One person was able to claim 20M IPs, or 9% of all IPv4 hosts
53 comments
· August 16, 2025
ludwik
treve
It's still an interesting post, because if true I'd still be curious how you'd get 20 million people to load anything.
But the title here is totally misleading because it sure sounds like someone took control of 9% of the ipv4 address space but the actual post starts with context.
reactordev
You can get 100 million people to load the 1x1 by adding it using javascript to an adsense ad you publish on Google...
The number of times my browser has been hijacked from their ad network is numerous.
Odds are, the culprit owns some IP that is running on 20M devices. Whether it's a mobile game. A bot net. An ad. Or some other script/service that allows other machines to make the request on his/her behalf.
karel-3d
I would guess a WordPress plugin or something.
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not an ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
bakugo
> Vietnam, Brazil and Angola
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
nicomt
I find this really interesting, I can see a few different ideas on GitHub to claim IPs, but I don't see any of those reaching that scale.
https://github.com/search?q=ipv4.games%2Fclaim&type=code&p=1
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
ludwik
20 million unique users is not that much. I don't understand the claim that this constitutes 9% of all IP addresses. It doesn't. There are about 4 billion public IPv4 addresses. 9% of that would be closer to 300 million.
cj
Is it reasonable to assume these aren’t 100% static IP addresses? If so, maybe there’s some double counting going on.
LunaSea
The commenters on the linked post mention loading the pixel image embedded in an advertisement campaign.
This would make it possible to have thousands of impressions for relatively low amounts of money.
Onavo
Maybe IoT software, though I wonder how they are doing the NAT busting if it's behind a router.
schmichael
> So there’s really nothing meaningful here.
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
Retr0id
I've considered putting a tracking pixel on my blog so I can turn frontpage HN traffic into ipv4.games points, but it feels a little rude
JdeBP
The idea that this is just exploitation of open proxy HTTP servers has been doing the rounds for a year, now.
* https://isc.sans.edu/diary/31136
However, at least one person thinks that it is a bug in the X-Forwarded-For handling code,
* https://biggo.com/news/202508070812_IPv4_Games_Header_Exploi...
which, contrary to the headlined NANOG mailing list thread, is being parsed, as we can see:
* https://github.com/jart/cosmopolitan/blob/master/net/turfwar...
* https://justine.lol/threads/
I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.
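The two X-Forwarded-For handling styles the comment contrasts, as an added illustration (not code from ipv4.games or the cosmopolitan repository): the naive version takes whatever the leftmost header entry says, while the conservative version only believes entries appended by proxies it trusts and otherwise falls back to the TCP peer address. The trusted proxy range and sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Reverse proxies this origin sits behind (constructed value for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Trusts the leftmost X-Forwarded-For entry unconditionally.

    Anyone can send this header, so the returned address is attacker-controlled
    whenever the request did not pass through a proxy that strips it.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def safe_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the chain right-to-left and stop at the first hop we did not add.

    Only proxies in TRUSTED_PROXIES append entries we believe; the rightmost
    untrusted entry is the real client. A direct connection (peer not a
    trusted proxy) ignores the header entirely, and a malformed entry aborts
    the walk and falls back to the socket peer address.
    """
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not is_trusted(hop):
            return hop
    # Every listed hop was one of our own proxies: nothing better than the peer.
    return remote_addr
```
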
mzajc
Considering femboy.cat is still making thousands of claims per minute, shouldn't the header spoofing theory be easy to check? Just run tcpdump on the server, get a few claimed IPs, and see if they made any TCP handshakes in the packet dump.
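The check proposed here, worked through as an added example (not code from the thread or from ipv4.games): parse tcpdump-style text output, keep only clients that completed a full SYN, SYN/ACK, ACK handshake with the server, and list the claimed addresses that never did. The capture lines, server address and claimed list are all constructed for the example.

```python
import re

# Constructed tcpdump-style output (not a real capture). Server is 192.0.2.10:443.
CAPTURE = """\
12:00:01.000001 IP 203.0.113.7.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.0.2.10.443 > 203.0.113.7.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:01.000400 IP 203.0.113.7.51234 > 192.0.2.10.443: Flags [.], ack 10, win 64240, length 0
12:00:02.000001 IP 198.51.100.5.40000 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000200 IP 192.0.2.10.443 > 198.51.100.5.40000: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:03.000001 IP 198.51.100.9.40001 > 192.0.2.10.443: Flags [P.], seq 1:50, ack 1, win 64240, length 49
"""

# Constructed list of addresses the game says were claimed.
CLAIMED = ["203.0.113.7", "198.51.100.5", "198.51.100.9", "192.0.2.77"]

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def handshake_peers(capture: str, server_ip: str, server_port: int) -> set:
    """Client IPs that completed the three-way handshake with the server."""
    syn, synack, done = set(), set(), set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if flags == "S" and dst == server_ip and int(dport) == server_port:
            syn.add(src)                      # client -> server SYN
        elif flags == "S." and src == server_ip and dst in syn:
            synack.add(dst)                   # server -> client SYN/ACK
        elif flags == "." and dst == server_ip and src in synack:
            done.add(src)                     # client -> server final ACK
    return done


def unverified_claims(claimed, capture, server_ip, server_port) -> list:
    """Claimed IPs with no completed handshake in the capture, sorted."""
    seen = handshake_peers(capture, server_ip, server_port)
    return sorted(ip for ip in claimed if ip not in seen)
```

Addresses that show up only with data segments, or only half-open, land on the unverified list alongside addresses never seen at all, which is exactly the gap between "claimed" and "actually connected" that the comment wants to measure.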
jsnell
The 9% number comes from dividing by the number of IPv4 hosts reported by Censys, who do a portscan of the entire IPv4 space.
But obviously most clients will not have any ports open, and wouldn't be visible to the scan. It's not at all correct to treat that as the number of actively used IPv4 addresses.
tptacek
Right, it's not even close to 9% of all IPv4 hosts.
adolph
With that method, it would be more honest to only include the IP addresses of hosts reported by Censys in the numerator as well as the denominator.
mijoharas
I'm trying to understand. If 9% is 20 million then the total is ~220 million. That doesn't seem right to me. So this isn't talking about the ipv4 address space is it? (Ignoring reserved blocks that's 4 billion). What exactly is it talking about?
miyuru
Currently top player no 2 "jackson" uses JS to send a request from his websites and anyone who clones his code.
https://github.com/search?q=https%3A%2F%2Fipv4.games%2Fclaim...
NO 1 must be doing a similar thing.
Other attempts: https://github.com/search?q=ipv4.games%2Fclaim&type=code
flerchin
How is 20M IPs 9% of all IPv4 hosts? That works out to something like 220M IPv4 hosts, when I'd naively think there should be more like 4B or so.
Hikikomori
Many are reserved, not in use or even advertised.
wutwutwat
Yet they are still part of the “all ipv4” address space, so either the percentage is wrong or the use of “all” is a lie here.
Hikikomori
No, it's hosts, something different from just all IPv4.
Aurornis
So to “claim” an IP address you only need to send a GET request to the server with your tag as a param?
What am I missing? It seems like sampling the headers for the incoming requests would reveal the answer quickly if it’s a 1x1 tracking pixel.
There’s a good chance that they wouldn’t really like the answer: It could have been slipped into a WordPress plugin or added as a call from an npm package, generating millions of unintended requests from other people’s computers to win an internet game.
throwmeaway222
Yeah that's what I suspect as well - any website where you can put HTML on the domain in some way - there have to be many software packages out there that have this problem.
It could also be as simple as an ad network femboy works at.
nilsherzig
Couple ideas (can’t test them now):
They list guns.lol as one of their projects. Looks like a linktree type of personal website hosting service. Some traffic might come from that network of pages, but if that would be the case I would expect google to have indexed their claim links by now. Same thing goes for the captcha service they are running.
They also have a cracked version of a Minecraft cheat client on GitHub. It’s very common to use residential proxies while cheating (or cracking Minecraft accounts), so that might be another option (obviously not for all of the IPs). Someone should scan the IPs claimed by them for common proxy ports.
Might be a good idea to run their claims through a geoip db, even tho they are pretty spread out over different subnets, there still might be a correlation there (like mostly Spanish speaking countries or something like that).
Looks like the gameserver provides some more insights at /statusz, notably there are basically no "image claims". So it would have to be iframes or script src requests (?).
Might also be fun to monitor your local network for requests to ipv4.games, I will set a notification with my firewall and report back :).
progbits
Buying ads or embedding on some popular sites seems like best theory.
@jart: You could log referer header maybe, or user agent?
mzajc
> There are currently 13'797 Tor exit nodes <https://www.dan.me.uk/tornodes>
As far as I'm aware, this is off by a magnitude, and I'm not sure where the number comes from because the linked website lists much fewer (but ratelimits to 1/30m for some reason?). The official list at https://check.torproject.org/torbulkexitlist lists just over 1k exits, so I really doubt these made much of a difference.
dilyevsky
https://ipv4.games/user.html?name=femboy.cat - looking at claimed networks they go in order. Some kind of spoofing attack either on the TCP layer (less likely) or maybe the server is consuming X-Real-IP or X-Forwarded-For without verification
charcircuit
The website sorts them.
dilyevsky
Oh yeah, I didn't pay attention; it's only a small number of IPs and basically covers the entire space because it's not grouped by actual BGP routes. Must be public proxies then
mdemare
I once thought of creating a cryptocoin where 1 initial coin would be handed out to whoever would be the first to claim each ip4 address. I think IP is too easy to spoof for that to work, but I still like the idea.
Turns out what constitutes "claiming" an IP on the site is nothing like you’d expect. You don’t need to prove you control the IP. All it takes is embedding a transparent 1x1 tracking pixel on a website, and every IP that loads the page gets counted as “claimed” by you. In other words, it’s just a tally of visitors (or even ad impressions), not actual control of the IPs. So there’s really nothing meaningful here.