headers, do you see various user agents being used, and various formatting and permutations of options?
On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PN6RSJUQ...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/O5KFWOO7...
Residential proxies. One can lookup the IP address on spur.us/context/<ip> and see they are a part of a number of proxy networks.
Do we know how long it took to claim 20 million IPs? Time span could be a clue. How much spam would one need to send, including the <img...> import, to generate that many hits? Especially with the current spam filters? I like the AD impression guess too. Or the very popular website... But again, knowing the timeline would help us figure this out. As a reference, how long would it take Google to generate hits from 20 million IPs with the <img...> inclusion on the main page?
Justine, I'd be more curious about user jackson. If you have time series data for when blocks were claimed by a particular user, it would be useful to share a link to them. I'd like to correlate when address claims were made from some of the more unusual blocks with BGP advertisement data to see if there were brief periods of BGP advertisements of less specific covering routes. As a side note, if you've signed up on various platforms as a non-profit entity, you get some amount of free advertising dollars to spend, up to about $10,000/month in free advertising, so you could get pretty far without having to spend your own money in an effort like this. But that's only going to get you reach from IP space that has general-purpose eyeballs on it. The netblocks that don't generally contain eyeballs networks are the more interesting ones, because those you can't simply spend free advertising dollars to get coverage on. Those would be the ones where I'd start to suspect someone might be briefly originating a less specific route, doing a flurry of GET requests, then dropping the less specific route, to gain coverage hits from more unusual blocks of addresses. Thanks! Matt On Fri, Aug 15, 2025 at 11:14 PM Justine Tunney via NANOG < nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
I concur on the use of residential proxies. I have observed a couple of instances of machines contacting femboy.cat's URL, and in both cases 1) the User-Agent was Go-http-client/1.1, suggesting that the traffic did not originate from web browsing (e.g. web ads) 2) the machines where hosting at least one proxyware (Pawns.app, Grass.io, infatica-sdk.io...) Not conclusive, but that bolsters the resip hypothesis.
*sigh* Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”. So this site is now like every old open PHPBB or gallery2 install, where people can pump url’s in for SEO spam, or even better, some good old fashioned XSS. The site automatically turns things that look like domain names into links. Shall we wait for a user to put the name of some crypto miner domain in there? Or embedded javascript? Or a malware site? Sans Internet Storm Center cited it as an open proxy search tool in 2024. https://isc.sans.edu/diary/31136 -Dan (opinions are my own)
On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- tarko _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/Z2DZHRSZ...
On Aug 16, 2025, at 14:29, Dan Mahoney <danm@prime.gushi.org> wrote:
*sigh*
Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”.
One important edit to this: I did not mean to misgender or mispronoun, I meant to use more neutral terms and missed the possesive at the end. If I did, I apologize. -Dan
Definitely residential proxies. Took me less than minute to hit 5k IPs and didn't even cost me a penny. #1 in the last day is 3million IPs, the real difficulty in beating that at this point is that most of that most of the IPs in the big pools have probably been claimed already.
I believe that exploiting the game is the intent of the game, not a bug. Can you explain why you think there's a problem? I believe this email thread is merely a matter of curiosity - nobody is asking how to fix a problem. As for URL spam: the risk to payoff isn't there. Winning the game takes a serious effort that nobody would go through just to put some spam link on this website only. On 16/08/25 23:29, Dan Mahoney via NANOG wrote:
*sigh*
Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”.
So this site is now like every old open PHPBB or gallery2 install, where people can pump url’s in for SEO spam, or even better, some good old fashioned XSS. The site automatically turns things that look like domain names into links. Shall we wait for a user to put the name of some crypto miner domain in there? Or embedded javascript? Or a malware site?
Sans Internet Storm Center cited it as an open proxy search tool in 2024. https://isc.sans.edu/diary/31136
-Dan (opinions are my own)
On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US. Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- tarko _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/Z2DZHRSZ...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/6JTP3IO7...
I'm happy to consider any proposal that'll make the game more fun. Please note I like the fact that the rules are simple to understand. There's also no such thing as a cheap move. So far, we've only disallowed tricks when they prevent the game from being fun. For example, back when we used Cloudflare for DDOS protection, one player was smart enough to realize he could claim 240.0.0.0/4 (the IPv4 addresses reserved for future use) because cloudflare used those IPs to proxy IPv6 IIRC. We allowed it, in recognition for his cleverness. But when he found a way to spoof any IP through Cloudflare, I had to delete him from the database and implement my own better DDOS protection from scratch. I don't think your claims about SEO and XSS have merit. IPv4 Games allows users to pick usernames that look like URLs, but if you click on them, they don't actually go to the user's website. You'd've understood this if you'd looked more closely. Advanced players also understand that bigger isn't always better and that not all subnets are created equal. So far I'm the only person who's managed to claim a /8 owned by the Department of Defense. I also control Apple's class A subnet. So one way we might reform the game is by introducing weightings. On Sat, Aug 16, 2025 at 2:30 PM Dan Mahoney via NANOG <nanog@lists.nanog.org> wrote:
*sigh*
Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”.
So this site is now like every old open PHPBB or gallery2 install, where people can pump url’s in for SEO spam, or even better, some good old fashioned XSS. The site automatically turns things that look like domain names into links. Shall we wait for a user to put the name of some crypto miner domain in there? Or embedded javascript? Or a malware site?
Sans Internet Storm Center cited it as an open proxy search tool in 2024. https://isc.sans.edu/diary/31136
-Dan (opinions are my own)
On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- tarko _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/Z2DZHRSZ...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/6JTP3IO7...
No apology is needed. I checked and femboy cat is happy with any pronouns. The OP is happy with feminine or neutral pronouns. On Sat, Aug 16, 2025 at 2:32 PM Dan Mahoney via NANOG <nanog@lists.nanog.org> wrote:
On Aug 16, 2025, at 14:29, Dan Mahoney <danm@prime.gushi.org> wrote:
*sigh*
Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the http user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”.
One important edit to this: I did not mean to misgender or mispronoun, I meant to use more neutral terms and missed the possesive at the end. If I did, I apologize.
-Dan _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/B532GJYR...
participants (18)
-
Alex -
Bryan Fields -
charlesg@unixrealm.com -
Dan Mahoney -
Giorgio Bonfiglio -
gregclermont@gmail.com -
joe hess -
joe@dye.dev -
Jon Lewis -
Justine Tunney -
Marco Moock -
Matthew Petach -
nanog.awjac@notrack.8shield.net -
nanog@immibis.com -
plate.email@proton.me -
Saku Ytti -
Tarko Tikan -
Tom Beecher