Replay Attack in Cockroachdb

Replay attacks in Cockroachdb occur when an attacker intercepts and reuses valid network traffic, credentials, or transaction data to gain unauthorized access or manipulate database operations. Unlike traditional SQL injection that exploits code injection vulnerabilities, replay attacks exploit the timing and state of Cockroachdb's distributed consensus protocol.

The most common Cockroachdb-specific replay scenario involves the TxnCoordSender component. When a client initiates a transaction, Cockroachdb's transaction coordinator sends a BeginTransaction request to the leaseholder node. If an attacker captures this request and replays it to a different node before the original transaction commits, they can create conflicting transaction states across the cluster.

Consider this vulnerable pattern where transaction IDs are predictable:

func createTransaction(userID string) (string, error) {
    txID := fmt.Sprintf("tx-%s-%d", userID, time.Now().UnixNano())
    // Store transaction in KV store
    return txID, nil
}

An attacker observing network traffic can extract the txID format and generate valid-looking transaction IDs. Since Cockroachdb's transaction coordinator validates only the format and not the origin, these replayed transactions can be accepted by the cluster.

Another Cockroachdb-specific replay vector involves the DistSender component. When executing distributed queries, Cockroachdb breaks statements into DistSQL requests. If these requests lack proper nonce values or sequence numbers, an attacker can capture and replay them to duplicate operations across nodes.

The LeaseHolder mechanism creates additional replay opportunities. When a node holds the lease for a range, it processes all requests for that range. If lease renewal messages are intercepted and replayed, an attacker can maintain control over a range longer than intended, potentially manipulating data consistency.

Network-level replay attacks also target Cockroachdb's DistSender RPC calls. Since Cockroachdb uses gRPC over TCP, captured BatchRequest messages containing SQL statements can be resent to achieve the same effect as the original operation, potentially creating duplicate records or triggering unintended business logic.

Detecting replay attacks in Cockroachdb requires monitoring both the database's internal metrics and network traffic patterns. The crdb_internal schema provides several observability tools specifically designed for identifying suspicious activity patterns.

First, examine transaction metrics using:

SELECT 
    application_name,
    transaction_id,
    start_time,
    COUNT(*) as execution_count,
    client_address
FROM crdb_internal.transaction_statistics
WHERE start_time > NOW() - INTERVAL '1 hour'
GROUP BY application_name, transaction_id, start_time, client_address
HAVING COUNT(*) > 1
ORDER BY execution_count DESC;

This query identifies transactions executed multiple times from the same or different clients, a hallmark of replay attacks. Look for transactions with identical timestamps but different client addresses.

The crdb_internal.node_transaction_statistics view reveals node-level anomalies:

SELECT 
    node_id,
    transaction_id,
    COUNT(DISTINCT client_address) as unique_clients,
    MIN(start_time) as first_seen,
    MAX(start_time) as last_seen
FROM crdb_internal.node_transaction_statistics
WHERE start_time > NOW() - INTERVAL '5 minutes'
GROUP BY node_id, transaction_id
HAVING COUNT(DISTINCT client_address) > 1
   OR (MAX(start_time) - MIN(start_time)) < INTERVAL '1 second';

Multiple clients executing the same transaction ID within milliseconds indicates replay activity.

middleBrick's black-box scanning approach detects replay vulnerabilities without requiring database access. It tests for:

1. Predictable transaction ID generation patterns
2. Missing nonce values in DistSQL requests
3. Inadequate request signing or validation
4. Exposed lease renewal endpoints
5. Replayable authentication tokens

The scanner sends multiple identical requests with varying timestamps and client identifiers to identify systems that process duplicate requests identically. For Cockroachdb specifically, middleBrick tests the DistSender endpoint by sending replayed BatchRequest messages and analyzing the responses.

Network-level detection using Wireshark or similar tools should look for:

tcp.stream eq X and (grpc.message contains "BeginTransaction" or grpc.message contains "BatchRequest")

Capturing and analyzing the binary payload can reveal whether transaction IDs or other request components are predictable or reusable.

Securing Cockroachdb against replay attacks requires implementing cryptographic nonces, request signing, and proper transaction isolation. The most effective approach combines application-level safeguards with Cockroachdb's built-in security features.

First, implement cryptographically secure nonces for all transaction requests:

package cockroachdb_security

import (
    "crypto/rand"
    "encoding/hex"
    "time"
)

type SecureTransaction struct {
    Nonce     string    `json:"nonce"`
    Timestamp time.Time `json:"timestamp"`
    Payload   string    `json:"payload"`
}

func GenerateSecureTransaction(userID string, sql string) (*SecureTransaction, error) {
    nonce := make([]byte, 16)
    if _, err := rand.Read(nonce); err != nil {
        return nil, err
    }
    
    return &SecureTransaction{
        Nonce:     hex.EncodeToString(nonce),
        Timestamp: time.Now().UTC(),
        Payload:   sql,
    }, nil
}

func (st *SecureTransaction) Sign(privateKey []byte) (string, error) {
    // Implement HMAC-SHA256 signing with private key
    return "signed_payload", nil
}

This ensures each transaction request is unique and cannot be replayed, even if intercepted.

Cockroachdb's IMPORT and EXPORT operations require special attention since they involve large data transfers that are attractive replay targets. Use the ENCRYPTED option and validate all import/export requests:

IMPORT TABLE users
FROM CSV DATA ('s3://bucket/users.csv')
WITH 
    ENCRYPTED = true,
    FORMAT = csv,
    HEADER = true
CREDENTIALS = '{ "AWS_ACCESS_KEY_ID": "...", "AWS_SECRET_ACCESS_KEY": "..." }'
OPTIONS (
    delimiter = ',',
    null = 'NULL'
);

-- Add validation step
SELECT crdb_internal.validate_import_status('users_import');

For application-level protection, implement Cockroachdb's AS OF SYSTEM TIME clause to prevent replay of stale data:

BEGIN;
SET TRANSACTION AS OF SYSTEM TIME '-10s';
-- All reads within this transaction see data from 10 seconds ago
SELECT * FROM accounts WHERE user_id = $1 FOR UPDATE;
-- Business logic here
COMMIT;

This prevents attackers from replaying transactions that read old data states and creating inconsistencies.

Enable Cockroachdb's enterprise security features for maximum protection:

ALTER RANGE default CONFIGURE ZONE USING
    num_replicas = 5,
    constraints = '[+region=west1, +region=east1]',
    lease_preferences = '[[+region=west1]]';

-- Enable encryption at rest
ALTER DATABASE your_database
    EXPERIMENTAL ENCRYPTION = ON
    WITH KEY = 'your-256-bit-key-here';

The lease_preferences configuration ensures that leaseholders are distributed across regions, making it harder for attackers to target specific nodes for replay attacks.

Finally, implement application-level replay detection using Cockroachdb's crdb_internal.node_statement_statistics:

CREATE VIEW replay_detection AS
SELECT 
    node_id,
    statement_normalized,
    COUNT(*) as execution_count,
    MIN(start_time) as first_execution,
    MAX(start_time) as last_execution,
    client_address
FROM crdb_internal.node_statement_statistics
WHERE start_time > NOW() - INTERVAL '1 minute'
GROUP BY node_id, statement_normalized, client_address
HAVING COUNT(*) > 5
   OR (MAX(start_time) - MIN(start_time)) < INTERVAL '100ms';

Statements executed multiple times within milliseconds from the same or different clients indicate potential replay activity.