Many years ago, some person misconfigured their squid proxy and was hitting https://jsonip.com to the point my server at the time was turning green in the gills.
I started responding with 418 "You are a tea kettle" or something like that to those specific requests. The originating dev actually paid attention to their error messages and quickly resolved their config issue.
Fast forward to March this year. Some fucking numb nuts a-hole decided to add jsonip.com to an EXTREMELY widely used version of Dalvik/Android software that gets deployed to hundreds of thousands or millions of devices.
Overnight my traffic levels increased by 300%. I'm a solo dev offering a free service for 12 years. That kind of increase in traffic costs me money I've never had to plan for.
I ended up switching to Cloudeflare to handle the load with a WAF filter on the offending android tvs and other devices.
However Cloudflare doesn't properly route ipv4 address because "ipv6 is cool so we only do that" or something. Despite numerous support requests, that's still shmaybe an enterprise level feature.
I apologize to any long time users of the service. This was completely unexpected after more than a decade. I've been trying different "fixes" for 2 months and have not resolved a way to block this garbage traffic and still provide the original services.
Yea sorry I turned this funny old internet post about the mit coffee pot into a thing happening to me.
But if for some ungodly reason you're the dev or know who did it, REMOVE MY SERVICE ADDRESS FROM YOUR OUT OF DATE FROM TV/SMART DEVICE ANDROID code. You're literally fucking killing me. I've literally spend dozens of hours trying to find out if this was a contribution to a public source repo. Nothing.
Based on the Dalvik user agent, I only found a handful of references in Chinese repos. But google search is so terrible these days, even those are false flags.
So I have no idea who to contact about this. Some dipshit on your team(s) decided to abuse a free service as though there isn't a single human person behind it absorbing the costs and making sure it runs.
Could you start returning wrong answers, "country":"TW" should do it.
We had to deal with image scrapers who didn't respond to requests to stop, even if we provided an API service. I configured nginx to just serve them images of a beaver and a few 1GB junk files, they stopped pretty quickly.
Wikipedia had a similar situation with a single flower image being requested so many times.
I can't find the story and don't remember it well, but I think it was a big indian company using this image to check if internet was available.
IMHO, one of the problems is that many dev. don't realize both the size of their company and the impact of so many requests.
I hop you'll find a solution, and thank you for your service!
PS: maybe you should create a dedicated post about this subject to attract visibility
That’s typically why it’s a good idea to include a crappy “generate API” key button so you can block traffic like this, you don’t even need a registration process - someone can just email with reference to their API key to discuss their issues.
Sorry but I laughed aloud at all the swearing! But yes, I empathise complelely with your situation. People abusing someone else's free service really gets my goat. I hope this situation is resolved soon.
I do agree with one of the other comments - returning something about Taiwan or Tiannenmen square may do the trick
“However Cloudflare doesn't properly route ipv4 address because "ipv6 is cool so we only do that" or something. Despite numerous support requests, that's still shmaybe an enterprise level feature.”
jgc@cloudflare.com if you can share your interactions with us.
We see your exact Dalvik problem on deepl.com as well. We get a constant flood of those requests, sometimes subsiding. They are globally distributed, preliminary in lower-income countries. We have tried lots of things, like letting them just time out, returning different errors, redirecting of many sorts including Android intents, no solution. They now made it to our permanent blocklist and we just deal with the useless additional traffic.
We are still hyper curious what on earth is loading us and for what reason though. AFAIK we couldn't see translation requests from them, just loading our website.
1. Check your competitors who return json and see if they have a Location header 301'ing or 302'ing all their traffic to your service (if the client follows redirects).
2. Reverse dns lookup your origin ips and see if anyone has a domain's dns pointed at your service. Check the Host header on your end and make sure it's your domain as well as ensure your web server and/or proxy are not blindly accepting traffic for `*`/any host, and make sure it's serving only your host
3. Ip address headers can be spoofed. It might not be coming from where you think it's coming from
> However Cloudflare doesn't properly ... Despite numerous support requests, that's still shmaybe an enterprise level feature.
