Replay Attack Check

AP.Remote.Access.Monitor.DA_DOSP_HEURISTIC_REPLAY_ATTACK (UnitMonitor)


A network security component is under a Replay attack. A Replay attack is a form of network attack in which a valid
data transmission is maliciously or fraudulently repeated or delayed.

Knowledge Base article:

Summary

A network security component is under a Replay attack. A Replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.

Causes

The server is receiving a large number of packets that have failed Replay detection.

Resolutions

1. A Replay attack might be underway. Monitor the server for signs of an attack. If an attack is detected, take mitigation measures to stop it.

2. Check for network errors, as these will also generate high counters.

Element properties:

Target: AP.Remote.Access.Class.NetworkSecurity
Parent Monitor: System.Health.SecurityState
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: AP.Remote.Access.Monitor.HeuristicMonitorType
Remotable: True
Accessibility: Public
Alert Message:
    Potential Replay Attack

    Error Description - {0}
    Error Cause - {1}
    Error Resolution - {2}
RunAs: Default

Source Code:

<UnitMonitor ID="AP.Remote.Access.Monitor.DA_DOSP_HEURISTIC_REPLAY_ATTACK" Accessibility="Public" Enabled="true" Target="AP.Remote.Access.Class.NetworkSecurity" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="AP.Remote.Access.Monitor.HeuristicMonitorType" ConfirmDelivery="true">
  <Category>Custom</Category>
  <AlertSettings AlertMessage="AP.Remote.Access.Monitor.DA_DOSP_HEURISTIC_REPLAY_ATTACK_AlertMessageResourceID">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/DataItem/Property[@Name='ErrorDesc']$</AlertParameter1>
      <AlertParameter2>$Data/Context/DataItem/Property[@Name='ErrorCause']$</AlertParameter2>
      <AlertParameter3>$Data/Context/DataItem/Property[@Name='ErrorResolution']$</AlertParameter3>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="DA_DOSP_HEURISTIC_REPLAY_ATTACK_Error" MonitorTypeStateID="Error" HealthState="Error"/>
    <OperationalState ID="DA_DOSP_HEURISTIC_REPLAY_ATTACK_Warning" MonitorTypeStateID="Warning" HealthState="Warning"/>
    <OperationalState ID="DA_DOSP_HEURISTIC_REPLAY_ATTACK_Success" MonitorTypeStateID="Healthy" HealthState="Success"/>
  </OperationalStates>
  <Configuration>
    <Interval>300</Interval>
    <SyncTime/>
    <ComponentName>Network Security</ComponentName>
    <HeuristicId>2147745799</HeuristicId>
    <Debug>false</Debug>
  </Configuration>
</UnitMonitor>