The idea that this is just exploitation of open proxy HTTP servers has been doing the rounds for a year, now.

* https://isc.sans.edu/diary/31136

However, at least one person thinks that it is a bug in the X-Forwarded-For handling code,

* https://biggo.com/news/202508070812_IPv4_Games_Header_Exploi...

which, contrary to the headlined NANOG mailing list thread, is being parsed, as we can see:

* https://github.com/jart/cosmopolitan/blob/master/net/turfwar...

* https://justine.lol/threads/

I think that the person who thinks that X-Forwarded-For: cannot be manipulated here needs to be put in the same room with the person who thinks that there's an endless variety of ways in which "desync" attacks can forge such headers when one uses HTTP/1.1.

* https://portswigger.net/research/http1-must-die

* https://news.ycombinator.com/item?id=44915090
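Added example, not from any commenter or from the turfwar code: the difference between the two positions above comes down to who wrote each address in X-Forwarded-For. A direct client can put anything in the header, so a server reachable without a proxy must ignore it; behind a proxy, the only address worth trusting is the one the proxy itself appended, which is the rightmost entry not belonging to a trusted hop. The trusted-proxy address below is an assumed value for illustration.

```python
import ipaddress

# Assumed trusted reverse-proxy address for this example (not the ipv4.games setup).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def parse_xff(value):
    """Split an X-Forwarded-For value into addresses, left = oldest hop.

    Junk entries are dropped rather than raising: the header is client-controlled.
    """
    addrs = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            continue
    return addrs


def naive_client_ip(peer, xff):
    """What a parser that takes the first listed address believes (spoofable)."""
    addrs = parse_xff(xff or "")
    return addrs[0] if addrs else ipaddress.ip_address(peer)


def client_ip(peer, xff=None, trusted=TRUSTED_PROXIES):
    """Attribute a request to an address without trusting the client's own header.

    If the TCP peer is not a trusted proxy, the header is whatever the client typed,
    so the peer address wins. If the peer is a trusted proxy, walk X-Forwarded-For
    from the right (most recently appended) and stop at the first address that is
    not one of our proxies; everything left of it was written by an untrusted party.
    """
    peer = ipaddress.ip_address(peer)
    if peer not in trusted:
        return peer
    for addr in reversed(parse_xff(xff or "")):
        if addr not in trusted:
            return addr
    return peer


if __name__ == "__main__":
    # curl -H 'X-Forwarded-For: 6.0.0.1' straight at the origin
    print(client_ip("203.0.113.7", "6.0.0.1"))
    # same request relayed by the trusted proxy, which appended the real client
    print(client_ip("10.0.0.2", "6.0.0.1, 203.0.113.7"))
    print(naive_client_ip("10.0.0.2", "6.0.0.1, 203.0.113.7"))
```

The rightmost-untrusted rule only holds if the proxy really appends the connecting address to every request it forwards and the origin is not reachable around it; a request-smuggling desync of the kind discussed in the PortSwigger piece is exactly a way to get a request to the back end that the front end never rewrote.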

Can someone help me understand why that 'turfwar game' is in what otherwise seems to be what is meant to be a C library that people include in their projects? It doesn't seem to be automatically built as part of the project, but it still seems very odd to place it in a repo of a library that you want other people using instead of splitting it out to its own repo.

Considering femboy.cat is still making thousands of claims per minute, shouldn't the header spoofing theory be easy to check? Just run tcpdump on the server, get a few claimed IPs, and see if they made any TCP handshakes in the packet dump.
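Added example of the check proposed above, not from the thread or from the game's code: given tcpdump's text output on the server and a list of claimed addresses, collect every source that sent a bare SYN to the service port and report the claimed addresses that never did. The capture lines and the claimed list below are constructed; a claim made through an open proxy will still show the proxy's own handshake, so this only separates header spoofing from proxy abuse.

```python
import re

# Constructed tcpdump -n output, not a real capture from ipv4.games.
SAMPLE_TCPDUMP = """\
12:00:00.000001 IP 203.0.113.7.51234 > 198.51.100.1.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000050 IP 198.51.100.1.80 > 203.0.113.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.000090 IP 203.0.113.7.51234 > 198.51.100.1.80: Flags [.], ack 3, win 502, length 0
12:00:00.000200 IP 203.0.113.7.51234 > 198.51.100.1.80: Flags [P.], seq 2:95, ack 3, win 502, length 93
12:00:01.000001 IP 192.0.2.9.40000 > 198.51.100.1.80: Flags [S], seq 7, win 64240, length 0
12:00:01.000050 IP 198.51.100.1.80 > 192.0.2.9.40000: Flags [S.], seq 8, ack 8, win 65160, length 0
"""

# Constructed list of addresses the leaderboard says made claims in this window.
CLAIMED = ["203.0.113.7", "6.0.0.1", "192.0.2.9"]

# IPv4 tcpdump line: "IP src.sport > dst.dport: Flags [..]".
TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def syn_sources(capture, server_port=80):
    """Return the set of source IPs that sent a bare SYN to server_port.

    A SYN-ACK prints as [S.] and comes from the server, so only an exact "S"
    counts as a client opening a connection.
    """
    sources = set()
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue
        src, _sport, _dst, dport, flags = m.groups()
        if int(dport) == server_port and flags == "S":
            sources.add(src)
    return sources


def unverified_claims(claimed, capture, server_port=80):
    """Claimed addresses with no SYN in the capture: spoofed or never on the wire."""
    seen = syn_sources(capture, server_port)
    return [ip for ip in claimed if ip not in seen]


if __name__ == "__main__":
    print("handshakes from:", sorted(syn_sources(SAMPLE_TCPDUMP)))
    print("claims with no handshake:", unverified_claims(CLAIMED, SAMPLE_TCPDUMP))
```

On a real host this would read `tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 80'` output; with the SYN/ACK filter applied at capture time the `flags == "S"` test is redundant but harmless.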

If it's so easy to fool the web server with a header, then why don't you try it.

    curl -H 'X-Forwarded-For: 6.0.0.1' http://ipv4.games/claim/lool
Congratulations! You're the first person to claim the DoD's 6.x.x.x class a subnet.