This matches my experience. I'd use the CF free plan assuming no guarantees for a low risk site like my personal site, and I'd use the expensive enterprise plan where I'm paying individually for features and quota, but I'd never use the middle-ground "sure it's unlimited!" plan – it's far too vague about what it _actually_ provides.
Going further with jsonip Plus
With the upcoming Plus service, you get special features and
even more information about your users.
- All of the free service features
- IP geo location - Country and city to within best available accuracy
- ISP Info
- Time zone data
- Full referer data
- Browser and OS info
A paid service has been "upcoming" since at least August 2020, which would subsidize the free tier usage you allow on your site. Aside from the ISP and geo data, everything else is given to you in the request headers or can be determined with the ip address (geo can get tz).
If it's costing you money, shipping the Plus features might offset your out of pocket expenses.
This is a failure of growth/capacity planning and lack of a proper TOS that clarifies "unlimited within reason and at our sole discretion with no SLA or warranty of any kind for non-paying users", as well as failure to ship any monetizing features 3 years after announcing it.
Contacting them to have them stop wouldn't solve your problems. What happens when the next million devices get random updates from literally anybody that starts doing it again? Try to implement rate limiting, optimize your hot code paths, watch out for slow clients (buffered reverse proxies), needless header parsing, slow template rendering, etc. Any language capable of concurrency should be able to handle 100s of thousands of requests on a cheap vm. The client ip is coming to you in the request headers and all you do is print it back to them... A go handler would be a few lines of code to do this and that's including dealing with reverse proxy real-ip type stuff. You don't need to allocate an actual struct and serialize into a json object, just printf a hardcoded string with a replacement for the ip from the header, or better yet benchmark the fastest solution.
I hate to add to your headache, but multiple pihole ad blacklists contain your domain. It looks like https://winhelp2002.mvps.org/ may be the original source of the blacklisting.
No, sorry this is 100% on you. You should have implemented throttling, and daily query limits. Once you put something on the internet for free, you can't complain then if people are using it.
I honestly use this a lot when I'm testing, because it's basically the only response that can show up where I know god damned well that it's only happening because I programmed it to happen under certain conditions.
edit: a common one for me is that if any test passes a post request without a csrf token... sorry, I'm a teapot, because I forgot to add a csrf token to that form.
I like to respond with 418 as the catch all response code for mock web services for requests that dont match any installed expected requests. The reasoning is sometimes 404 is a valid mock response for some test cases, so I needed the "404 for mocks" that would never appear on any legit service. Very clearly highlights when something is going wrong on a test.
Every time this pops up, I'm reminded of the day that the NPM registry started returning 418 responses for users accessing it via corporate HTTP proxies.
I remember being at a training course that day and my manager asking me what we could do to fix it because our CI was failing to pull dependencies from NPM.
Trying to explain that NPM was returning a status code intended as an April Fools joke and which was never meant to see the light of production was quite difficult
Perhaps I can fix a lot of things but debugging a response code that isn't meant to exist is not one of them.
I think there should be a "555 Bad Timer" error for when servers can't keep up or are running slow. Like a "429 Too Many Requests" error but it's the server's fault.
Found this while scouring this list of HTTP status codes, because I wanted to make sure I was giving appropriate responses in this web API I'm developing.
There is no shortage of numbers. I wonder if it would make sense for every web-server ot have its own status-code if up and running? Of course they would have to be registered somewhere.
The whole point of protocols is to get the same results on the same situation regardless of server implementation. What could possibly be gained by returning intentionally different error codes?
This has nothing to do with servers though. It's in context to the requested resource. If you want to check if a server is alive it's happening several layers below an HTTP request.
As an SRE, please don’t use this for internal tools to be cute. It’s not helpful, and in 5 years time when you’re long gone and something breaks at 2am, it’s incredibly frustrating.
geuis|2 years ago
I started responding with 418 "You are a tea kettle" or something like that to those specific requests. The originating dev actually paid attention to their error messages and quickly resolved their config issue.
Fast forward to March this year. Some fucking numb nuts a-hole decided to add jsonip.com to an EXTREMELY widely used version of Dalvik/Android software that gets deployed to hundreds of thousands or millions of devices.
