Turns out what constitutes "claiming" an IP on the site is nothing like you’d expect. You don’t need to prove you control the IP. All it takes is embedding a transparent 1x1 tracking pixel on a website, and every IP that loads the page gets counted as “claimed” by you. In other words, it’s just a tally of visitors (or even ad impressions), not actual control of the IPs. So there’s really nothing meaningful here.
It's still an interesting post, because if true I'd still be curious how you'd get 20 million people to load anything.
But the title here is totally misleading because it sure sounds like someone took control of 9% of the ipv4 address space but the actual post starts with context.
I would guess a WordPress plugin or something.
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not a ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
> Vietnam, Brazil and Angola
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
You can get 100 million people to load the 1x1 by adding it using javascript to an adsense ad you publish on Google...
The number of times my browser has been hijacked from their ad network is numerous.
Odds are, the culprit owns some IP that is running on 20M devices. Whether it's a mobile game. A bot net. An ad. Or some other script/service that allows other machines to make the request on his/her behalf.
If you run some random mid-sized web page with ~2 million monthly "unique" (by IP) visitors you'll get there very quickly.
I find this really interesting, I can see a few different ideas on GitHub to claim IPs, but I don't see any of those reaching that scale.
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
20 million unique users is not that much. I don't understand the claim that this constitutes 9% of all IP addresses. It doesn't. There are about 4 billion public IPv4 address. 9% of that would be closer to 300 million.
You're right, like others said in the comments the 9% in the comments is from total active hosts tracked by Censys (~231 million). But I still think it's challenging to have that much reach and unlikely to be an ad campaign. Using numbers from the website bellow the cost of getting 20 million impressions would be around $43,200 on the low-end for YouTube ads and can be much higher on different platforms. That is also assuming perfect efficiency were you we have exactly one impression per IP which is unlikely to be the case.
Is it reasonable to assume these aren’t 100% static IP addresses? If so, maybe there’s some double counting going on.
The commenters on the linked post mention loading the pixel image embedded in an advertisement campaign.
This would make it possible to have thousands of impressions for relatively low amounts of money.
Maybe IoT software, though I wonder how they are doing the NAT busting if it's behind a router.
> So there’s really nothing meaningful here.
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
It could be just reverse engineer how it works for one or few IPs and send all requests in the correct order mimicking what the server expects to see from a real claim.
For this test to be valid it would need to do much more than just that I think
I've considered putting a tracking pixel on my blog so I can turn frontpage HN traffic into ipv4.games points, but it feels a little rude
The idea that this is just exploitation of open proxy HTTP servers has been doing the rounds for a year, now.
I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.
Can someone help me understand why that 'turfwar game' is in what otherwise seems to be what is meant to be a C library that people include in their projects? It doesnt seem to be automatically built as part of the project, but it still seems very odd to place it in a repo of a library that you want other people using instead of splitting it out to its own repo
Considering femboy.cat is still making thousands of claims per minute, shouldn't the header spoofing theory be easy to check? Just run tcpdump on the server, get a few claimed IPs, and see if they made any TCP handshakes in the packet dump.
If it's so easy to fool the web server with a header, then why don't you try it.
Congratulations! You're the first person to claim the DoD's 6.x.x.x class a subnet.
The 9% number comes from dividing by the number of IPv4 hosts reported by Censys, who do a portscan of the entire IPv4 space.
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
Right, it's not even close to 9% of all IPv4 hosts.
With that method, it would be more honest to only include the IP addresses of hosts reported by Censys in the numerator as well as the denominator.
Currently top player no 2 "jackson" uses JS to send a request from his websites and anyone who clones his code.
I'm trying to understand. If 9% is 20 million then the total is ~220 million. That doesn't seem right to me. So this isn't talking about the ipv4 address space is it? (Ignoring reserved blocks that's 4 billion). What exactly is it talking about?
So to “claim” an IP address you only need to send a GET request to the server with your tag as a param?
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
Yeah that's what I suspect as well - any website where you can put HTML on the domain in some way - there have to be many software packages out there that have this problem.
It could also be as simple as an ad network femboy works at.
