I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network. Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys. Does anyone have any idea how they're doing it? Would anyone here be willing to be their North American rival?
Am 15.08.2025 um 23:11:00 Uhr schrieb Justine Tunney via NANOG:
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
TOR, proxy services, cloud services. The latter sometimes provide IP addresses as an hourly rentable service. Maybe also a botnet. -- Gruß Marco Send unsolicited bulk mail to 1755292260muell@cartoonies.org
There are currently 13'797 Tor exit nodes <https://www.dan.me.uk/tornodes>. So even if she somehow managed to hit each one, that would only account for 0.067% of her claims. I've been operating the IPv4 Games for three years, and I've never seen anything like it. All I know about her is that she's probably from Germany judging by the song on her homepage. America won the war. America invented the Internet. Now it looks like a new power is rising. What network operator in North America has the strength and willpower to challenge her dominance of the IPv4 address space? On Fri, Aug 15, 2025 at 11:21 PM Marco Moock via NANOG < nanog@lists.nanog.org> wrote:
Am 15.08.2025 um 23:11:00 Uhr schrieb Justine Tunney via NANOG:
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
TOR, proxy services, cloud services. The latter sometimes provide IP addresses as an hourly rentable service.
Maybe also a botnet.
-- Gruß Marco
Send unsolicited bulk mail to 1755292260muell@cartoonies.org _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ON7VEDSZ...
On Aug 15, 2025, at 23:11, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Strongly suggest you run a TCPDump on that VM -Dan
Couldn't they just ensure that some popular pages that people visit have a link to the claim? You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate. In the headers, do you see various user agents being used, and various formatting and permutations of options? On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
The server gets the IP address from the accept4() system call. It ignores HTTP headers (e.g. x-forwarded-for) when determining the IP. It's possible to claim IPs by embedding <img src="//ipv4.games/claim?name=jart"> on a web page. My web server will notice the Accept header wants an image and will serve a 1x1 transparent gif rather than an html response. That's how I play the game: https://justine.lol/ The whales normally don't do this. They usually have something like a Go or Python script which sends bare minimal HTTP requests. On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <saku@ytti.fi> wrote:
Couldn't they just ensure that some popular pages that people visit have a link to the claim?
You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate.
In the headers, do you see various user agents being used, and various formatting and permutations of options?
On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people
to
send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
Quickly becomes a game of who-has-biggest-wallet.
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US. On Sat, Aug 16, 2025 at 2:39 AM Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD. APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper. -- tarko
Why don't we... ask? femboy.cat is an actual domain which advertises a contact email root@genderfluid.cat - it's very likely it's the same person. On 16/08/2025 11:34, Tarko Tikan via NANOG wrote:
hey,
She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.
Well the AD impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be biggypacked to some real AD.
APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.
-- www: grg.pw email: me@grg.pw mobile: +44 7716 604314 / +39 393 1049073
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
Exactly this. Absolutely trivial to do, and easily done with $XXX free Adwords coupons that are simple to get. On Sat, Aug 16, 2025 at 5:39 AM Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
That's a great idea Tom. It's well-suited as a group activity, since multiple people here can sign up for free ad credits, and then all deploy the URL https://ipv4.games/claim?name=nanog or https://ipv4.games/claim/nanog so this group receives credit on the IPv4 Games site. Although you'd have to give an ELI5 explanation on what to do, for those of us who aren't familiar with advertising. On Sat, Aug 16, 2025 at 5:24 AM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
Exactly this.
Absolutely trivial to do, and easily done with $XXX free Adwords coupons that are simple to get.
On Sat, Aug 16, 2025 at 5:39 AM Tarko Tikan via NANOG < nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/RTWHWU7T...
I'm not suggesting that this community participate or anything. I'm just explaining how this person likely accessed your web server with so many different IPs. 1. Open Google Ads account, use coupons for free credits, or fund with real money. 2. Create an ad that is just a single tracking pixel with a HTTP GET of the URL on your website that is used to claim IPs, tallied to give a specific user credit. 3. Start the ad campaign. Every time Google displays your ad to someone anywhere, *that machine* makes that HTTP GET in the background, so the specified user gets credit for it. Good luck with your game. On Sat, Aug 16, 2025 at 9:10 AM Justine Tunney <jtunney@gmail.com> wrote:
That's a great idea Tom. It's well-suited as a group activity, since multiple people here can sign up for free ad credits, and then all deploy the URL https://ipv4.games/claim?name=nanog or https://ipv4.games/claim/nanog so this group receives credit on the IPv4 Games site. Although you'd have to give an ELI5 explanation on what to do, for those of us who aren't familiar with advertising.
On Sat, Aug 16, 2025 at 5:24 AM Tom Beecher via NANOG < nanog@lists.nanog.org> wrote:
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
Exactly this.
Absolutely trivial to do, and easily done with $XXX free Adwords coupons that are simple to get.
On Sat, Aug 16, 2025 at 5:39 AM Tarko Tikan via NANOG < nanog@lists.nanog.org> wrote:
hey,
Does anyone have any idea how they're doing it?
Buy web/app ads and embed your GET request as tracking pixel inside. Quickly becomes a game of who-has-biggest-wallet.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WA6VWXGE...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/RTWHWU7T...
On 8/16/25 09:10, Justine Tunney via NANOG wrote:
That's a great idea Tom. It's well-suited as a group activity, since multiple people here can sign up for free ad credits, and then all deploy the URLhttps://ipv4.games/claim?name=nanog or https://ipv4.games/claim/nanog so this group receives credit on the IPv4 Games site. Although you'd have to give an ELI5 explanation on what to do, for those of us who aren't familiar with advertising.
