Why are you doing a separate request for every /8? I feel like this would be the first thing that would kill the site, if it weren't for the fact you're on HTTP, the browser is talking HTTP/1.1, so it only does 6 concurrent requests per domain.
I have been wasting so much time claiming up to 11 networks over the past week. All for you lot to steal all but 2 of them from me in as many hours. Give me a break. :)
I had an almost identical idea to this website a while ago but never acted on it, props to the dev.
Here is how you win the IPv4 games, in order of most to least effective:
1) Have a large online following that is willing to visit your claim link or a page where you can embed an iframe / img / etc that points to your claim link.
2) Pay to use someone else's (consensual) botnet by paying a residential proxy service, this is the approach I just used and it cost me a few dollars for access to a massive amount of distributed IPv4 space.
3) Abuse cloud / serverless offerings as far as they will go, unlikely to win more than a few blocks this way.
4) Own IPv4 space.
Other less ethical approaches: possibly exploit the system by sending a XFF header the developer forgot to block (probably just checking socket address so unlikely to work here), spin up a Vultr VPS in the same DC and probe for a way to connect with a local address, hijack BGP space, run your own botnet, I'm reminded of an old exploit in WordPress XMLRPC...
From what I can see the current rankings are just me and mike fighting for the same proxy space (the vote goes to the most recent visit per IP), and everyone else falls into buckets 3 & 4.
Basically I did a 1&2 combo. I run a small anti-bot service for a few friends sites and started redirecting a particularly aggressive scraper to the claim URL.
I took approach #3 for 5 blocks. Surprisingly, that's good enough to get on the leaderboard, at least till someone keeps a simple script running longer than me.
I do wonder what an IPv6 version of this would look like, but how it'd work, and how active it'd be.
I am option 4 but it's never going to get me very far up the leaderboard. So I just grabbed one of the funny numbers in one of the /8s and called it a day.
Not using HTTPS opens up a bunch of new possibilities of how to cheat...
Can you send an http request spoofing the IP address it's from? I bet you could with enough attempts because you only have to successfully guess the TCP syn cookie once...
I managed to claim 64 out of 256 blocks using proxies from Bright Data[0] and PacketStream[1]. I claimed 49616 IP addresses within those 64 blocks. Unfortunately, the website doesn't tell you how many IP addresses someone claimed in total. Cool project!
Had some fun with this. I used fireprox[0] to grab a ton of AWS IPs, and some proxy vendors for some other random ranges. Sadly my ASN has only /24s in disparate ranges so it wouldn’t make a dent for most of them.
In this thread there is a comment wich talks about using AWS API Gateways for scraping. What are other great ways to get many different ips for scraping?
Beside residential proxies.
I expect you could do an img tag or iframe, buy cheap ad traffic, and win. Tor is an option but last time I looked the exit node count is in the thousands. You could probably use any feed submitter or preview functions (Google docs insert URL, Facebook insert URL, etc).
- Static IP blocks from their ISP (some still lease IPs for surprisingly cheap).
- Releasing/renewing their NAT boxe's DHCP release on carriers that don't pin assignments (usually these are in pools of /22 or 1024 addresses - though most would be in use at any given time and impossible to randomly get you should be able to get a couple dozen).
- Customers of ISPs that use CG-NAT (cheap wired) or NAT64 (some wireless providers), similar to the above just 1 translation layer deeper.
- IP space you control (that's how I have 23.0.0.0/8 for the moment)
- BGP hijacking IP space you want to control (though hopefully in the world of RPKI this is getting harder and harder to do)
Source spoofing wouldn't get you far enough into the connection to make the claim and BGP hijacking is prevented on Vultr (you have to file a ROA and update RPKI before they'll accept the advertisement).
Tonight I discovered I could create 128 m2.micros from my AWS account no questions asked. Very very worrying. Much happier with Hetzner with an initial limit of 25.
This got me wondering that, in practice, how hard would it be to spoof source IP in the internet? I assume it requires some controls on an Tier-1 ISP network (so that the the spoofed package would not be filtered by upstream)?
