A couple of months ago, we published a story about a game where players compete to claim the most IPv4 space and secure the bragging rights that come from being at the top of the leaderboard. At the time of writing, the current all-time leader has claimed over 28 million addresses (daily, weekly, and monthly leader spots are also up for grabs).
Gamifying the IPv4 address space seemed to reflect a very specific set of skills and interests. Rather than speculate about the people behind it, we asked the project’s creator, Clay Loam, and its maintainer, Justine Tunney, if they would be open to an interview. They kindly agreed.
What are your respective origin stories? How did they lead you to meet each other? How did they lead to ipv4.games?
Justine: Open source became a passion for me at an early age, when I taught myself to write tools in Visual Basic and Delphi and share them online.
I first fell in love with UNIX by telnetting into sdf.lonestar.org. The first UNIX OS I ran in my home was FreeBSD. I used it to set up an old computer in my home as my new router. I even hacked the kernel to replace a common curse word with ‘face’. Except I forgot to recompute the IPv4 checksum header. My friends quickly found out that any time they said that curse word to me on AOL Instant Messenger (AIM), my TCP connection would get dropped, and I’d go offline.
More recently, I wrote a chatbot called llamafile and a web server named redbean that uses a new executable format to run on multiple Operating Systems (OSes).
Clay Loam: I like to make games and web toys, especially things that lots of people can play together. My other biggest hit is familiars.io, an online Pokémon-like game that once averaged over a hundred players online during the first few weeks of 2021, though it’s pretty quiet nowadays.
I was really interested in redbean because of its neat Windows and Unixes trick, and how many features it packed in one tiny scriptable web server. When I showed off a proof-of-concept for ipv4.games to the redbean community, Justine kindly offered support for the project and helped it get attention online. She also wrote a new backend to help deal with the kind of traffic that ipv4.games gets, since the project is basically an open invitation to try a Distributed Denial of Service (DDoS) attack on the web server.
Where did the idea for ipv4.games come from? Was there anything in particular you were looking to see?
Clay Loam: I was working on another one of my games at the time, familiars.io, and I was dealing with players flooding the server with bots. It became a game of cat and mouse, with players working around my changing bot mitigation measures.
Although I was fretting about how other players’ experiences were being impacted by the bots, it was kind of fun to battle them. At some point, I started considering how I would deal with a sophisticated attacker that might create a bunch of bots from many IP addresses, and I had the thought, ‘What if that was the game?’
I had a few ideas for strategies that players might employ going in, like spinning up cloud virtual machines (VMs) or using code sandboxes to make requests. I was curious what other ideas people would come up with, but I didn’t expect anything on the scale of what some players have done!
Can you give us a technical overview of how the game is implemented? Hosted?
Justine: We host ipv4.games in a scrappy way on a single Debian VM on Google Cloud Platform. Our server is written in a few thousand lines of C that’s built on the redbean web server. We use SQLite as the database.
Our server is able to process hundreds of thousands of claims per hour because we use a multithreaded architecture where http request handling threads pass work to background threads, which is performed in batches.
What has been the impact of all the attention the game garnered? Unexpected costs? Unexpected benefits?
Clay Loam: One unexpected impact is that now I occasionally get random hackers direct-messaging me on Discord.
On a more serious note, I definitely didn’t expect that ipv4.games would become a live real-world stress-test of redbean and various other components of Cosmopolitan Libc. It’s nice to see open source tools that make applications portable holding up so well.
And, maybe we’re giving some botnet wielders something relatively harmless to do?
As for costs, I think we did have to try to use Cloudflare for a bit, though I don’t remember what that cost exactly. Ultimately, it wasn’t actually helpful in keeping the service online, so we stopped using it pretty quickly.
How do you work out the origin of a claim? Are proxies and Virtual Private Networks (VPNs) cheating, or part of the fun?
Justine: One NANOG member actually independently verified that the IPv4 Games traffic isn’t just IP spoofing and is actually flowing through the series of tubes.