Overnight my traffic levels increased by 300%. I'm a solo dev offering a free service for 12 years. That kind of increase in traffic costs me money I've never had to plan for.
I ended up switching to Cloudeflare to handle the load with a WAF filter on the offending android tvs and other devices.
However Cloudflare doesn't properly route ipv4 address because "ipv6 is cool so we only do that" or something. Despite numerous support requests, that's still shmaybe an enterprise level feature.
I apologize to any long time users of the service. This was completely unexpected after more than a decade. I've been trying different "fixes" for 2 months and have not resolved a way to block this garbage traffic and still provide the original services.
Yea sorry I turned this funny old internet post about the mit coffee pot into a thing happening to me.
But if for some ungodly reason you're the dev or know who did it, REMOVE MY SERVICE ADDRESS FROM YOUR OUT OF DATE FROM TV/SMART DEVICE ANDROID code. You're literally fucking killing me. I've literally spend dozens of hours trying to find out if this was a contribution to a public source repo. Nothing.
Based on the Dalvik user agent, I only found a handful of references in Chinese repos. But google search is so terrible these days, even those are false flags.
So I have no idea who to contact about this. Some dipshit on your team(s) decided to abuse a free service as though there isn't a single human person behind it absorbing the costs and making sure it runs.
mrweasel|2 years ago
We had to deal with image scrapers who didn't respond to requests to stop, even if we provided an API service. I configured nginx to just serve them images of a beaver and a few 1GB junk files, they stopped pretty quickly.
dannyw|2 years ago
> Supports unlimited requests and is free.
Maybe update that text? There is no guidance on acceptable thresholds, rate limits, etc.
n0n0n4t0r|2 years ago
IMHO, one of the problems is that many dev. don't realize both the size of their company and the impact of so many requests.
I hop you'll find a solution, and thank you for your service!
PS: maybe you should create a dedicated post about this subject to attract visibility
Mandatum|2 years ago
ransackdev|2 years ago
Fyi, dns can be used to obtain public ip from large companies, without the overhead of tcp and http
dig +short txt ch whoami.cloudflare @1.0.0.1
dig +short txt o-o.myaddr.l.google.com @ns1.google.com
dig +short myip.opendns.com @resolver1.opendns.com
ozr|2 years ago
gnfargbl|2 years ago
Take a look at https://major.io/2021/06/06/a-new-future-for-icanhazip/, if you haven't seen it already.
pkphilip|2 years ago
I do agree with one of the other comments - returning something about Taiwan or Tiannenmen square may do the trick
jgrahamc|2 years ago
“However Cloudflare doesn't properly route ipv4 address because "ipv6 is cool so we only do that" or something. Despite numerous support requests, that's still shmaybe an enterprise level feature.”
jgc@cloudflare.com if you can share your interactions with us.
timbuchwaldt|2 years ago
ransackdev|2 years ago
1. Check your competitors who return json and see if they have a Location header 301'ing or 302'ing all their traffic to your service (if the client follows redirects).
2. Reverse dns lookup your origin ips and see if anyone has a domain's dns pointed at your service. Check the Host header on your end and make sure it's your domain as well as ensure your web server and/or proxy are not blindly accepting traffic for `*`/any host, and make sure it's serving only your host
3. Ip address headers can be spoofed. It might not be coming from where you think it's coming from
danpalmer|2 years ago
This matches my experience. I'd use the CF free plan assuming no guarantees for a low risk site like my personal site, and I'd use the expensive enterprise plan where I'm paying individually for features and quota, but I'd never use the middle-ground "sure it's unlimited!" plan – it's far too vague about what it _actually_ provides.
ransackdev|2 years ago
https://getjsonip.com/#plus
https://web.archive.org/web/20200811215649/https://getjsonip...A paid service has been "upcoming" since at least August 2020, which would subsidize the free tier usage you allow on your site. Aside from the ISP and geo data, everything else is given to you in the request headers or can be determined with the ip address (geo can get tz).
If it's costing you money, shipping the Plus features might offset your out of pocket expenses.