Though apparently it doesn’t help in this case because it’s HTTP/TCP which requires a handshake
clayloam|3 years ago
PaoloBarbolini|3 years ago
mike_d|3 years ago
hackmiester|3 years ago
BonoboIO|3 years ago
Rasbora|3 years ago
Here is how you win the IPv4 games, in order of most to least effective:
1) Have a large online following that is willing to visit your claim link or a page where you can embed an iframe / img / etc that points to your claim link.
2) Pay to use someone else's (consensual) botnet by paying a residential proxy service, this is the approach I just used and it cost me a few dollars for access to a massive amount of distributed IPv4 space.
3) Abuse cloud / serverless offerings as far as they will go, unlikely to win more than a few blocks this way.
4) Own IPv4 space.
Other less ethical approaches: possibly exploit the system by sending a XFF header the developer forgot to block (probably just checking socket address so unlikely to work here), spin up a Vultr VPS in the same DC and probe for a way to connect with a local address, hijack BGP space, run your own botnet, I'm reminded of an old exploit in WordPress XMLRPC...
From what I can see the current rankings are just me and mike fighting for the same proxy space (the vote goes to the most recent visit per IP), and everyone else falls into buckets 3 & 4.
mike_d|3 years ago
progval|3 years ago
Sadly, it was considered, and XFF is ignored from non-private source addresses: https://github.com/jart/cosmopolitan/blob/155b378a3962e4d291...
With private addresses defined as: https://github.com/jart/cosmopolitan/blob/7ab15e0b236d085c82...
seligman99|3 years ago
I do wonder what an IPv6 version of this would look like, but how it'd work, and how active it'd be.
hackmiester|3 years ago
thunderbong|3 years ago
[0]: https://redbean.dev
cmeacham98|3 years ago
clayloam|3 years ago
londons_explore|3 years ago
Can you send an http request spoofing the IP address it's from? I bet you could with enough attempts because you only have to successfully guess the TCP syn cookie once...
rowin|3 years ago
[0] https://brightdata.com/ [1] https://packetstream.io/
clayloam|3 years ago
Congrats on #1 spot :)
iancarroll|3 years ago
[0] https://github.com/ustayready/fireprox
r3trohack3r|3 years ago
wyattwest|3 years ago
[0] https://spur.us/2020/08/residential-proxies-the-legal-botnet...
unknown|3 years ago
[deleted]
tranxen|3 years ago
distantsounds|3 years ago
BonoboIO|3 years ago
In this thread there is a comment wich talks about using AWS API Gateways for scraping. What are other great ways to get many different ips for scraping? Beside residential proxies.
bhaney|3 years ago
playingalong|3 years ago
What other options do people have?
chrismarlow9|3 years ago
http://ipv4.games/claim?name=whatever
I expect you could do an img tag or iframe, buy cheap ad traffic, and win. Tor is an option but last time I looked the exit node count is in the thousands. You could probably use any feed submitter or preview functions (Google docs insert URL, Facebook insert URL, etc).
zamadatix|3 years ago
- Static IP blocks from their ISP (some still lease IPs for surprisingly cheap).
- Releasing/renewing their NAT boxe's DHCP release on carriers that don't pin assignments (usually these are in pools of /22 or 1024 addresses - though most would be in use at any given time and impossible to randomly get you should be able to get a couple dozen).
- Customers of ISPs that use CG-NAT (cheap wired) or NAT64 (some wireless providers), similar to the above just 1 translation layer deeper.
- IP space you control (that's how I have 23.0.0.0/8 for the moment)
- BGP hijacking IP space you want to control (though hopefully in the world of RPKI this is getting harder and harder to do)
playingalong|3 years ago
zamadatix|3 years ago
I like the test claim from localhost :).
Ayesh|3 years ago
https://www.ietf.org/archive/id/draft-schoen-intarea-unicast...
PaoloBarbolini|3 years ago
bigcheesegs|3 years ago
clayloam|3 years ago
raggi|3 years ago
zamadatix|3 years ago
PaoloBarbolini|3 years ago
RockingGoodNite|3 years ago
[deleted]
blahgeek|3 years ago
Though apparently it doesn’t help in this case because it’s HTTP/TCP which requires a handshake
MrStonedOne|3 years ago
[deleted]