ActionDispatch::RemoteIp::IpSpoofAttackError exception

I am running Rails 3.2.21 on Heroku and yesterday I started seeing a low occurrence exceptions with this signature:

ActionDispatch::RemoteIp::IpSpoofAttackError: IP spoofing attack?!HTTP_CLIENT_IP=""HTTP_X_FORWARDED_FOR=","

here is the full stacktrace:

Heroku says this is a "false positive" and suggested I turn this off in m app config:

config.action_dispatch.ip_spoofing_check = false

However, they are unable to explain why we've been running for 2 months on their platform until yesterday without this popping up, and yesterday was the first occurrence of it.

any ideas?