This is a failure of growth/capacity planning and lack of a proper TOS that clarifies "unlimited within reason and at our sole discretion with no SLA or warranty of any kind for non-paying users", as well as failure to ship any monetizing features 3 years after announcing it.
Contacting them to have them stop wouldn't solve your problems. What happens when the next million devices get random updates from literally anybody that starts doing it again? Try to implement rate limiting, optimize your hot code paths, watch out for slow clients (buffered reverse proxies), needless header parsing, slow template rendering, etc. Any language capable of concurrency should be able to handle 100s of thousands of requests on a cheap vm. The client ip is coming to you in the request headers and all you do is print it back to them... A go handler would be a few lines of code to do this and that's including dealing with reverse proxy real-ip type stuff. You don't need to allocate an actual struct and serialize into a json object, just printf a hardcoded string with a replacement for the ip from the header, or better yet benchmark the fastest solution.
I'll do it for you, I'm looking for a job ;)
Dalewyn|2 years ago
Obligatory https://xkcd.com/2347/
RobotToaster|2 years ago
takenpilot|2 years ago
Neat!
christiangenco|2 years ago
netsharc|2 years ago
Literally being killed? Call the police!!!11
megablast|2 years ago
Wow, that's crazy.
ricardobayes|2 years ago
scoofy|2 years ago
edit: a common one for me is that if any test passes a post request without a csrf token... sorry, I'm a teapot, because I forgot to add a csrf token to that form.
EdSharkey|2 years ago
duxup|2 years ago
It’s just my general “something particularly odd has happened” response.
JimDabell|2 years ago
derbOac|2 years ago
https://httpcats.com/
noman-land|2 years ago
steanne|2 years ago
https://http.dog/418
moffkalast|2 years ago
Is this the one that gets sent if the server temperature rises above 80 deg?
aledalgrande|2 years ago
spondyl|2 years ago
I remember being at a training course that day and my manager asking me what we could do to fix it because our CI was failing to pull dependencies from NPM.
Trying to explain that NPM was returning a status code intended as an April Fools joke and which was never meant to see the light of production was quite difficult
Perhaps I can fix a lot of things but debugging a response code that isn't meant to exist is not one of them.
https://github.com/npm/npm/issues/20791
portsnadaptors|2 years ago
palebluedot|2 years ago
https://search.censys.io/search?resource=hosts&q=services.ht...
perilunar|2 years ago
News-Dog|2 years ago
I'm looking forward to the extended protocol Sugar bowl.. A parody of 'I'm a Little Teapot' : https://en.wikipedia.org/wiki/I'm_a_Little_Teapot
'I'm a little teapot short and stout... here is my handle... here is my handle... Oh fv<k!, I'm a sugar bowl'
astrea|2 years ago
dclowd9901|2 years ago
deceptionatd|2 years ago
http://www.gnuterrypratchett.com/
aledalgrande|2 years ago
Protect the code!
sva_|2 years ago
Tcepsa|2 years ago
eyelidlessness|2 years ago
SirAllCaps|2 years ago
anonymousiam|2 years ago
nonethewiser|2 years ago
buggy6257|2 years ago
https://github.com/3digitdev/Haiku-TTP-Codes
Doesn’t have any for 418 yet though… a PR may be in order!
egypturnash|2 years ago
pugworthy|2 years ago
renewiltord|2 years ago
cortesoft|2 years ago
IChooseY0u|2 years ago
booi|2 years ago
pabs3|2 years ago
nyolfen|2 years ago
ChrisMarshallNY|2 years ago
I also return a teapot emoji as the response body.
https://emojipedia.org/teapot/
unknown|2 years ago
[deleted]
plutaniano|2 years ago
Building integrations for duct-taped legacy systems in finance is fun.
replygirl|2 years ago
Aeolun|2 years ago
dutchbrit|2 years ago
Scalene2|2 years ago
noman-land|2 years ago
justblue|2 years ago
[deleted]
galaxyLogic|2 years ago
tsimionescu|2 years ago
notatoad|2 years ago
ceejayoz|2 years ago
skeeter2020|2 years ago
mrmincent|2 years ago