Deutsche Bahn: "No general blocking of individual operating systems"

Deutsche Bahn appears to be excluding Linux computers from searching for connections on the bahn.de website in particular. At the latest, after a few clicks for further travel periods, an error page appears with the error code 751 and the description “your browser's behavior resembles that of a bot” – still on Thursday of this week. The railway company has now provided an explanation.

In response to a query from heise online, a spokesperson for Deutsche Bahn stated that there is no general blocking of individual operating systems: “In principle, both the bahn.de website and the DB Navigator can be used with Linux operating systems and less common browser/operating system combinations.” On the contrary, the railway company supports various systems.

However, to ensure the security of customers and to defend against automated attacks, the company relies on “modern security mechanisms” that “evaluate access behavior, network or IP address ranges, and technical specificities of the browser.” These are heuristically operating systems that orient themselves by clues and patterns to identify potential risks.

Deutsche Bahn: False alarms possible

False alarms (“false positives”) cannot be ruled out in rare cases with the detection mechanisms used, the spokesperson continued. Regular accesses could therefore “temporarily be incorrectly classified as suspicious and restricted.” Deutsche Bahn is working to improve the detection mechanisms and reduce false alarms. All cases known to the railway company have been evaluated. The findings are to be used continuously to improve the systems and adapt them to “real usage scenarios.”

One trigger for the use of such security mechanisms can be bots that systematically retrieve data on connections and, above all, delays. Such scraping has been around for a long time. The widespread availability of AI coding tools, with which even private hobbyists with little or no programming experience can build software that retrieves data from the railway company, is likely to result in many bot calls. If laypeople do not provide instructions to the AI, it often obtains the data resource-intensively by scraping the website.

However, there is an alternative: Deutsche Bahn provides many data via an open API. This now also allows querying planned and actual connection data again.

However, a quick test under Windows with the user agent changed to Linux in the web browser still shows the behavior that searching for a connection immediately triggers a bot warning. With a Windows user agent, however, the expected connection data appears. The problem therefore remains unsolved.

(dmk)