I think that might be the point. If you can get someone to load a 1x1 pixel image for you then you in some small way "own" their computer.
Couple ideas (can’t test them now):
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
How is 20M IPs 9% of all IPv4 hosts? That works out to something like 220M IPv4 hosts, when I'd naively think there should be more like 4B or so.
Yet they are still part of the “all ipv4” address space, so either the percentage is wrong or the use of “all” is a lie here.
No, it's hosts, something different from just all IPv4.
You're really confident about this, but I just can't find where hosts is different than addresses when we're talking about IPv4.
You see how you can have an IP address that is not assigned or used on something? So amount of IPv4 addresses > IPv4 hosts.
So, everyone just ignored that one guy that suggested simply... asking them by email?
Seeing everyone trying to come up with an idea and participating is way more fun
They could also just log some of the HTTP headers and check directly.
They’re avoiding the easy answers because they want people talking about it and I think they’re afraid of the real answer. Contests like this attract a lot of bad behavior.
Buying ads or embedding on some popular sites seems like best theory.
@jart: You could log referer header maybe, or user agent?
Wait how would they observe this? If not owner of the domain, and likely not owner of the client (random residential proxy)? Unless this is HTTP+MITM.
NANOG is the North American Network Operators Group.
femboy.cat is sending HTTP requests from nearly every corner of the Earth.
If the shared proxy addresses hypothesis is correct, this would single handedly make for a great ip blacklist
Not much value here to be honest... these lists already exist and for a couple quid you can get enough data on a residential proxy provider to scan their entire list of available IPs yourself.
that'd be the ips of 1 provider... For 20M IPs we are talking about most providers (including non residential)
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
Public exit nodes are a subset of exit nodes
Could you explain? I thought all nodes except bridges were public.
I once thought of creating a cryptocoin where 1 initial coin would be handed out to whoever would be the first to claim each ip4 address. I think IP is too easy to spoof for that to work, but I still like the idea.
An analysis of the source IP address networks might reveal more about the technique he's using. For example if they are all from one cloud provider, he could be rapidly allocating and deallocating IPv4 addresses from their pool, to attach to a VM to make the requests.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
I doubt a cloud provider would allow that, at some point you’d surely hit a rate limit or quota.
[deleted]
One person was able to claim 9% of all HN clickthroughs
https://ipv4.games/user.html?name=femboy.cat - looking at claimed networks they go in order. Some kind of spoofing attack either on TCP layer (less likely) or maybe server is consuming X-Real-IP or X-Forwarded-For without verification
The website sorts them.
oh yeah i didn't pay attention it's only small number of IPs and basically covers entire space because it's not grouped by actual BGP routes. Must be public proxies then
[deleted]
My hunch: it's not a real captcha on their page femboy.cat, but actually a script which "claims" the address in the ipv4.games game. Nothing to see here, move along.
Nothing so complicated. The HTML source of femboy.ca/ literally contains:
However, the question is why would this domain get 20 million distinct visitors (before being posted on Hacker News)?
Interesting. I looked up top 10 domains. I wonder if you could have it occur on wikipedia.org? Other random thoughts after looking at https://radar.cloudflare.com/domains... Maybe tiktok somehow? Or a bug in NTP? :D
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.
[deleted]
Subscribed to several residential proxies and claimed all IPs.
Turns out what constitutes "claiming" an IP on the site is nothing like you’d expect. You don’t need to prove you control the IP. All it takes is embedding a transparent 1x1 tracking pixel on a website, and every IP that loads the page gets counted as “claimed” by you. In other words, it’s just a tally of visitors (or even ad impressions), not actual control of the IPs. So there’s really nothing meaningful here.
It's still an interesting post, because if true I'd still be curious how you'd get 20 million people to load anything.
But the title here is totally misleading because it sure sounds like someone took control of 9% of the ipv4 address space but the actual post starts with context.
I would guess a WordPress plugin or something.
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not a ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
> Vietnam, Brazil and Angola
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
You can get 100 million people to load the 1x1 by adding it using javascript to an adsense ad you publish on Google...
