maverwa 5 days ago

my first guess would be: server honors X-Forwarded-For where it should not?

Edit: looks like that's it: https://github.com/jart/cosmopolitan/blob/master/net/turfwar...

So basically someone is running a script that iterates over the whole IPv4 range and calls the claim endpoint once with each single address in the X-Forwarded-For HTTP header.

3r7j6qzi9jvnve 5 days ago | parent | next [-]

That only works if the proxy is sitting on localhost or a local network, just setting the header shouldn't work.

(I came here because I was curious how jart got 127 and 10, but after seeing the source is theirs that's less of a wonder..)

sgjohnson 5 days ago | parent [-]

#include <stdbool.h>
#include <stdint.h>

bool IsPrivateIp(uint32_t x) {
  return (x >> 24) == 10                   /* 10.0.0.0/8  */
         || (x & 0xfff00000) == 0xac100000 /* 172.16.0.0/12  */
         || (x & 0xffff0000) == 0xc0a80000 /* 192.168.0.0/16  */;
}

The code doesn't consider 127.0.0.0/8 as "private". I'm curious about 10.0.0.0/8 though.

viraptor 5 days ago | parent | prev | next [-]

The line just under that prevents public IPs from using that function.
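To make the point of the thread concrete, here is an added example (not code from cosmopolitan or from any commenter) of how a server should decide when to believe X-Forwarded-For: the header is only honoured when the TCP peer the request actually arrived from is a trusted proxy address, and a public peer that sets the header is simply attributed to its own address. The example assumes a single trusted reverse proxy in front of the server, so the last element of a comma-separated header chain is the address that proxy vouches for. It also goes slightly beyond the quoted function by treating 127.0.0.0/8 as a trusted proxy range alongside the three RFC 1918 ranges; the function and helper names are invented for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into a host-order uint32_t.
   Returns false on anything that is not exactly four octets in range. */
static bool ParseIpv4(const char *s, uint32_t *out) {
  unsigned a, b, c, d;
  char tail;
  if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
  if (a > 255 || b > 255 || c > 255 || d > 255) return false;
  *out = (a << 24) | (b << 16) | (c << 8) | d;
  return true;
}

/* Addresses a reverse proxy may legitimately connect from (assumption for
   this example): loopback plus the RFC 1918 ranges. */
bool IsTrustedProxyIp(uint32_t x) {
  return (x >> 24) == 127                  /* 127.0.0.0/8 loopback */
      || (x >> 24) == 10                   /* 10.0.0.0/8 */
      || (x & 0xfff00000) == 0xac100000    /* 172.16.0.0/12 */
      || (x & 0xffff0000) == 0xc0a80000;   /* 192.168.0.0/16 */
}

/* Decide which address a request is attributed to.
   peer: the TCP peer the server accepted the connection from.
   xff:  the X-Forwarded-For header value, or NULL if absent.
   The header is believed only when the peer is a trusted proxy; otherwise it
   is ignored and the peer address is used. Returns 0 if the peer address
   itself cannot be parsed (0.0.0.0 is never a valid client here). */
uint32_t ResolveClientIp(const char *peer, const char *xff) {
  uint32_t p;
  if (!ParseIpv4(peer, &p)) return 0;
  if (xff && IsTrustedProxyIp(p)) {
    /* A proxy appends the address it saw, so with one trusted proxy the
       last comma-separated element is the one it vouches for. */
    const char *last = strrchr(xff, ',');
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t') last++;
    char buf[16];
    size_t n = strcspn(last, " \t\r\n");
    if (n < sizeof buf) {
      memcpy(buf, last, n);
      buf[n] = '\0';
      uint32_t c;
      if (ParseIpv4(buf, &c)) return c;
    }
    /* Malformed header from a trusted proxy: fall back to the peer address. */
  }
  return p;
}

static void Show(const char *peer, const char *xff) {
  uint32_t ip = ResolveClientIp(peer, xff);
  printf("peer=%-14s xff=%-26s -> %u.%u.%u.%u\n", peer, xff ? xff : "(none)",
         ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255);
}

int main(void) {
  /* Constructed sample requests, not captured traffic. */
  Show("203.0.113.7", "10.0.0.1");               /* public peer: header ignored */
  Show("127.0.0.1", "203.0.113.7");              /* local proxy: header honoured */
  Show("10.2.3.4", "198.51.100.9, 192.0.2.5");   /* chain: last element wins */
  Show("192.168.1.1", "not-an-ip");              /* bad header: peer used */
  return 0;
}
```

The first case is the scenario the thread describes: a direct connection from a public address carrying a spoofed header is attributed to the public peer, so iterating the header value buys the sender nothing. The gate on the peer address is what makes that hold, which is why the range list it checks (and whether loopback belongs in it) matters.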

maverwa 5 days ago | parent [-]

you are right, I totally read that wrong. Confirmation bias strikes again!

elitepleb 5 days ago | parent | prev [-]

a simple proof of the opposite is that no one has yet exploited any of the untaken ranges that way