I'm not sure the NANOG community will play given the lack of IPv6 support. :-) -- Bryan Fields 727-409-1194 - Voice http://bryanfields.net
https://isc.sans.edu/diary/31136 You say this person is a developer, and it appears all it takes to claim an IP is to hit a link to a 1x1 pixel image from that IP. Is it possible this person has embedded their URL in software that’s used on many sites (i.e. a CMS or popular plugin for a CMS) or possibly has compromised some high traffic website(s) and quietly embedded their URL without disturbing anything else that would make the compromise apparent to the site owners? It’s been a while since I’ve had firsthand experience with this, but I know the latter used to happen with some frequency (website is hacked and the owners are oblivious), and I assume it still does. Sent from my iPhone
On Aug 16, 2025, at 5:36 AM, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
The server gets the IP address from the accept4() system call. It ignores HTTP headers (e.g. x-forwarded-for) when determining the IP.
It's possible to claim IPs by embedding <img src="//ipv4.games/claim?name=jart"> on a web page. My web server will notice the Accept header wants an image and will serve a 1x1 transparent gif rather than an html response. That's how I play the game: https://justine.lol/
The whales normally don't do this. They usually have something like a Go or Python script which sends bare minimal HTTP requests.
On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <saku@ytti.fi> wrote:
Couldn't they just ensure that some popular pages that people visit have a link to the claim?
You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate.
In the headers, do you see various user agents being used, and various formatting and permutations of options?
On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PN6RSJUQ...
It still happens. And it used to be ubiquitous, so any old pages that get copied and republished is broadcasting its title pixel.
On Aug 16, 2025, at 9:04 AM, Jon Lewis via NANOG <nanog@lists.nanog.org> wrote:
https://isc.sans.edu/diary/31136
You say this person is a developer, and it appears all it takes to claim an IP is to hit a link to a 1x1 pixel image from that IP. Is it possible this person has embedded their URL in software that’s used on many sites (i.e. a CMS or popular plugin for a CMS) or possibly has compromised some high traffic website(s) and quietly embedded their URL without disturbing anything else that would make the compromise apparent to the site owners? It’s been a while since I’ve had firsthand experience with this, but I know the latter used to happen with some frequency (website is hacked and the owners are oblivious), and I assume it still does.
Sent from my iPhone
On Aug 16, 2025, at 5:36 AM, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
The server gets the IP address from the accept4() system call. It ignores HTTP headers (e.g. x-forwarded-for) when determining the IP.
It's possible to claim IPs by embedding <img src="//ipv4.games/claim?name=jart"> on a web page. My web server will notice the Accept header wants an image and will serve a 1x1 transparent gif rather than an html response. That's how I play the game: https://justine.lol/
The whales normally don't do this. They usually have something like a Go or Python script which sends bare minimal HTTP requests.
On Sat, Aug 16, 2025 at 2:21 AM Saku Ytti <saku@ytti.fi> wrote:
Couldn't they just ensure that some popular pages that people visit have a link to the claim?
You're not telling much how the ipv4.games works or what the requests are like which makes it quite hard to speculate.
In the headers, do you see various user agents being used, and various formatting and permutations of options?
On Sat, 16 Aug 2025 at 09:15, Justine Tunney via NANOG <nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
-- ++ytti
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PN6RSJUQ...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/O5KFWOO7...
Residential proxies. One can lookup the IP address on spur.us/context/<ip> and see they are a part of a number of proxy networks.
Do we know how long it took to claim 20 million IPs? Time span could be a clue. How much spam would one need to send, including the <img...> import, to generate that many hits? Especially with the current spam filters? I like the AD impression guess too. Or the very popular website... But again, knowing the timeline would help us figure this out. As a reference, how long would it take Google to generate hits from 20 million IPs with the <img...> inclusion on the main page?
Justine, I'd be more curious about user jackson. If you have time series data for when blocks were claimed by a particular user, it would be useful to share a link to them. I'd like to correlate when address claims were made from some of the more unusual blocks with BGP advertisement data to see if there were brief periods of BGP advertisements of less specific covering routes. As a side note, if you've signed up on various platforms as a non-profit entity, you get some amount of free advertising dollars to spend, up to about $10,000/month in free advertising, so you could get pretty far without having to spend your own money in an effort like this. But that's only going to get you reach from IP space that has general-purpose eyeballs on it. The netblocks that don't generally contain eyeballs networks are the more interesting ones, because those you can't simply spend free advertising dollars to get coverage on. Those would be the ones where I'd start to suspect someone might be briefly originating a less specific route, doing a flurry of GET requests, then dropping the less specific route, to gain coverage hits from more unusual blocks of addresses. Thanks! Matt On Fri, Aug 15, 2025 at 11:14 PM Justine Tunney via NANOG < nanog@lists.nanog.org> wrote:
I operate an online service at https://ipv4.games/ that invites people to send http requests to my web server from a lot of different IP addresses. In order to claim an IP, you need to successfully make a tcp three-way handshake with a VM on Google's network.
Somehow a player in Europe named femboy.cat has successfully managed to claim 20 million IPs, which is 9% of all IPv4 hosts according to Censys.
Does anyone have any idea how they're doing it?
Would anyone here be willing to be their North American rival? _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MMCCEQKA...
participants (14)
-
Alex -
Bryan Fields -
charlesg@unixrealm.com -
Dan Mahoney -
Giorgio Bonfiglio -
joe hess -
Jon Lewis -
Justine Tunney -
Marco Moock -
Matthew Petach -
nanog.awjac@notrack.8shield.net -
Saku Ytti -
Tarko Tikan -
Tom Beecher