Turns out what constitutes "claiming" an IP on the site is nothing like you’d expect. You don’t need to prove you control the IP. All it takes is embedding a transparent 1x1 tracking pixel on a website, and every IP that loads the page gets counted as “claimed” by you. In other words, it’s just a tally of visitors (or even ad impressions), not actual control of the IPs. So there’s really nothing meaningful here.
It's still an interesting post, because if true I'd still be curious how you'd get 20 million people to load anything.
But the title here is totally misleading because it sure sounds like someone took control of 9% of the IPv4 address space but the actual post starts with context.
You can get 100 million people to load the 1x1 by adding it using JavaScript to an AdSense ad you publish on Google...
The number of times my browser has been hijacked from their ad network is numerous.
Odds are, the culprit owns some IP that is running on 20M devices. Whether it's a mobile game. A botnet. An ad. Or some other script/service that allows other machines to make the request on his/her behalf.
I would guess a WordPress plugin or something.
20 million is a lot, but if you look at geoip, they are around the whole world; I took 3 random latest IPs and I saw Vietnam, Brazil and Angola. So it's not that much when it's worldwide.
But it suggests it's not a geographically limited website. If it's through a website. It's probably not an ad buy. (Who would burn money on that...)
However the requests are literally every second. So it's something very popular. (Or a bot and they are somehow faking the source address...)
> Vietnam, Brazil and Angola
Curiously, these are some of the top countries I see when analyzing traffic from malicious scraping bots that disguise themselves as old Chrome versions on my websites.
So it's possible that one of those botnet-ish residential proxy services is being used here. The ones that use things like compromised browser extensions to turn unknowing users into exit nodes.
Edit: Yep, it's residential proxies, someone on the linked page mentioned a website where you can look up the IPs and all of them come up as proxies.
I find this really interesting, I can see a few different ideas on GitHub to claim IPs, but I don't see any of those reaching that scale.
https://github.com/search?q=ipv4.games%2Fclaim&type=code&p=1
While running ads is definitely a possibility, reaching 9% of all available IPs sounds like a crazy expensive campaign. I don't know what the ratio of people to public IP is but I doubt it's one.
20 million unique users is not that much. I don't understand the claim that this constitutes 9% of all IP addresses. It doesn't. There are about 4 billion public IPv4 addresses. 9% of that would be closer to 300 million.
You're right, like others said in the comments the 9% in the comments is from total active hosts tracked by Censys (~231 million). But I still think it's challenging to have that much reach and unlikely to be an ad campaign. Using numbers from the website below, the cost of getting 20 million impressions would be around $43,200 on the low end for YouTube ads and can be much higher on different platforms. That is also assuming perfect efficiency where we have exactly one impression per IP, which is unlikely to be the case.
https://www.guptamedia.com/social-media-ads-cost
Is it reasonable to assume these aren’t 100% static IP addresses? If so, maybe there’s some double counting going on.
The commenters on the linked post mention loading the pixel image embedded in an advertisement campaign.
This would make it possible to have thousands of impressions for relatively low amounts of money.
Maybe IoT software, though I wonder how they are doing the NAT busting if it's behind a router.
> So there’s really nothing meaningful here.
If it’s not meaningful it should be trivial to beat right? ;)
This seems like a super fun game to find the upper bound on IPv4 addresses someone can open a socket from!
It could be just reverse engineering how it works for one or a few IPs and sending all requests in the correct order, mimicking what the server expects to see from a real claim.
For this test to be valid it would need to do much more than just that, I think.
I've considered putting a tracking pixel on my blog so I can turn frontpage HN traffic into ipv4.games points, but it feels a little rude.