Turns out what constitutes "claiming" an IP on the site is nothing like you’d expect. You don’t need to prove you control the IP. All it takes is embedding a transparent 1x1 tracking pixel on a website, and every IP that loads the page gets counted as “claimed” by you. In other words, it’s just a tally of visitors (or even ad impressions), not actual control of the IPs. So there’s really nothing meaningful here.
It could be just reverse engineer how it works for one or few IPs and send all requests in the correct order mimicking what the server expects to see from a real claim.
For this test to be valid it would need to do much more than just that I think
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
I'm trying to understand. If 9% is 20 million then the total is ~220 million. That doesn't seem right to me. So this isn't talking about the ipv4 address space is it? (Ignoring reserved blocks that's 4 billion). What exactly is it talking about?
So to “claim” an IP address you only need to send a GET request to the server with your tag as a param?
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
The 9% number comes from dividing by the number of IPv4 hosts reported by Censys, who do a portscan of the entire IPv4 space.
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
https://ipv4.games/user.html?name=femboy.cat - looking at claimed networks they go in order. Some kind of spoofing attack either on TCP layer (less likely) or maybe server is consuming X-Real-IP or X-Forwarded-For without verification
An analysis of the source IP address networks might reveal more about the technique he's using. For example if they are all from one cloud provider, he could be rapidly allocating and deallocating IPv4 addresses from their pool, to attach to a VM to make the requests.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
My hunch: it's not a real captcha on their page femboy.cat, but actually a script which "claims" the address in the ipv4.games game. Nothing to see here, move along.
I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.
Can someone help me understand why that 'turfwar game' is in what otherwise seems to be what is meant to be a C library that people include in their projects? It doesnt seem to be automatically built as part of the project, but it still seems very odd to place it in a repo of a library that you want other people using instead of splitting it out to its own repo
I once thought of creating a cryptocoin where 1 initial coin would be handed out to whoever would be the first to claim each ip4 address. I think IP is too easy to spoof for that to work, but I still like the idea.
there are many ways to pretend to be an IP. that being said, things like 911S5 can show people can actually control that many machines, even though i suspect others comments about tracking pixels and such methods are likely more plausible.
you could also do like a resources lookup maybe in some games if you host the server (resources then being looked up on the client). games are full of weird design choices for performance, some can be abused.
.another avenue is ads linking to different resources via scripts, maybe some smaller players still allows it.
also there are (gray are) businesses who offer residential proxies for things like scraping (sales lead generation companies oftenuse such services for example). so you could likely pay your way to millions of ips, relatively cheap if ud do only 1 request over each
34 comments
[ 3.1 ms ] story [ 71.2 ms ] threadFor this test to be valid it would need to do much more than just that I think
@jart: You could log referer header maybe, or user agent?
https://x.com/JustineTunney/status/1957130925013442876
https://seclists.org/nanog/2025/Aug/260
I've been using https://seclists.org/nanog/ since the switch and it's so much better.
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
https://github.com/search?q=https%3A%2F%2Fipv4.games%2Fclaim...
NO 1 must be doing a similar thing.
Other attempts: https://github.com/search?q=ipv4.games%2Fclaim&type=code
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
* https://isc.sans.edu/diary/31136
However, at least one person thinks that it is a bug in the X-Forwarded-For handling code,
* https://biggo.com/news/202508070812_IPv4_Games_Header_Exploi...
which, contrary to the headlined NANOG mailing list thread, is being parsed, as we can see:
* https://github.com/jart/cosmopolitan/blob/master/net/turfwar...
* https://justine.lol/threads/
I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.
* https://portswigger.net/research/http1-must-die
* https://news.ycombinator.com/item?id=44915090
you could also do like a resources lookup maybe in some games if you host the server (resources then being looked up on the client). games are full of weird design choices for performance, some can be abused. .another avenue is ads linking to different resources via scripts, maybe some smaller players still allows it.
also there are (gray are) businesses who offer residential proxies for things like scraping (sales lead generation companies oftenuse such services for example). so you could likely pay your way to millions of ips, relatively cheap if ud do only 1 request over each