Require X-Forwarded-For (or a similar header) for verification requests to address DDOS issue

[npdoty]

I think the spec should say that, when a receiver makes a verification request, it MUST include such a header, in order to mitigate abuse. The value should be set to the sender's IP address.

It looks like Akismet/WordPress settled on X-Pingback-Forwarded-For, but I think X-Forwarded-For is sufficient and has the right semantics. (We don't need X-whatever-Forwarded-For for every different type of pingback/linkback/etc., right? They're all doing the same thing.)

A little more detail on the indiewebcamp wiki.

[ePirat]

That header is actually used for reverse proxying i.e. with nginx and set by the server to the correct originating IP address so this would conflict with that, as just blindly trusting a value that the requesting client can set is not a good idea.
Actually I dont see a huge benefit having an additional header specifying the senders IP address as the webserver usually can determine that, maybe you can clarify what the usecase would be?

[npdoty]

The purported source server typically won't be able to identify the sender's IP address (unless we add a header requirement). Any sender can tell a receiver that a webmention is present and prompt them to issue a request to the purported source server (which the receiver does as part of the webmention verification process); the spec does not require or even expect that the source and the sender will be the same IP address. If the purported source server can't see which of those requests are actually prompted by the same sender, then they can't effectively filter out distributed denial of service requests. We've seen this happen in widescale abuse in the case of Pingback.

If there are cases where X-Forwarded-For would already be filled in by internal servers, then we could use X-Pingback-Forwarded-For, which Akismet/WordPress are actively using to mitigate against this attack. But without including the sender IP address in some header, this will become a trivial way to distribute denial of service attacks which would otherwise be obviously from a single IP address and easily mitigated.

[aaronpk]

the spec does not require or even expect that the source and the sender will be the same IP address

This is a feature, not a bug. This allows separate systems to send webmentions on behalf of a website, for example so that a separate server can send webmentions for websites hosted statically on Github Pages or Amazon S3.

[npdoty]

@aaronpk agreed, I love this feature! I was just noting that such a requirement didn't exist, which meant that the source IP address isn't intended to be an indicator of the sender IP address, which is why we need to include the sender IP address to facilitate DDoS mitigation (and can't just look up the source IP address to identify abuse).

[aaronpk]

I guess I don't see how this helps at all, can you explain further? What does the receiver do with the reported IP address? What happens if someone sends a webmention with a spoofed IP address in the header?

[npdoty]

Does the wiki page help explain? http://indiewebcamp.com/DDOS#Forward_originating_IP_address
If not, I can expand further here, but I'm struggling a little with saying the same thing in all the different discussions, so I'm not sure how to describe it more effectively.

X-Forwarded-For wouldn't be sent/spoofed by the attacker, but by the recipient, who is making a verification request to the purported source site. The attacker can send many different recipients notices of a webmention and thus get them all to send traffic to the same purported source site. This distributes the Denial of Service attack into many different IP addresses, from an attacker using a single IP address. If all those recipients use X-Forwarded-For (or similar) header, then the attack can be identified and filtered out. It is the same threat model and solution used for Pingback, as deployed by Akismet and WordPress.

[aaronpk]

Okay I see, that makes sense now. I think this description would need to be rephrased again slightly to make it more obvious what the purpose is and how it should be used on the receiving end before it would end up in the Webmention spec.

I definitely agree that X-Forwarded-For is not an appropriate header, since that is often used by nginx and apache in proxy mode to indicate the external requester's IP address. I actually don't think "forward" is a good term to use for this either.