webhook-replay-storm
The same provider eventIds keep arriving: a provider misconfiguration or a replay attack. The gates held — the counter is what makes the storm visible.
A payment provider keeps re-sending the same notifications. Nothing double-posts — duplicates are dropped at three layers — but the flood itself means their config is broken or someone is replaying captured messages.
Source src/ops/detect.tssrc/ops/supervisor.tssrc/server.tssrc/webhooks.ts
Tier 3, report-only. The same provider eventIds keep arriving: a provider misconfiguration (acknowledgements not registering) or a replay attack. The gates held — every duplicate was dropped and no money moved twice — but the edge is burning work.
Symptoms
economy.webhook.duplicate counts at rate, tagged provider and layer. Provider dashboards
may show retry queues backing up on their side.
Detection
Sum of economy.webhook.duplicate over webhookReplayWindowMs (default 60s) reaches
webhookReplayThreshold (default 20). The finding tallies byProvider and byLayer.
Automatic response
detected plus a decided advisory once per window. There is nothing to remediate: dedup is
already doing its job at three layers.
Manual steps
- Read
byLayer— it localizes the leak:stale: deliveries with old timestamps; the provider is replaying an old queue, or clock skew exceedsREPLAY_WINDOW_MS.replay: fresh signatures, seen eventIds — the classic “provider never registered our 200” misconfiguration, or a replay attack with captured payloads.inbox: redeliveries getting past the edge gates to the inbox dedupe. With the edge verifying, this should be rare — investigate how.
- One provider dominating
byProvider: check its webhook endpoint config and delivery logs; confirm the 200 acknowledgements are reaching it. - If the signatures on the duplicates are valid but the volume looks adversarial, rotate
WEBHOOK_SECRETwith the provider — a valid-signature replay storm means the payloads (or the secret) leaked.
Escalation
Provider-side misconfiguration: their support, with eventIds and timestamps. Suspected attack: security, with the raw delivery log — the money is safe, but the secret may not be.