
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Authorize.Net connectivity issue


This topic contains 9 replies, has 3 voices. Last updated by  TJ 3 years, 5 months ago.

Posted: Sunday Aug 4th, 2013 at 8:38 pm #55171
TJ
Username: wellwater

Hi,

I’ve been having a few strange issues with my server today. It went down 3 times, which my host attributed to a DDoS attack on another site on the same switch. During my conversations with the host, they mentioned the following IP has been blocked since yesterday around 11:58pm:

66.185.181.137

They said the “messages” log shows incidents of it being blocked.

We both did a whois lookup on the IP and it resolved to CyberSource dot com (CyberSource Corp), which, as you probably already know, owns Authorize.Net.

Today I’ve had an uncharacteristic drop in sales processing activity even though the traffic has been steady. My traffic on the pages that display the s2member Authorize.Net pro forms is also down a bit, but that may just be noise, although I’ve never seen such a page view decline on those forms before.

So, my question is, is the 66.185.181.137 a legit Authorize.Net IP that’s being blocked that’s been the cause of my woes today? Does s2member’s API actually connect to a domain that resolves to that IP? Or perhaps s2member connects to another domain, but the “response” domain or IP is unable to connect back due to it being blocked somehow?

By the way, I upgraded s2member v130617 to v130802 a little after midnight today, but I don’t know if that has anything to do with it.

I’m actually thinking about downgrading to v130617, as a precautionary matter. When I go through the site, it seems fine, but since I’ve had a good experience with that version, I may want to try going back. I don’t want to steer focus away from this matter, so I’ll open a separate topic about that.

Thanks.

Posted: Monday Aug 5th, 2013 at 12:11 am #55196
Moderator

So, my question is, is the 66.185.181.137 a legit Authorize.Net IP that’s being blocked that’s been the cause of my woes today? Does s2member’s API actually connect to a domain that resolves to that IP?

Not to my knowledge. Here are the IPs we know of. s2Member® Pro only connects to these by name. However, I did a quick DNS check against the following so you can see what we’re dealing with here.

I’m actually thinking about downgrading to v130617, as a precautionary matter. When I go through the site, it seems fine, but since I’ve had a good experience with that version, I may want to try going back. I don’t want to steer focus away from this matter, so I’ll open a separate topic about that.

I would suggest that you enable s2Member’s logging facility temporarily until you can pinpoint the cause of this. If sales are down, I would start looking at the log files produced by s2Member® and inspect any errors closely. I would start by looking at s2-http-api-debug.log for any connection failures.

I would also look at authnet-api.log for any unexplained credit card declines.

Please see: Dashboard -› s2Member® -› Log Files (Debug) -› Logging Configuration
See also: Dashboard -› s2Member® -› Log Files (Debug) -› s2Member® Log Viewer


On a side note. It’s the summer and we’ve had many site owners writing in about slow sales. My personal advice is to inspect things closely and be cautious, but also to keep in mind that it’s relatively normal to see a slight decrease in sales this time of year.

Posted: Monday Aug 5th, 2013 at 2:08 am #55208
TJ
Username: wellwater

Hi Mike. Do you recommend enabling both:

Enable Logging Routines?
Enable Additional Logging Routines?

That’s odd about the IP address. When I did a whois lookup on the IP here:
http://cqcounter.com/whois/

it comes up with the following domain registered 13 years ago:

OrgName:        Cybersource Corp.
OrgId:          CYBERS-88
Address:        900 Metro Center Blvd.
City:           Foster City
StateProv:      CA
PostalCode:     94404
Country:        US
RegDate:        2000-10-03
Updated:        2012-06-18
Ref:            http://whois.arin.net/rest/org/CYBERS-88

OrgAbuseHandle: NOC1333-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-877-847-2577
OrgAbuseEmail:  network@cybersource.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC1333-ARIN

OrgTechHandle: NOC1333-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-877-847-2577
OrgTechEmail:  network@cybersource.com
OrgTechRef:    http://whois.arin.net/rest/poc/NOC1333-ARIN

RNOCHandle: NOC1333-ARIN
RNOCName:   Network Operations Center
RNOCPhone:  +1-877-847-2577
RNOCEmail:  network@cybersource.com
RNOCRef:    http://whois.arin.net/rest/poc/NOC1333-ARIN

The email address listed on the whois shows

network@cybersource.com

Which matches the cybersource.com domain.

Now if you do a whois lookup for cybersource.com, the first two parts of the IP are the same, and their GEO location is “San Mateo, CA 94404”, which is the same as the first.

So, I suppose, the question is, is this truly a legitimate cybersource company, and if so, why are they trying to communicate with my website? My messages log file has thousands of references to this IP being blocked, such as:

So it’s strange that this cybersource server is trying to communicate with mine, and interesting that the firewall decides to block them:

Aug  4 19:17:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=66.185.181.137

It looks like these deny references in my messages log were occurring in 5-minute intervals, which coincide with WP-Cron’s default 5-minute intervals. s2member’s Authorize.Net “Automatic EOT Behavior” setting being set to on results in the site communicating with Authorize.Net’s servers every 5 minutes all the time.

Jason even chimed in when I brought this up here:
http://www.s2member.com/forums/topic/error-e00013-subscription-id-is-invalid/#post-32231

ME:

I’m getting this error constantly in the “authnet-api.log” log. It seems like it’s running this for every user, every day, even though I don’t sell subscriptions. Any ideas?

JASON:

Yes, that is correct. While these customers may not be associated with recurring fees, it’s s2Member’s job to determine this, and keep track of who is and who is not, by communicating with the Authorize.Net API. What you’re seeing in the logs is s2Member finding out that they do not have recurring fees.

If you would rather disable this functionality in s2Member, you can disable s2Member’s Automatic EOT System from your Dashboard. See: Dashboard -› s2Member® -› Authorize.Net® Options -› Automatic EOT Behavior

This being said, I recommend that you leave the EOT system enabled, and simply ignore those log entries, or simply turn off s2Member’s logging routine.

I had forgotten about this, but today’s activity brings up a few questions:

* Should I disable automatic EOT after all (since I don’t provide subscriptions or time-limited services)?
* Could the 5-minute communication with Authorize.Net’s API be the cause of cybersource attempting to communicate with the server, and what purpose does it serve? And if it is the cause, could this activity have been deemed sufficiently suspicious by “CSF – ConfigServer” to not only block cybersource, but legitimate, live, checkout transactions?
* Are there IP addresses that I should whitelist in the firewall?

I don’t know for certain how strict CSF is operating, but since it doesn’t permanently block IP’s I’m concerned things are getting swept up or deemed suspicious when the activity is innocent and necessary for s2member to function properly. It could be a random, moving target that operates outside of the s2member app hemisphere, but results in a silent, operation conflict anyway?

Thanks.
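Added example, not part of the original thread and not s2Member or CSF code: one way to check whether firewall block entries of the kind quoted in the post above recur on a fixed schedule, and which way the blocked packets were travelling. The sample lines are constructed (documentation-range addresses, invented timestamps), and the function names, the `year` parameter and the 5-second tolerance are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines, same shape as the entry quoted in the post above.
SAMPLE_LOG = """\
Aug  4 19:07:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10
Aug  4 19:12:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10
Aug  4 19:13:05 host2 kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=198.51.100.7
Aug  4 19:17:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10
Aug  4 19:22:44 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10
Aug  4 19:23:00 host2 sshd[101]: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\sFirewall:\s"
    r"\*(?P<label>\w+) Blocked\*\s(?P<fields>.*)$")
# netfilter logs IN= only for packets arriving at the host, OUT= only for
# packets the host sends, and both for forwarded packets.
DIRECTION = {(True, False): "inbound", (False, True): "outbound",
             (True, True): "forwarded"}

def parse_line(line, year=2013):
    """Parse one block entry; syslog omits the year, so it is an assumption."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # KEY=value tokens; a value may be empty, as in "OUT=".
    f = dict(t.split("=", 1) for t in m["fields"].split() if "=" in t)
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Aug  4")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    key = (bool(f.get("IN")), bool(f.get("OUT")))
    return {"ts": ts, "label": m["label"], "src": f.get("SRC"),
            "direction": DIRECTION.get(key, "unknown")}

def summarize(log_text, tolerance=5):
    """Group blocks by (source, rule label, direction) and test for a fixed period."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"]:
            events[(rec["src"], rec["label"], rec["direction"])].append(rec["ts"])
    report = {}
    for key, stamps in events.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        periodic = len(gaps) >= 2 and all(abs(g - med) <= tolerance for g in gaps)
        report[key] = {"count": len(stamps), "median_gap_s": med, "periodic": periodic}
    return report
```

A median gap near 300 seconds with `periodic` set points to a scheduled job rather than interactive checkout traffic.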

Posted: Monday Aug 5th, 2013 at 7:15 am #55220
Moderator

* Should I disable automatic EOT after all (since I don’t provide subscriptions or time-limited services)?

I’m not seeing any compelling reason that you MUST leave this on. I checked with Jason and he confirms this. His suggestion was that you whitelist this IP address (as it does belong to CyberSource by all indications). In fact, we suggest that you whitelist any of the IPs listed above (or any provided to you by Authorize.Net support).

As your payment gateway, your server should whitelist any IP address associated with your payment gateway to ensure there are no connectivity issues. That’s our suggestion for you.

The firewall trigger (based on the log entry you posted) appears to be an outbound rule, not an inbound rule (which again, this coincides with s2Member’s EOT System which is connecting to Authorize.Net and not the other way around). If your firewall does not like this, you can either whitelist the IP address to prevent this from causing problems, or you can simply turn off the EOT System since you’re not relying upon this anyway.

In either case though, I would be sure to contact Authorize.Net and ask them for an up-to-date list of all IP addresses (or configure firewall rules that apply to all of the host names I listed above). Even if you turn off s2Member’s Auto EOT System, you’ll still want to be sure that your firewall is not interfering with transaction processing that occurs during the normal checkout flow on-site.

We’ve never been given a full list of all IPs associated with Authorize.Net. We always get a response that basically states “these are always subject to change” and so they don’t provide a complete list or give us a block of IPs we can whitelist. For this reason, I would check with Authorize.Net yourself; and if all else fails try to configure your firewall to whitelist the host names and not necessarily specific IP addresses.

Posted: Monday Aug 5th, 2013 at 7:34 am #55221
Moderator

Enable Logging Routines?
Enable Additional Logging Routines?

Yes, I would enable both of these temporarily.

Posted: Tuesday Aug 6th, 2013 at 3:55 pm #55315
TJ
Username: wellwater

The firewall trigger (based on the log entry you posted) appears to be an outbound rule, not an inbound rule (which again, this coincides with s2Member’s EOT System which is connecting to Authorize.Net and not the other way around).

That makes sense. Thanks for confirming this. After disabling EOT, the firewall blocks appear to have stopped.

In either case though, I would be sure to contact Authorize.Net and ask them for an up-to-date list of all IP addresses (or configure firewall rules that apply to all of the host names I listed above).

I spoke with Authorize.Net about the original IP 66.185.181.137, but they were not able to find a reference to it in their literature or developer forums. They said it seems to be ok to whitelist, based on a public whois lookup suggesting it belongs to CyberSource. They couldn’t speak with certainty about the IP’s origin though. I assume I’d have to contact CyberSource to determine that as Authorize.Net says they can only speak with certainty about what’s in their documentation.

and if all else fails try to configure your firewall to whitelist the host names and not necessarily specific IP addresses.

Thanks for the suggestion. I was focusing on IP’s instead of hostnames. The latter should be more future-proof.

I did ask Authorize.Net for any additional IP’s that should be whitelisted, but was told that wasn’t necessary, so I left it at that. Since Mike already provided the hostnames s2member uses to connect to, I should be able to use those to lookup the IP’s, assuming I can’t whitelist the hostnames directly.

In another post, I mentioned that I downgraded from v130802 to v130617. After doing so, activity on the site seems to have normalized. But the abnormalities I reported did coincide with a DDoS attack on an unrelated site on my switch, so I may have attributed fault to the upgrade unnecessarily. I also have to consider the possibility that I was just experiencing “noise” and the upgrade had a neutral effect. Regardless, I’ll stick with v130617 a little while longer and see how things shake out.

Once again, thank you Mike and Jason for your assistance.

Posted: Tuesday Aug 6th, 2013 at 4:47 pm #55317
Moderator

Thanks for the detailed follow-up TJ; we REALLY appreciate this. I’m glad we could help you out here, and I’ll be sure to relay this reply to Jason so that he will see it as well. If you are so inclined, we would LOVE to get a review from you at some point. Here’s the link. Just a couple lines will do fine :-)

Please register @ WordPress.org and rate s2Member®

NOTE: If you vote @ WordPress.org & LIKE us on Facebook, please reply back in the s2Member® Forums with a link to your nice comments (just to let us know). The company also has a way of saying thanks for this :-)

and please let us know if you need any further assistance :-)

Posted: Tuesday Aug 6th, 2013 at 6:20 pm #55326
TJ
Username: wellwater

Thanks for the detailed follow-up TJ; we REALLY appreciate this. I’m glad we could help you out here, and I’ll be sure to relay this reply to Jason so that he will see it as well. If you are so inclined, we would LOVE to get a review from you at some point. Here’s the link. Just a couple lines will do fine :-)

No problem. I just posted a review. It’s the “Reliable membership software…” one at the top. Thanks again.

Posted: Tuesday Aug 6th, 2013 at 7:18 pm #55330
Staff Member

Thanks for the heads up on this thread Mike.

@TJ

I just wanted to chime in here & extend a very gracious THANK YOU for this review. That is a very well structured and well written review. We really appreciate it when a customer takes the time to do this for us. Please DO let us know if you ever need assistance in the future :-)

I’ve asked Mike to bump your account to the Unlimited-Site License as our way of saying thanks!

Posted: Tuesday Aug 6th, 2013 at 7:24 pm #55331
TJ
Username: wellwater

Wow, thanks Jason. That’s completely unexpected and very much appreciated.


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
