How to: Enable Message Replay Detection
A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack will process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.
For more information about message replay detection, see Message Replay Detection.
The following procedure demonstrates various properties that you can use to control replay detection using Windows Communication Foundation (WCF).
To control replay detection on the client using code
Create a SecurityBindingElement to use in a CustomBinding. For more information, see How to: Create a Custom Binding Using the SecurityBindingElement. The following example uses a SymmetricSecurityBindingElement created with the CreateKerberosBindingElement method of the SecurityBindingElement class.
Set the following properties of the LocalClientSecuritySettings object returned by the binding element's LocalClientSettings property, as appropriate:
- DetectReplay. A Boolean value. This governs whether the client should detect replays from the server. The default is true.
- MaxClockSkew. A TimeSpan value. Governs how much time skew the replay mechanism can tolerate between the client and the server. The security mechanism examines the time stamp sent and determines whether it was sent too far back in the past. The default is 5 minutes.
- ReplayWindow. A TimeSpan value. This governs how long a message can live in the network after the server sends it (through intermediaries) before reaching the client. The client tracks the signatures of the messages sent within the latest ReplayWindow for the purposes of replay detection.
- ReplayCacheSize. An integer value. The client stores the signatures of the messages in a cache. This setting specifies how many signatures the cache can store. If the number of messages sent within the last replay window reaches the cache limit, new messages are rejected until the oldest cached signatures reach the time limit. The default is 500000.
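How the four settings interact, as an added model written for this topic (it is not WCF's implementation and not code from the original page): signatures seen within ReplayWindow are cached, a repeated signature is a replay, a timestamp older than ReplayWindow plus MaxClockSkew (an assumption of this model) or too far in the future is stale, and a full cache rejects new messages until old signatures expire.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ReplayDetector:
    """Model of WCF-style replay detection; defaults mirror the documented ones."""
    detect_replays: bool = True
    max_clock_skew: timedelta = timedelta(minutes=5)
    replay_window: timedelta = timedelta(minutes=5)
    replay_cache_size: int = 500000
    _cache: dict = field(default_factory=dict)  # signature -> time first received

    def check(self, signature: bytes, sent_at: datetime, now: datetime) -> str:
        if not self.detect_replays:
            return "accepted"
        # Modelling assumption: a message may be at most ReplayWindow old plus the
        # tolerated skew; a timestamp from the future is only tolerated up to the skew.
        if (now - sent_at > self.replay_window + self.max_clock_skew
                or sent_at - now > self.max_clock_skew):
            return "rejected: stale timestamp"
        # Signatures older than the replay window no longer need to be tracked.
        for old in [s for s, t in self._cache.items() if now - t > self.replay_window]:
            del self._cache[old]
        if signature in self._cache:
            return "rejected: replay"
        if len(self._cache) >= self.replay_cache_size:
            return "rejected: cache full"
        self._cache[signature] = now
        return "accepted"


def run_scenario() -> list[str]:
    """Constructed sample traffic: fresh message, its replay, a stale one, cache overflow."""
    d = ReplayDetector(max_clock_skew=timedelta(minutes=3),
                       replay_window=timedelta(minutes=2), replay_cache_size=2)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    s = timedelta  # shorthand for offsets below
    return [
        d.check(b"sig-A", t0, t0),                                  # accepted
        d.check(b"sig-A", t0, t0 + s(seconds=30)),                  # rejected: replay
        d.check(b"sig-B", t0 - s(minutes=10), t0),                  # rejected: stale timestamp
        d.check(b"sig-C", t0, t0 + s(seconds=40)),                  # accepted, cache now holds A and C
        d.check(b"sig-D", t0, t0 + s(seconds=50)),                  # rejected: cache full
        d.check(b"sig-D", t0 + s(minutes=3), t0 + s(minutes=3)),    # accepted once A and C expire
    ]
```

Lowering ReplayWindow shortens how long a signature is remembered, so the cache drains sooner but a message delayed beyond the window is treated as stale.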
To control replay detection on the service using code
To control replay detection in configuration for the client or service
Create a customBinding Element.
Create a <security> element.
Set the following attribute values, as appropriate: detectReplays, maxClockSkew, replayWindow, and replayCacheSize. The following example sets the attributes of both a <localServiceSettings> and a <localClientSettings> element:
<customBinding>
  <binding name="NewBinding0">
    <textMessageEncoding />
    <security>
      <localClientSettings replayCacheSize="800000" maxClockSkew="00:03:00" replayWindow="00:03:00" />
      <localServiceSettings replayCacheSize="800000" maxClockSkew="00:03:00" replayWindow="00:03:00" />
      <secureConversationBootstrap />
    </security>
    <httpTransport />
  </binding>
</customBinding>
The following Visual Basic example creates the client-side binding element from the first procedure and sets its replay-detection properties:

Imports System
Imports System.ServiceModel.Channels

Private Function CreateSymetricBindingForClient() As SecurityBindingElement
    ' CreateKerberosBindingElement returns a SymmetricSecurityBindingElement
    Dim b = SecurityBindingElement.CreateKerberosBindingElement()
    With b.LocalClientSettings
        .DetectReplays = True
        .MaxClockSkew = New TimeSpan(0, 3, 0)   ' tolerate 3 minutes of clock skew
        .ReplayWindow = New TimeSpan(0, 2, 0)   ' track signatures for 2 minutes
        .ReplayCacheSize = 10000                ' cache at most 10,000 signatures
    End With
    Return b
End Function
Scope of Replay: Message Security Only
Note that these procedures apply only to Message security mode. For Transport and Transport with Message Credential modes, the transport mechanisms detect replays.
Secure Conversation Notes
For bindings that enable secure conversations, you can adjust these settings both for the application channel and for the secure conversation bootstrap binding. For example, you can turn off replay detection for the application channel but enable it for the bootstrap channel that establishes the secure conversation.
If you do not use secure conversation sessions, replay detection does not guarantee detecting replays in server farm scenarios and when the process is recycled. This applies to the following system-provided bindings:
Compiling the Code