IP spoofing bug in Rails makes pivotaltracker.com return 500 Internal Server Error
Hi,
If you look into your production logs, you'll find a lot of 500 Internal Server Error responses from my IP 80.58.205.53.
I'm experiencing with pivotaltracker.com the same problem I had with diigo.com, a social bookmarking site on Rails.
It seems that my internet connection at work (Telefonica, from Barcelona, Spain) is forwarding the HTTP request, and Rails interprets the request as if it were an
"IP spoofing attack"
I haven't been able to reproduce the problem, nor write any tests, hence I don't understand it completely :-( Oddly enough, https requests work but anything over http does not ....
Below, you'll find a traceroute and the emails exchanged with diigo until they fixed the problem.
Here is the patch they used:
module ActionController
  class AbstractRequest
    def remote_ip
      # Only believe the proxy headers when the TCP peer is one of our own proxies.
      if TRUSTED_PROXIES !~ @env['REMOTE_ADDR']
        return @env['REMOTE_ADDR']
      end

      if @env.include? 'HTTP_CLIENT_IP'
        # The Rails 2.1.0 spoofing check is commented out by this patch, so a
        # request carrying both Client-IP and X-Forwarded-For is accepted
        # and Client-IP wins. (The heredoc was swallowed by the page
        # extraction; its message is the one shown in the failsafe log below.)
        # if @env.include? 'HTTP_X_FORWARDED_FOR'
        #   # We don't know which came from the proxy, and which from the user
        #   raise ActionControllerError.new(<<EOM)
        # IP spoofing attack?!
        # HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}
        # HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}
        # EOM
        # end
        return @env['HTTP_CLIENT_IP']
      end

      if @env.include? 'HTTP_X_FORWARDED_FOR'
        remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',')
        # Drop trusted proxies from the right until the first foreign hop remains.
        while remote_ips.size > 1 && TRUSTED_PROXIES =~ remote_ips.last.strip
          remote_ips.pop
        end
        return remote_ips.last.strip
      end

      @env['REMOTE_ADDR']
    end
  end
end
Hope it'll help,
JM
traceroute pivotaltracker.com
traceroute to pivotaltracker.com (65.74.177.139), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 1.942 ms 2.496 ms 10.019 ms
2 192.168.153.1 (192.168.153.1) 42.299 ms 44.462 ms 48.581 ms
3 83.Red-80-58-34.staticIP.rima-tde.net (80.58.34.83) 55.051 ms 58.179 ms 62.247 ms
4 So-3-0-0-0-grtbcntb1.red.telefonica-wholesale.net.9.16.84.in-addr.arpa (84.16.9.245) 67.076 ms 69.642 ms 73.271 ms
5 So2-1-0-0-grtparix3.red.telefonica-wholesale.net (213.140.36.202) 96.266 ms 98.677 ms 102.597 ms
6 te-3-3.car1.Paris1.Level3.net (212.73.207.45) 109.261 ms te-4-1.car1.Paris1.Level3.net (212.73.207.69) 84.144 ms te-7-3.car1.Paris1.Level3.net (212.73.207.97) 138.045 ms
7 ae-32-52.ebr2.Paris1.Level3.net (4.68.109.62) 150.249 ms 151.818 ms 152.351 ms
8 ae-44.ebr2.Washington1.Level3.net (4.69.137.62) 241.837 ms ae-43.ebr2.Washington1.Level3.net (4.69.137.58) 240.114 ms ae-41.ebr2.Washington1.Level3.net (4.69.137.50) 259.438 ms
9 ae-62-62.csw1.Washington1.Level3.net (4.69.134.146) 260.033 ms ae-72-72.csw2.Washington1.Level3.net (4.69.134.150) 261.209 ms ae-62-62.csw1.Washington1.Level3.net (4.69.134.146) 260.605 ms
10 ae-84-84.ebr4.Washington1.Level3.net (4.69.134.185) 272.880 ms ae-94-94.ebr4.Washington1.Level3.net (4.69.134.189) 278.042 ms ae-64-64.ebr4.Washington1.Level3.net (4.69.134.177) 276.750 ms
11 ae-3.ebr4.NewYork1.Level3.net (4.69.132.94) 277.376 ms 294.685 ms 299.577 ms
12 ae-2.ebr4.SanJose1.Level3.net (4.69.135.185) 480.107 ms 495.983 ms 496.557 ms
13 ae-74-74.csw2.SanJose1.Level3.net (4.69.134.246) 500.128 ms 224.102 ms ae-94-94.csw4.SanJose1.Level3.net (4.69.134.254) 218.197 ms
14 ae-61-61.ebr1.SanJose1.Level3.net (4.69.134.193) 213.984 ms ae-81-81.ebr1.SanJose1.Level3.net (4.69.134.201) 228.485 ms ae-71-71.ebr1.SanJose1.Level3.net (4.69.134.197) 234.172 ms
15 ae-4-4.car2.Sacramento1.Level3.net (4.69.132.157) 242.832 ms 243.477 ms 244.800 ms
16 ae-11-11.car1.Sacramento1.Level3.net (4.69.132.149) 251.427 ms 261.191 ms 260.420 ms
17 SUREWEST-CO.car1.Sacramento1.Level3.net (64.158.144.2) 263.631 ms 214.342 ms 217.927 ms
18 246.98-30-64.ftth.swbr.surewest.net (64.30.98.246) 223.704 ms 230.192 ms 233.755 ms
19 207.183.253.29 (207.183.253.29) 236.208 ms 237.883 ms 245.458 ms
20 207.231.64.34 (207.231.64.34) 248.219 ms 248.765 ms 257.266 ms
21 ge1-1.vrrp-e-uds7-8-sacca.heraklesdata.net (65.74.128.14) 257.873 ms 264.664 ms 267.903 ms
22 245.157.74.65.static.heraklesdata.net (65.74.157.245) 271.855 ms 272.517 ms 320.782 ms
23 139.177.74.65.static.xc88.engineyard.com (65.74.177.139) 316.233 ms 323.610 ms 321.257 ms
The emails I exchanged with diigo before they solved the problem
---------- Forwarded message ----------
From: Joel diigo.com>
Date: Tue, Sep 9, 2008 at 12:26 PM
Subject: Re: diigo.com is down ...
2.1.0. Y, we wrote the patch ourselves, and I heard that the problem was fixed in Rails 2.1.1.
On Tue, Sep 9, 2008 at 6:19 PM, Jean-Michel wrote:
Cheers, what version of Rails are you running? Did you write a patch yourself? Did you write a test to fix Rails?
I just upgraded to Rails 2.1.1
Thanks for all the info, feel free to reply to my questions only if you have time
---------- Forwarded message ----------
From: Joel
Date: Tue, Sep 9, 2008 at 11:42 AM
Subject: Re: diigo.com is down ...
To: Jean-Michel
Y. We use RoR :).
It's an "IP spoofing attack" which makes Rails raise errors (before calling our app code).
/!\ FAILSAFE /!\ Mon Sep 08 23:39:45 +0000 2008
Status: 500 Internal Server Error
IP spoofing attack?!
HTTP_CLIENT_IP="74.6.21.254"
HTTP_X_FORWARDED_FOR="74.6.21.254, 74.6.17.185"
You can require the patch file in (application.rb) to avoid the problem.
On Tue, Sep 9, 2008 at 4:11 PM, Jean-Michel wrote:
Bingo!!! Woohoo! It works :-) You guys rock.
I suspect you are using Ruby on Rails, aren't you? And my HTTP request had something weird which somehow throws an Exception ...
The same thing happened with many other sites on Rails, like https://www.pivotaltracker.com
Cheers,
JM
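To make the failure mechanism concrete, here is an added, stand-alone Ruby example (not code from the original post, from diigo, or from Rails itself) that re-implements the client-IP resolution Rails 2.1 performed in remote_ip and replays the two header values from the diigo failsafe log above. The TRUSTED_PROXIES pattern is the one Rails 2.1 shipped; the strict/relaxed switch, the resolve helper, the IpSpoofingAttack class and the REMOTE_ADDR value 10.0.0.5 are assumptions made for this example. The strict branch mirrors 2.1.0 (reject any request carrying both Client-IP and X-Forwarded-For); the relaxed branch mirrors the later Rails behaviour, which objects only when Client-IP is absent from the X-Forwarded-For list.

```ruby
# Added example (not the page's code and not Rails itself): a stand-alone
# re-implementation of the client-IP resolution Rails 2.1 did in
# ActionController::AbstractRequest#remote_ip, so the request from the
# diigo failsafe log can be replayed offline.

# Addresses Rails 2.1 treats as proxies: loopback and the RFC 1918 ranges.
TRUSTED_PROXIES = /^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\./i

# Assumed error class standing in for Rails' ActionControllerError.
class IpSpoofingAttack < StandardError; end

# Resolve the client IP from a CGI/Rack-style env hash.
#   strict: true  -> Rails 2.1.0 behaviour: a request carrying BOTH
#                    Client-IP and X-Forwarded-For is rejected outright.
#   strict: false -> relaxed check: reject only when Client-IP is not one
#                    of the addresses listed in X-Forwarded-For.
def remote_ip(env, strict:)
  # Proxy headers are only believed when the TCP peer is a trusted proxy;
  # from anyone else REMOTE_ADDR is the answer, whatever the headers say.
  return env['REMOTE_ADDR'] if TRUSTED_PROXIES !~ env['REMOTE_ADDR']

  forwarded = env['HTTP_X_FORWARDED_FOR']
  forwarded_ips = forwarded ? forwarded.split(',').map(&:strip) : nil

  if env.include?('HTTP_CLIENT_IP')
    client_ip = env['HTTP_CLIENT_IP']
    suspicious = if strict
                   !forwarded_ips.nil?
                 else
                   !forwarded_ips.nil? && !forwarded_ips.include?(client_ip)
                 end
    if suspicious
      raise IpSpoofingAttack,
            "IP spoofing attack?! HTTP_CLIENT_IP=#{client_ip.inspect} " \
            "HTTP_X_FORWARDED_FOR=#{forwarded.inspect}"
    end
    return client_ip
  end

  if forwarded_ips
    # Walk back from the right-most hop, dropping our own proxies, until the
    # first address that did not come from a trusted proxy remains.
    forwarded_ips.pop while forwarded_ips.size > 1 && TRUSTED_PROXIES =~ forwarded_ips.last
    return forwarded_ips.last
  end

  env['REMOTE_ADDR']
end

# Constructed env replaying the request the diigo failsafe log recorded.
# The two header values are taken from the log; REMOTE_ADDR is a made-up
# address standing in for the site's own reverse proxy.
LOGGED_REQUEST = {
  'REMOTE_ADDR'          => '10.0.0.5',
  'HTTP_CLIENT_IP'       => '74.6.21.254',
  'HTTP_X_FORWARDED_FOR' => '74.6.21.254, 74.6.17.185',
}.freeze

# Assumed helper: returns :rejected or the resolved IP so both policies can
# be compared side by side without letting the exception escape.
def resolve(env, strict:)
  remote_ip(env, strict: strict)
rescue IpSpoofingAttack
  :rejected
end

if $PROGRAM_NAME == __FILE__
  puts "Rails 2.1.0 style check: #{resolve(LOGGED_REQUEST, strict: true)}"
  puts "Relaxed check:           #{resolve(LOGGED_REQUEST, strict: false)}"
end
```

Run directly, the strict policy reports the logged request as rejected while the relaxed one resolves it to 74.6.21.254, which is why a request that passed through an ISP proxy setting both headers produced a 500 on 2.1.0 and not after the fix. Note that loosening the comparison does not widen who is believed: the headers still only count when REMOTE_ADDR matches TRUSTED_PROXIES, so that pattern, not the header check, is the setting to review when a site sits behind a load balancer on a public address.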
The company marked this problem solved.
Thanks for letting us know and for providing so much information.
Mark