ANS Documentation


SELinux/Auditd

Audit: Replay attack detected

What is a Replay Attack?

In a replay attack, an attacker deliberately delays network traffic or sends captured traffic to the target again. This is usually done to confuse the target program, or to fool it into sending the attacker sensitive information.

For example, Alice is on public WiFi and is logging into the electricity company's website to pay her bill. Eve is an attacker listening to her traffic. Alice logs in and receives an authentication token so that she does not have to log in again for a few hours. Eve captures that traffic and replays it to the electricity company's accounts page. On a poorly designed website, when Eve sends the authentication token, the server will think that Eve is Alice and serve the account page. Eve can now use this account to gain personal information such as names, addresses, and even credit card information.

How can I prevent a replay attack?

  • Many websites use session identifiers, which change the information sent in some way. This prevents a third party like Eve from replaying messages, because the replayed messages will not verify against the unique session identifier.

  • Other sites use one-time passwords, which expire after they are used. This means that anything sent using that one-time password after the first time will be rejected by the server.

  • Other websites use a number used once (nonce) and a message authentication code (MAC), which are verified against each other. This increases the security of the session because an attacker replaying a session ID cannot forge the nonce or MAC.
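The nonce and MAC check from the last point, as an added example that is not ANS code: a server accepts a signed request once and rejects a captured copy of it. The names `sign`, `ReplayGuard` and `MAX_AGE_SECONDS` are hypothetical, and the timestamp window is an assumption added so the server does not have to remember nonces forever.

```python
import hashlib
import hmac
import secrets

MAX_AGE_SECONDS = 300  # assumed freshness window for a signed request


def sign(key: bytes, body: bytes, nonce: str, timestamp: int) -> str:
    """MAC over nonce, timestamp and body, so none of them can be swapped."""
    msg = b"\n".join([nonce.encode(), str(timestamp).encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side check: valid MAC, fresh timestamp, nonce not seen before."""
    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # nonce -> timestamp it was signed with

    def verify(self, body: bytes, nonce: str, timestamp: int, mac: str,
               now: int) -> str:
        expected = sign(self._key, body, nonce, timestamp)
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"
        if abs(now - timestamp) > MAX_AGE_SECONDS:
            return "stale"
        # Forget nonces outside the window; the timestamp check rejects those.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= MAX_AGE_SECONDS}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = timestamp
        return "ok"


def demo() -> list:
    key = secrets.token_bytes(32)   # constructed shared secret
    guard = ReplayGuard(key)
    now = 1_700_000_000             # constructed clock value
    body = b"GET /account"          # constructed request
    nonce = secrets.token_hex(16)   # fresh random nonce (hex, no newlines)
    mac = sign(key, body, nonce, now)
    return [
        guard.verify(body, nonce, now, mac, now),           # original request
        guard.verify(body, nonce, now, mac, now + 5),       # captured copy resent
        guard.verify(b"GET /cards", nonce, now, mac, now),  # body altered
        guard.verify(body, nonce, now, mac, now + 3600),    # resent an hour later
    ]
```

Calling `demo()` returns one verdict per request, in the order listed in its comments.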

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