To claim an IP on our website, you need to make a TCP three-way handshake with our web server, which gets your IP directly from the accept4() system call, and doesn’t take into consideration HTTP headers.
The rest of it is just leveraging the quality of Google Cloud’s premium-tier network, which can’t easily be fooled. Our policy is that if you can communicate from a host, you can claim the host. So we consider proxies and VPNs fair game.
Some of our users will turn their mobile phones on and off to get assigned a new IP address they can claim. Just note that if you do it, then someone else can do it too! Players will frequently rise and fall off the leaderboard when they compete for the same IPs.
Clay Loam: My assumption going in was that the web server can trust the remote IP of a TCP connection, and I don’t have any hard evidence to the contrary so far.
Regarding proxies and VPN’s, I originally just wanted to see what would happen with the unrestricted invitation to ‘send us GET requests from as many IPs as possible’, and just see where it goes. I quickly learned what a residential proxy was after about a week into hosting the game!
It could be interesting to change things in order to encourage different strategies somehow, but I’m not sure what I would want out of it.
What is the algorithm for the footprint of the claim?
Justine: When making games, our priority has been to do the simplest thing that works. Right now, our scoreboard sums up the number of claimed IPs, with equal weighting, for each Class A subnet.
While this makes the game easy to understand, it paints a legacy view of the ARPAnet back when companies were able to snag entire Class A blocks. We’d love to hear any ideas your readers have about how we might visualize the richness of territory that exists in the IPv4 address space today.
Have players been concentrated in a region or economy? Or have they been distributed around the world? Has this changed over time?
Clay Loam: Although we can individually learn about players by looking up their names or websites, it’s sort of impossible to know for sure, right? The game inherently makes it hard to know anything about players, as they will be coming from many IP addresses over the course of playing the game!
Justine: We built the ipv4.games in the United States, but the two all-time highest-ranked players are in Germany. Our goal is to make the game inclusive and fun for people all around the world. The only way we’re able to know where a user is from is when they put their domain name in their username.
Did you get any quirky claims like Department of Defence (DoD) address territory, Antarctic bases, or the Vatican?
Justine: So far, I am the only person who’s managed to claim a DoD block. It happened a few years ago, probably because a few people at the DoD (on 214.0.0.0/8) visited my blog, which has the IPv4 Games pixel. Lambro and exove.ovh are the only users who’ve claimed IPs in the Holy See (212.77.0.0/19). So far, no one has claimed an IP from Antarctica.
Are you measuring site traffic, especially from dual-stack sources? Out of interest, how many people come to you over v6?
Justine: The IPv4 Games can only be accessed via IPv4. Mostly because we’re not sure how we’d process claims from IPv6 hosts, other than simply letting the user claim whichever gateway or tunnel service they’re using.
In the future, we might create a sister website that’s only accessible over IPv6. Sadly, someone else thought to register the ipv6.games domain before we did, so we would need to work out a deal with them before moving forward.
If you could wave a wand and see some other aspect of core Internet technology gamified, what would it be?
Clay Loam: I guess you could do something similar with sending something other than HTTP traffic to a specific server, like ICMP pings or whatever, but I don’t think that would be more interesting.
So I think it would have to be a totally different concept.
I wonder if there’s a game to be found in traceroute? Or, while it’s not exactly core Internet technology, I wonder if there’s a way to turn something annoying like third-party tracking cookies into a game?
What else are you currently working on?
Clay Loam: Mostly my day job lately, though I’ve got lots of things I would like to be working on more. Recently, I have been making a toy programming language and reimplementing one of my other games in it, GUY RPG, mostly just for fun. I’m also hoping to make a new Game Boy Advance game with my wife soon! Feel free to follow ClayLoam on Twitter and Bluesky and get updates there.
Justine: I’ve been making improvements to Cosmopolitan Libc, and I’m planning to add support for Actually Portable Executable to the FreeBSD kernel in the coming months. You can follow me on Twitter and Bluesky. Most of the action happens in the redbean discord community. I’m easy to contact, and I like it when people reach out and share their thoughts on the work we’re doing.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.