nanog mailing list archives

Re: IPv4 Games


From: Dan Mahoney via NANOG <nanog () lists nanog org>
Date: Sat, 16 Aug 2025 14:29:05 -0700

*sigh*

Short answer: OP did not put a game on the internet, they put a poorly coded CTF sandbox that does no input verification (doesn’t check referrers, doesn’t look at the HTTP user-agent, doesn’t require login, doesn’t check cookies, doesn’t have a nonce in the form that’s checked) and invites people to gamify it, and even now seems not to understand the problem and why this is an issue. A few bored developers who understand HTTP and HTML forms way better than OP found it, and OP is inviting more people to do the same things rather than fixing his “game”.

So this site is now like every old open phpBB or Gallery2 install, where people can pump URLs in for SEO spam, or even better, some good old fashioned XSS. The site automatically turns things that look like domain names into links. Shall we wait for a user to put the name of some crypto miner domain in there? Or embedded JavaScript? Or a malware site?

SANS Internet Storm Center cited it as an open proxy search tool in 2024. https://isc.sans.edu/diary/31136

-Dan
(opinions are my own)

On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog () lists nanog org> wrote:

hey,

She's a European developer. So I doubt she's burning money out of pocket on cloud like we do in the US.

Well the ad impressions cost minute amounts of money and given the 12.9M requests it's probably not even that expensive. This can also be piggybacked onto some real ad.

APNIC runs their IPv6 measurement using similar tricks and they get a lot more impressions. I don't think their cost numbers have been published anywhere but feel free to dig deeper.

-- 
tarko
_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/Z2DZHRSZI5FCGSUUM6E2RKXVFR6SKVFN/

_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/6JTP3IO7W56WVRYANCILWGAUELRGR4TO/
