Using a shared cache in a Web farm environment for detecting replay attacks in WCF
I'm trying to figure out how to implement a replay attack detection mechanism with WCF in a web farm scenario.
WCF provides such a detection mechanism by using a nonce cache. Correct me if I'm wrong, but the only way to prevent this attack in a message-security and web farm scenario is by using a nonce cache shared across the servers.
In WSE 3.0 it used to be possible to provide custom nonce cache implementations, but there doesn't seem to be any way to do so in WCF (no configuration options; besides, I found with Reflector that the NonceCache class is marked as both sealed and internal).
Firstly, there are no silver bullets for this. Each option has its drawbacks. Microsoft recommends one of two options:
- Use message mode security with stateful security context tokens (with or without secure conversation enabled)
- Configure the service to use transport-level security
While securing your service using transport-level security will protect against the man-in-the-middle scenario, it will not protect you against a compromised client. So in effect it's not a robust solution, and using stateful security context tokens is the better of the two. This does require some considerations when developing and deploying.
As I stated in my earlier answer, there are no silver bullets for this. Here is another option (which you may have already considered): using the detectReplays, maxClockSkew, replayWindow, and replayCacheSize settings. Although I'm not sure about its robustness in a web farm scenario, it should work given the underlying operation of WCF. Here's a brief article that demonstrates it. The drawback with this option is that when you have a client in a different time zone from the server, you'll get failures if your maxClockSkew is not set to allow for the time zone differences.
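Both answers describe settings rather than showing them, so here is an added configuration example (not from the question, either answer, or Microsoft's documentation) that puts the two recommendations together in one customBinding: stateful security context tokens from the first answer (requireSecurityContextCancellation="false" is what makes the SCT stateful, so the session state travels inside the token instead of living in one server's memory) and the replay-detection knobs from the second answer under localServiceSettings. The binding name, service name, the UserNameForCertificate bootstrap mode and the five-minute windows are assumptions chosen for illustration; the service certificate that message security needs is configured separately in serviceBehaviors and is omitted here.

```xml
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- Assumed binding name; pick whatever matches your service endpoint -->
      <binding name="ReplayAwareBinding">
        <!-- Stateful SCT: requireSecurityContextCancellation="false" makes the token
             carry its own session state, so any server in the farm can validate it.
             authenticationMode and the bootstrap mode below are assumptions. -->
        <security authenticationMode="SecureConversation"
                  requireSecurityContextCancellation="false">
          <secureConversationBootstrap authenticationMode="UserNameForCertificate" />
          <!-- Replay detection settings named in the second answer.
               maxClockSkew must cover the real client/server offset (the time
               zone failure mode mentioned above); replayWindow bounds how long a
               message's nonce is remembered; replayCacheSize caps the per-process
               nonce cache, which is not shared between servers in the farm. -->
          <localServiceSettings detectReplays="true"
                                maxClockSkew="00:05:00"
                                replayWindow="00:05:00"
                                replayCacheSize="900000" />
        </security>
        <textMessageEncoding />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <!-- Assumed service and contract names -->
    <service name="Example.OrderService">
      <endpoint address=""
                binding="customBinding"
                bindingConfiguration="ReplayAwareBinding"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

One caveat when deploying this in a farm: WCF protects a stateful SCT with a SecurityStateEncoder, and the default DataProtectionSecurityStateEncoder uses DPAPI keys local to one machine and account, so a token issued by one server cannot be decoded by another unless you plug in a custom SecurityStateEncoder that all servers share a key for. The localServiceSettings values do not change that; they only tune the per-server nonce cache, which is why the second answer is right to be cautious about relying on them alone across a farm.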