Judging the Importance of an Event ID 553

What causes event ID 553 (replay attack detected), and how important is this event?

According to the event description, the Kerberos authentication package determined that someone attempted to log on by replaying a user's credentials. The description of event ID 553 also recommends an immediate investigation. However, a more likely cause of the event is a network error resulting from a packet being duplicated in transit. An actual replay attack is certainly possible, but such an attack requires a very sophisticated attacker.

If you see a storm of event ID 553s in your Security log, check your routers and switches for errors or recent changes that might be causing packet duplication. If you see an isolated occurrence of event ID 553, don't sweat it unless the combination of the user account, client IP address, and time generated make the event appear sinister.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.