Re: IPv4 Games

[Justine Tunney via NANOG <nanog () lists nanog org>]

I'm happy to consider any proposal that'll make the game more fun. Please
note I like the fact that the rules are simple to understand. There's also
no such thing as a cheap move. So far, we've only disallowed tricks when
they prevent the game from being fun.

For example, back when we used Cloudflare for DDOS protection, one player
was smart enough to realize he could claim 240.0.0.0/4 (the IPv4 addresses
reserved for future use) because cloudflare used those IPs to proxy IPv6
IIRC. We allowed it, in recognition for his cleverness. But when he found a
way to spoof any IP through Cloudflare, I had to delete him from the
database and implement my own better DDOS protection from scratch.

I don't think your claims about SEO and XSS have merit. IPv4 Games allows
users to pick usernames that look like URLs, but if you click on them, they
don't actually go to the user's website. You'd've understood this if you'd
looked more closely.

Advanced players also understand that bigger isn't always better and that
not all subnets are created equal. So far I'm the only person who's managed
to claim a /8 owned by the Department of Defense. I also control Apple's
class A subnet. So one way we might reform the game is by introducing
weightings.

On Sat, Aug 16, 2025 at 2:30 PM Dan Mahoney via NANOG <nanog () lists nanog org>
wrote:

> *sigh*
>
> Short answer: OP did not put a game on the internet, they put a poorly
> coded CTF sandbox that does no input verification (doesn’t check referrers,
> doesn’t look at the http user-agent, doesn’t require login, doesn’t check
> cookies, doesn’t have a nonce in the form that’s checked) and invites
> people to gamify it, and even now seems not to understand the problem and
> why this is an issue.  A few bored developers who understand HTTP and HTML
> forms way better than OP found it, and OP is inviting more people to do the
> same things rather than fixing his “game”.
>
> So this site is now like every old open PHPBB or gallery2 install, where
> people can pump url’s in for SEO spam, or even better, some good old
> fashioned XSS.  The site automatically turns things that look like domain
> names into links.  Shall we wait for a user to put the name of some crypto
> miner domain in there?  Or embedded javascript?  Or a malware site?
>
> Sans Internet Storm Center cited it as an open proxy search tool in 2024.
> https://isc.sans.edu/diary/31136
>
> -Dan
> (opinions are my own)
>
> > On Aug 16, 2025, at 03:34, Tarko Tikan via NANOG <nanog () lists nanog org>
> wrote:
> > hey,
> >
> > > She's a European developer. So I doubt she's burning money out of
> pocket on cloud like we do in the US.
> > Well the AD impressions cost minute amounts of money and given the 12.9M
> requests it's probably not even that expensive. This can also be
> biggypacked to some real AD.
> > APNIC runs their IPv6 measurement using similar tricks and they get a
> lot more impressions. I don't think their cost numbers have been published
> anywhere but feel free to dig deeper.
> > --
> > tarko
> > _______________________________________________
> > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/Z2DZHRSZI5FCGSUUM6E2RKXVFR6SKVFN/
>
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/6JTP3IO7W56WVRYANCILWGAUELRGR4TO/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/XIBGD6PJWWSUOY6CVTNJ7VIGCVSE3GFF/