What causes event ID 553 (replay attack detected), and how important is this event?

According to the event description, the Kerberos authentication package determined that someone attempted to log on by replaying a user's credentials. The description of event ID 553 also recommends an immediate investigation. However, a more likely cause of the event is a network error resulting from a packet being duplicated in transit. An actual replay attack is certainly possible, but such an attack requires a very sophisticated attacker.

If you see a storm of event ID 553s in your Security log, check your routers and switches for errors or recent changes that might be causing packet duplication. If you see an isolated occurrence of event ID 553, don't sweat it unless the combination of the user account, client IP address, and time generated make the event appear sinister.