|
| ▲ | maverwa 2 days ago | parent | next [-] |
| my first guess would be: server honors X-Forwarded-For where it should not? Edit: looks like thats it: https://github.com/jart/cosmopolitan/blob/master/net/turfwar... So basically someone is running a script iterates over the whole ipv4 range and calls the claim endpoint with each single adress in the X-Forwared-For http header once. |
| |
| ▲ | 3r7j6qzi9jvnve 2 days ago | parent | next [-] | | That only works if the proxy is sitting on localhost or a local network, just setting the header shouldn't work. (I came here because I was curious how jart got 127 and 10, but after seeing the source is their's that's less of wonder..) | | |
| ▲ | sgjohnson 2 days ago | parent [-] | | bool IsPrivateIp(uint32_t x) { return (x >> 24) == 10 /* 10.0.0.0/8 */
|| (x & 0xfff00000) == 0xac100000 /* 172.16.0.0/12 */
|| (x & 0xffff0000) == 0xc0a80000 /* 192.168.0.0/16 */;
}the code doesn't consider 127.0.0.0/8 as "private". I'm curious about 10.0.0.0/8 though.* |
| |
| ▲ | viraptor 2 days ago | parent | prev | next [-] | | The line just under that prevents public IPs from using that function. | | |
| ▲ | maverwa 2 days ago | parent [-] | | you are right, I totally read that wrong. Confirmation bias strikes again! |
| |
| ▲ | elitepleb 2 days ago | parent | prev [-] | | a simple proof of the opposite is that no one's yet to exploit any of the untaken ranges that way |
|
|
| ▲ | nilsherzig 2 days ago | parent | prev | next [-] |
| Embedding images on a popular page? But according to the servers status at http://35.223.193.241:443/statusz nearly all claim requests expected to get html back not images. |
| |
| ▲ | gruez 2 days ago | parent [-] | | There's plenty of ways around that, for instance <script src="https://ipv4.games/claim?name=gruez">
or <iframe src="https://ipv4.games/claim?name=gruez">
|
|
|
| ▲ | justusthane 2 days ago | parent | prev | next [-] |
| I don't know, but check out the "Recent Successful Claims" on the right. Edit: Apparently they run https://novo.tf/, a CAPTCHA service, so they're probably using that to call out to ipv4.games from their clients. |
|
| ▲ | viraptor 2 days ago | parent | prev | next [-] |
| There are VPNs which use residential endpoints. You essentially use other users' IPs there. |
|
| ▲ | bombcar 2 days ago | parent | prev | next [-] |
| They’re top of the list, so at least some is seeing that and choosing to add to it. |
|
| ▲ | adzm 2 days ago | parent | prev | next [-] |
| I wouldn't be surprised if they had it call out from guns.lol or something |
|
| ▲ | maldonad0 2 days ago | parent | prev | next [-] |
| Maybe spoofing source IPs. |
| |
| ▲ | sgjohnson 2 days ago | parent [-] | | can't spoof the source IP in TCP communication, as the handshake cannot happen. With UDP you can send whatever, but obviously you won't be able to receive the response. | | |
| ▲ | Sesse__ 2 days ago | parent [-] | | It used to be possible back in the days when sequence numbers were easily guessable. (You'd obviously not be able to receive, only send, so you couldn't do TLS, but TLS had hardly been invented at the time.) Now operating systems are way too good for that. :-) |
|
|
|
| ▲ | cedws 2 days ago | parent | prev [-] |
| Botnet maybe. |
| |
| ▲ | sgjohnson 2 days ago | parent [-] | | _nobody_ would waste a botnet of 9 million unique IPs like this. | | |
| ▲ | usui 2 days ago | parent | next [-] | | Well let's not get hasty... These are valuable internet points we're talking about here. | |
| ▲ | nilsherzig 2 days ago | parent | prev | next [-] | | Not if it's your own, but this would be a great opportunity to redirect a botnet hitting your severs to generate some internet points instead | |
| ▲ | nicman23 a day ago | parent | prev [-] | | it would be pretty funi though |
|
|
