by maverwa 314 days ago
My first guess would be: server honors X-Forwarded-For where it should not?

Edit: looks like that's it: https://github.com/jart/cosmopolitan/blob/master/net/turfwar...

So basically someone is running a script that iterates over the whole IPv4 range and calls the claim endpoint once with each single address in the X-Forwarded-For HTTP header.


That only works if the proxy is sitting on localhost or a local network, just setting the header shouldn't work.

(I came here because I was curious how jart got 127 and 10, but after seeing the source is theirs that's less of a wonder..)

#include <stdbool.h>
#include <stdint.h>

bool IsPrivateIp(uint32_t x) {
  return (x >> 24) == 10                   /* 10.0.0.0/8     */
         || (x & 0xfff00000) == 0xac100000 /* 172.16.0.0/12  */
         || (x & 0xffff0000) == 0xc0a80000 /* 192.168.0.0/16 */;
}

The code doesn't consider 127.0.0.0/8 as "private". I'm curious about 10.0.0.0/8 though.

The line just under that prevents public IPs from using that function.
You are right, I totally read that wrong. Confirmation bias strikes again!
A simple proof of the opposite is that no one has yet exploited any of the untaken ranges that way.
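Added example (not from the thread or from cosmopolitan) of the rule the comments above describe: honor X-Forwarded-For only when the directly connected peer is a private address, and take the right-most entry, since earlier entries are whatever the client sent. Counting 127.0.0.0/8 as private and the "last hop wins" choice are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse dotted-quad IPv4 into host-order uint32; 0 on malformed input. */
uint32_t ParseIpv4(const char *s) {
  unsigned a, b, c, d;
  if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
  if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
  return (a << 24) | (b << 16) | (c << 8) | d;
}

/* RFC 1918 ranges as in the quoted function, plus loopback (assumption). */
bool IsPrivateIp(uint32_t x) {
  return (x >> 24) == 10                      /* 10.0.0.0/8     */
         || (x & 0xfff00000) == 0xac100000    /* 172.16.0.0/12  */
         || (x & 0xffff0000) == 0xc0a80000    /* 192.168.0.0/16 */
         || (x >> 24) == 127;                 /* 127.0.0.0/8    */
}

/* Address to attribute the request to. `xff` is the raw header value or
 * NULL. A public peer cannot override its own address with the header. */
uint32_t ClientIp(uint32_t peer, const char *xff) {
  if (!IsPrivateIp(peer) || !xff) return peer;  /* untrusted peer: ignore */
  const char *last = strrchr(xff, ',');         /* entry our proxy appended */
  last = last ? last + 1 : xff;
  while (*last == ' ') last++;
  uint32_t ip = ParseIpv4(last);
  return ip ? ip : peer;                        /* garbage header: fall back */
}

int main(void) {
  /* Constructed requests: a public peer setting the header, and a private
   * proxy forwarding a request whose client also stuffed the header. */
  uint32_t a = ClientIp(ParseIpv4("203.0.113.7"), "198.51.100.1");
  uint32_t b = ClientIp(ParseIpv4("10.0.0.5"), "1.2.3.4, 198.51.100.9");
  printf("public peer -> %08x (peer kept)\n", a);
  printf("private proxy -> %08x (last hop used)\n", b);
  return 0;
}
```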