The number of times my browser has been hijacked from their ad network is numerous.
Odds are, the culprit owns some IP that is running on 20M devices. Whether it's a mobile game. A bot net. An ad. Or some other script/service that allows other machines to make the request on his/her behalf.
If you run some random mid-sized web page with ~2 million monthly "unique" (by IP) visitors you'll get there very quickly.
I find this really interesting, I can see a few different ideas on GitHub to claim IPs, but I don't see any of those reaching that scale.
https://github.com/search?q=ipv4.games%2Fclaim&type=code&p=1
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
20 million unique users is not that much. I don't understand the claim that this constitutes 9% of all IP addresses. It doesn't. There are about 4 billion public IPv4 address. 9% of that would be closer to 300 million.
You're right, like others said in the comments the 9% in the comments is from total active hosts tracked by Censys (~231 million). But I still think it's challenging to have that much reach and unlikely to be an ad campaign. Using numbers from the website bellow the cost of getting 20 million impressions would be around $43,200 on the low-end for YouTube ads and can be much higher on different platforms. That is also assuming perfect efficiency were you we have exactly one impression per IP which is unlikely to be the case.
https://www.guptamedia.com/social-media-ads-cost
Is it reasonable to assume these aren’t 100% static IP addresses? If so, maybe there’s some double counting going on.
The commenters on the linked post mention loading the pixel image embedded in an advertisement campaign.
This would make it possible to have thousands of impressions for relatively low amounts of money.
Maybe IoT software, though I wonder how they are doing the NAT busting if it's behind a router.
> So there’s really nothing meaningful here.
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
It could be just reverse engineer how it works for one or few IPs and send all requests in the correct order mimicking what the server expects to see from a real claim.
For this test to be valid it would need to do much more than just that I think
I've considered putting a tracking pixel on my blog so I can turn frontpage HN traffic into ipv4.games points, but it feels a little rude
The idea that this is just exploitation of open proxy HTTP servers has been doing the rounds for a year, now.
* https://isc.sans.edu/diary/31136
However, at least one person thinks that it is a bug in the X-Forwarded-For handling code,
* https://biggo.com/news/202508070812_IPv4_Games_Header_Exploi...
which, contrary to the headlined NANOG mailing list thread, is being parsed, as we can see:
* https://github.com/jart/cosmopolitan/blob/master/net/turfwar...
* https://justine.lol/threads/
I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.
* https://portswigger.net/research/http1-must-die
* https://news.ycombinator.com/item?id=44915090
Can someone help me understand why that 'turfwar game' is in what otherwise seems to be what is meant to be a C library that people include in their projects? It doesnt seem to be automatically built as part of the project, but it still seems very odd to place it in a repo of a library that you want other people using instead of splitting it out to its own repo
Considering femboy.cat is still making thousands of claims per minute, shouldn't the header spoofing theory be easy to check? Just run tcpdump on the server, get a few claimed IPs, and see if they made any TCP handshakes in the packet dump.
If it's so easy to fool the web server with a header, then why don't you try it.
Congratulations! You're the first person to claim the DoD's 6.x.x.x class a subnet.The 9% number comes from dividing by the number of IPv4 hosts reported by Censys, who do a portscan of the entire IPv4 space.
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
Right, it's not even close to 9% of all IPv4 hosts.
With that method, it would be more honest to only include the IP addresses of hosts reported by Censys in the numerator as well as the denominator.
Currently top player no 2 "jackson" uses JS to send a request from his websites and anyone who clones his code.
https://github.com/search?q=https%3A%2F%2Fipv4.games%2Fclaim...
NO 1 must be doing a similar thing.
Other attempts: https://github.com/search?q=ipv4.games%2Fclaim&type=code
I'm trying to understand. If 9% is 20 million then the total is ~220 million. That doesn't seem right to me. So this isn't talking about the ipv4 address space is it? (Ignoring reserved blocks that's 4 billion). What exactly is it talking about?
See https://search.censys.io/
So to “claim” an IP address you only need to send a GET request to the server with your tag as a param?
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
Yeah that's what I suspect as well - any website where you can put HTML on the domain in some way - there have to be many software packages out there that have this problem.
