Deutsche Bahn's Linux Lockout: When Bot Detection Goes Wrong
For users of the Linux operating system, booking a train ticket through Deutsche Bahn (DB) has recently become an exercise in frustration. In a move that highlights the pitfalls of rigid automated security, the German railway company's website has begun blocking access to its connection search and booking tools for users whose browsers identify as running on Linux.
This issue has sparked significant discussion within the tech community, illustrating how simplistic bot-detection mechanisms can inadvertently alienate a legitimate segment of the user base.
The "Bot" Error: Error Code 751
Reports from users on platforms like Reddit and the editorial team at heise online indicate that Linux users are being met with a specific error message when attempting to search for connections. The error page displays Error Code 751, accompanied by the plain text warning:
"We are sorry, an error occurred during this process. Your browser's behavior resembles that of a bot."
Interestingly, the lockout is not universal across the entire site. While the homepage (bahn.de) remains accessible, the error typically triggers the moment a user initiates a request for a connection search. Some users report the error appearing immediately, while others only encounter it after several attempts.
The Root Cause: User-Agent Filtering
Technical analysis reveals that the block is not based on IP addresses or complex behavioral analysis, but rather on a simple check of the browser's User-Agent (UA) string. The User-Agent is a piece of information sent by the browser to the server to identify the operating system and browser version.
Tests conducted by heise online confirmed that the block is specifically tied to the presence of the word "Linux" in the UA string. The results were consistent across different browsers:
- Firefox on Windows 11: If the User-Agent is manually changed to include "Linux," the website triggers the bot error.
- Chrome on Linux: Despite being a mainstream browser, Chrome users are blocked if the UA string identifies the OS as Linux.
- Safari on macOS: The block can even be provoked on macOS by spoofing a Linux User-Agent.
Essentially, if the server sees "Linux" in the identifier, it assumes the request is coming from a bot, regardless of the actual browser or behavior.
Workarounds for Affected Users
For those currently unable to book tickets, the solution is to "spoof" the User-Agent to make the browser appear as if it is running on Windows.
In Firefox, this can be achieved via the following steps:
- Type about:config in the address bar and accept the risk.
- Search for general.useragent.override.
- Create a new string entry with a Windows-based User-Agent identifier.
Once the identifier is changed from "Linux" to "Windows," access to the booking system is restored immediately.
Analysis: The Danger of "Vibe Coding" Security
While Deutsche Bahn has not yet provided an official explanation for the behavior, the community has speculated on how such a blunt instrument of security could be implemented. One Hacker News commenter suggested that this might be the result of "vibe coding"—using LLMs to generate security patches without deep architectural oversight.
"Someone vibe coded an attempt at improving security, and their LLM recommended limiting the User Agent string to some number of the top 10 agents. Voila - no Linux."
Whether the result of an LLM suggestion or a legacy security rule, the outcome is the same: a failure to recognize that a significant portion of the technical population uses Linux. By treating an entire operating system as a proxy for "bot-like behavior," DB has created a security measure that provides little actual protection (since real bots can easily spoof User-Agents) while actively harming the user experience for legitimate customers.
This incident serves as a reminder that security should be based on behavior and intent, not on the superficial identifiers provided by the client.
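The contrast drawn above, as an added example (not code from Deutsche Bahn, heise online or this article): the substring rule the article describes is run next to a simple per-client request-rate check over the same traffic, and the false positives and false negatives of each are reported. The client ids, timestamps, User-Agent strings and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (client_id, seconds, User-Agent). Not real DB logs.
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
REQUESTS = (
    [("human-linux", t, LINUX_UA) for t in (0, 40, 95)]    # 3 searches in ~95 s
    + [("human-windows", t, WIN_UA) for t in (5, 70)]      # 2 searches
    + [("scraper", t * 0.5, WIN_UA) for t in range(40)]    # 40 searches in 20 s, Windows UA
)

def ua_rule(user_agent):
    """The rule the article describes: flag any UA containing 'Linux'."""
    return "Linux" in user_agent

def flagged_by_ua(requests):
    return {cid for cid, _, ua in requests if ua_rule(ua)}

def flagged_by_rate(requests, max_requests=10, window=60.0):
    """Flag clients that exceed max_requests inside a sliding window (seconds).
    Thresholds are illustrative assumptions, not values from the article."""
    recent = defaultdict(deque)
    flagged = set()
    for cid, ts, _ in sorted(requests, key=lambda r: r[1]):
        q = recent[cid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(cid)
    return flagged

def compare(requests, automated=frozenset({"scraper"})):
    """Score both checks against the known labels of the constructed clients."""
    clients = {cid for cid, _, _ in requests}
    checks = {"ua": flagged_by_ua(requests), "rate": flagged_by_rate(requests)}
    return {
        name: {
            "false_positives": sorted(flagged - automated),
            "false_negatives": sorted((clients & automated) - flagged),
        }
        for name, flagged in checks.items()
    }

if __name__ == "__main__":
    for name, outcome in compare(REQUESTS).items():
        print(name, outcome)
```

In production the client key would be a session or network identifier rather than a label, and a rate threshold is only one behavioral signal among several.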