IPinfo Great IP Hunt : Day 3 Winners

Day 3 Winners of the Great IP Hunt

The third day of the Great IP Hunt was quite fun. On our winners list, we had both power users and our usual average users, creating an interesting mix. We want to encourage everyone to keep the hunt going. Prizes are distributed randomly, so if you consistently hunt IP addresses, you have a chance to win.

:link: IP Summary Report of Day 3’s submissions: IP Summarization Results of 19193 IPs - IPinfo.io

Winners of the 3rd day of the IP hunt

We have selected the following 20 winners through lottery:

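| User | IP Submissions |
|---|---|
| J_B | 4 |
| Sterling | 134 |
| William | 103 |
| Aaron | 7 |
| Ampsy | 7 |
| Brian | 24 |
| exove.ovh | 8704 |
| Remy | 21 |
| rev.pm | 3754 |
| Rich | 114 |
| dirt3009 | 173 |
| Casper | 81 |
| Peter | 582 |
| sha1 | 739 |
| CHAOS.CORP | 9 |
| Person2099 | 255 |
| CLN.io | 3729 |
| yinzips | 5 |
| WhiteFireOCN | 105 |
| Luc | 272 |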

We will be reaching out to them through their IPinfo account registered emails.

What are you waiting for? Join the hunt now! Winners are picked every day through a raffle.

:link: Halloween Hunt 2023 - IPinfo.io

5 Likes

Thousands of IP addresses per day is pretty impressive, how is this accomplished?

3 Likes

Hey WhiteFireOCN,

Congratulations on winning back-to-back prizes so far.

Our working theory so far is that some users were able to reverse-engineer our app, discover the API endpoint and then hit the API endpoint using some form of botnet infrastructure. All the submitted IPs are “real IP addresses,” as the IP submissions are registered at the server logging level.

That is what we are guessing so far. We could be wrong. However, we are very sure that the requests reaching our servers are coming from real devices with actual IP addresses because the IP addresses are collected from our server log.

We kinda expected this to happen. That is why we are not doing prizes by top submissions. The random selection process means that:

  • We select a random IP address submission
  • Identify the user who submitted the IP address
  • Give them the prize only once per day

Even though these power users have an advantage, there is a fair chance to win prizes as long as all users are consistently collecting IP addresses to the best of their ability.

4 Likes
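The selection rule described in the post above (pick a random submission, credit its user, at most one prize per user per day), as an added Python sketch that is not IPinfo's code. The account names, submission counts and group labels are constructed, and the simulation estimates how much a high-volume account's advantage is capped compared with a leaderboard.

```python
import random
from collections import Counter

def draw_winners(submissions, n_winners, rng):
    """Draw daily winners from (user, ip) submission records.

    Walking a uniformly shuffled list is the same as repeatedly picking a
    random submission and discarding picks whose user has already won.
    """
    pool = list(submissions)
    rng.shuffle(pool)
    winners = []
    for user, _ip in pool:
        if user not in winners:          # one prize per user per day
            winners.append(user)
            if len(winners) == n_winners:
                break
    return winners

def build_day(counts):
    """Expand {user: submission_count} into constructed (user, ip) records."""
    return [(user, f"ip-{user}-{i}") for user, n in counts.items() for i in range(n)]

def win_rate_by_group(counts, groups, n_winners=20, days=300, seed=3):
    """Estimate each group's per-user chance of winning on a given day."""
    rng = random.Random(seed)            # seeded only so the demo is repeatable
    day = build_day(counts)
    wins = Counter()
    for _ in range(days):
        for user in draw_winners(day, n_winners, rng):
            wins[groups[user]] += 1
    sizes = Counter(groups.values())
    return {g: wins[g] / (days * sizes[g]) for g in sizes}

# Constructed population: one automated account, ten regulars, 200 casual users.
COUNTS = {"auto-0": 5000}
COUNTS.update({f"regular-{i}": 100 for i in range(10)})
COUNTS.update({f"casual-{i}": 5 for i in range(200)})
GROUPS = {user: user.split("-")[0] for user in COUNTS}

if __name__ == "__main__":
    for group, rate in win_rate_by_group(COUNTS, GROUPS).items():
        print(f"{group:8s} chance of a prize per day: {rate:.1%}")
```

For a real draw, pass `random.SystemRandom()` as `rng` so the outcome cannot be predicted from a seed.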

The reverse-engineering theory was my exact suspicion. I could tell by the giveaway winners that you guys had thought of a solution to this, so well done!

3 Likes

I think indeed, like @Abdullah is mentioning, someone reversed/inspected the app traffic and is just calling their APIs manually.

My guess would be: have some proxy/vpn:
(1) acquire a vpn/proxy IP
(2) enrich this IP using IPinfo (lol) or an alternative source
(3) send this spoofed/forged request to IPinfo (not sure IPinfo checks the precision of the GPS data, since I think it might be possible to spot that this data is fishy? (unless the forged request adds random feasible/generated real coordinates))

Regardless, playing the system like that kinda defeats the purpose of this challenge (help IPinfo with some GPS data/actual IPs from the real world)

Unless they have some phone farms going on

So I don’t think any account with more than 20-30 cities can be too legit (unless you have a bunch of friends/family/colleagues all over the world to run the app).

In my case, I asked some friends and family to install the app, send me their UUID, and open the app once or twice a day :see_no_evil:

To reach the thousands of IPs submitted in my case, I have purchased a Pixel phone + data plan (tier 1 provider), connected to power, and with a small automation I make it request a new IP from the cellular provider; the app then picks this up and transmits it. (Make sure to get a provider that has a big pool of IPs.)

So I’m transmitting actual GPS data (if they even use this?) and actual IPs just with the help of some clever automation.

I’m a freelance cyber engineer, and I work with IPinfo at multiple customers, so I’m racing some of my colleagues for a pair of IPinfo socks :sweat_smile:

5 Likes

Yeah no idea how people got up to such numbers but I’m around 700 by doing exactly what CLN did. I don’t feel guilty about it either since all those IPs actually were really assigned. Thought of getting another SIM to add a third carrier but never got to do it because I was busy. Overall the hunt has been fun so far and can’t wait to put on socks that aren’t either white or a proxy.

5 Likes

Yeah,
I was doing it on iOS first, but I need my phone during the day haha, this was my shortcuts code

So I purchased the Pixel to win a pair of IPinfo socks :sweat_smile: (great return on investment right there)

Interestingly enough, the Pixel 7a is twice as fast as an iPhone 13 at acquiring new cellular/connectivity, as the iPhone really needs its 12 seconds, the Pixel can do it in (around) 7 seconds :fire:

Again, you will probably need a “bigger” provider, I tried with some B-tier providers (eSIMs) and their pool is limited to 5~7 IPs.

I’ll see if I can share my android automation too (update: shared over here)

6 Likes

Thanks for the insight, that’s interesting! Intuitively I would have expected the IP to remain stable even across network disconnections (at least for a few minutes/hours).

3 Likes

It’s awesome to see CLN.io here as well! Welcome!!

When you joined, I visited your website. I thought you would probably do some hacky automation tricks and it is really incredible to hear your story firsthand.

The situation we have in our hands is “tricky”. We have a strong belief that these are not proxies or VPNs that are getting submitted by the top users. It is something really unique. We audited our system and verified that the submissions were actually coming from server logs.

Before we started the event, we admitted that our users are in the smartest bracket of cybersecurity professionals and when we do an event, we are going to get played in some way. That is one of the reasons why we did a lottery instead of a leaderboard. A lottery based on submissions is the most fair system.

We are wondering how some users can have access to hundreds of thousands of IP addresses. Considering the sheer volume of IP addresses that these users are submitting, we are kinda surprised. So, we are just sitting on the sidelines.

But please, don’t let the top few users discourage you in any way. Your participation is extremely valuable, and we just want to give away some merch because you use our service and this is a way to say “Thank you”.

The event is all about having fun and sharing some swag. If you submit your IPs, you have a chance to win. This is the first event we are doing, so we are learning a ton here.

2 Likes

> I don’t feel guilty about it either since all those IPs actually were really assigned.

It is all good. You should take advantage of your technical abilities.

I didn’t know carrier IP switching worked that way, to be honest. The IPs I used to test our event all came from WiFi hotspots. When we launched the event, we thought 90% of the users were going to visit coffee shops, and libraries to get the WiFi IP addresses. Hence the title “IP Hunt”.

But now, some folks are getting hotspot IP addresses, some people like you are doing automation for carrier IP switching, and then we have the top 3 users who are submitting thousands of IP addresses every day through some dark magic or something.

> Overall the hunt has been fun so far and can’t wait to put on socks that aren’t either white or a proxy.

Oh geez the socks are white :frowning: We will do the dark socks next time around. Hope you get the T-Shirts, though! Those are dark.

3 Likes

I wonder if the speed of this IP reacquisition varies by carrier, I have 3 phones dedicated to a similar process as we speak (AT&T, T-Mobile, and Verizon), but I’m not getting nearly the yield.
I agree with your statement about the “actual GPS data”, these are definitely real requests, even if merely executed quickly.

I’ve also spent quite a bit of time actually driving around and connecting to various hotspots and what not.

I also took advantage of my company’s firewalls to NAT my phone to specific IPs, which allowed me to collect a couple hundred.

I do think more than 20-30 cities is possible if you exclusively use mobile carriers, but definitely not the thousands of cities we’re seeing from some. Definitely interesting.

2 Likes

I would’ve expected this to be the case as well but I know from my experience in monitoring corporate VPN connections that mobile carrier IPs tend to be incredibly volatile. A disconnection that lasts longer than 5 minutes is basically guaranteed to yield a new IP.

Very interesting, I am genuinely curious if any mobile carriers are noticing this pattern of rapid disconnection/reconnection from anyone involved in this hunt lol

1 Like

Well, I must say getting thousands of IPs was quite fun but took a while to figure out how everything works :smirk:

3 Likes

It feels unfair on one side, but on the other side it’s also quite smart lmao

4 Likes

That was my thought too initially but I guess it doesn’t matter if the giveaways are lottery-based and not leaderboard-based.

I considered being “evil” and attempting to follow the same reverse-engineering path but I didn’t really see the point lol

5 Likes

Do my eyes deceive me, or is it the man, the myth, the legend - Exove?

2 Likes

Well, thanks for giving me the idea too :wink:

3 Likes

Of course it’s me :wink:

3 Likes

We didn’t start the event with a plan to have a CTF of reverse engineering our production release app and submitting thousands of IP addresses. But I guess that is the direction we are going towards.

It was supposed to be like PokemonGO for IP addresses!!! How am I supposed to explain why we have hundreds of thousands of IP submissions with 250 users?

3 Likes

maybe we should slow down yeah <3

3 Likes