It could also be as simple as an ad network femboy works at.
I think that might be the point. If you can get someone to load a 1x1 pixel image for you then you in some small way "own" their computer.
Couple ideas (can’t test them now):
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there a basically no „image claims“. So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
How is 20M IPs 9% of all IPv4 hosts? That works out to something like 220M IPv4 hosts, when I'd naively think there should be more like 4B or so.
See https://search.censys.io/
Many are reserved, not in use or even advertised.
Yet they are still part of the “all ipv4” address space, so either the percentage is wrong or the use of “all” is a lie here.
No, it's hosts, something different from just all IPv4.
You're really confident about this, but I just can't find where hosts is different than addresses when we're talking about IPv4.
You see how you can have an IP address that is not assigned or used on something? So amount of IPv4 addresses > IPv4 hosts.
So, everyone just ignored that one guy that suggested simply... asking them by email?
Seeing everyone trying to come up with an idea and participating is way more fun
They could also just log some of the HTTP headers and check directly.
They’re avoiding the easy answers because they want people talking about it and I think they’re afraid of the real answer. Contests like this attract a lot of bad behavior.
Buying ads or embedding on some popular sites seems like best theory.
@jart: You could log referer header maybe, or user agent?
It's Go-http-client/1.1
https://x.com/JustineTunney/status/1957130925013442876
https://seclists.org/nanog/2025/Aug/260
Wait how would they observe this? If not owner of the domain, and likely not owner of the client (random residential proxy)? Unless this is HTTP+MITM.
NANOG is the North American Network Operators Group.
femboy.cat is sending HTTP requests from nearly every corner of the Earth.
If the shared proxy addresses hypothesis is correct, this would single handedly make for a great ip blacklist
Not much value here to be honest... these lists already exist and for a couple quid you can get enough data on a residential proxy provider to scan their entire list of available IPs yourself.
that'd be the ips of 1 provider... For 20M IPs we are talking about most providers (including non residential)
> There are currently 13'797 Tor exit nodes <https://www.dan.me.uk/tornodes>
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
Public exit nodes are a subset of exit nodes
Could you explain? I thought all nodes except bridges were public.
I once thought of creating a cryptocoin where 1 initial coin would be handed out to whoever would be the first to claim each ip4 address. I think IP is too easy to spoof for that to work, but I still like the idea.
An analysis of the source IP address networks might reveal more about the technique he's using. For example if they are all from one cloud provider, he could be rapidly allocating and deallocating IPv4 addresses from their pool, to attach to a VM to make the requests.
That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.
I doubt a cloud provider would allow that, at some point you’d surely hit a rate limit or quota.
One person was able to claim 9% of all HN clickthroughs
https://ipv4.games/user.html?name=femboy.cat - looking at claimed networks they go in order. Some kind of spoofing attack either on TCP layer (less likely) or maybe server is consuming X-Real-IP or X-Forwarded-For without verification
The website sorts them.
oh yeah i didn't pay attention it's only small number of IPs and basically covers entire space because it's not grouped by actual BGP routes. Must be public proxies then
My hunch: it's not a real captcha on their page femboy.cat, but actually a script which "claims" the address in the ipv4.games game. Nothing to see here, move along.
Nothing so complicated. The HTML source of femboy.ca/ literally contains:
However, the question is why would this domain get 20 million distinct visitors (before being posted on Hacker News)?Interesting. I looked up top 10 domains. I wonder if you could have it occur on wikipedia.org? Other random thoughts after looking at https://radar.cloudflare.com/domains... Maybe tiktok somehow? Or a bug in NTP? :D
Would be interesting to log the referer.
Man, I really hate NANOG's new site.
I've been using https://seclists.org/nanog/ since the switch and it's so much better.
On the new site I see that the post has a link at the bottom which claims to take you to non-JS version of the site and that gave me hope, but following it and clicking on the "list overview" button takes you to a page that doesn't work without JS, and clicking on the "all threads" page just gives you links to posts that also need JS.
Subscribed to several residential proxies and claimed all IPs.