In this simulation, you will analyze network traffic to distinguish between active and passive security threats. Understanding how different attacks interact with network data is critical for selecting the correct defensive controls.

CND (312-38) Network Defense Simulation

Network Scenario

You are monitoring a corporate VLAN (192.168.10.0/24). The network consists of an Application Server, a Database, and several workstations. A security alert was triggered by the IDS regarding suspicious packet sequences targeting the internal application.

As a Defender, you must determine if the observed activity represents a passive attempt to gather data or an active attempt to manipulate communications.

Traffic & Logs

[IDS ALERT] - High Severity: Duplicate TCP Sequence Detection
[TIMESTAMP] 2023-10-24T14:22:11Z
[SOURCE] 192.168.10.45 (Workstation-B)
[DESTINATION] 192.168.10.10 (App-Server)
[INFO] Potential Replay Attack Detected. Repeated Auth Token Header found in 3 consecutive requests.
---
[FIREWALL LOG]
ALLOW TCP 192.168.10.45:54321 -> 192.168.10.10:443 (ACK)
ALLOW TCP 192.168.10.45:54322 -> 192.168.10.10:443 (ACK)
---
[PACKET CAPTURE SNIPPET]
Frame 1: GET /api/v1/auth HTTP/1.1 [Cookie: session_id=XYZ123...]
Frame 2: GET /api/v1/auth HTTP/1.1 [Cookie: session_id=XYZ123...] (Duplicate)

Question

Which of the following attacks comes under the category of an active attack?
A. Replay attack
B. Wireless footprinting
C. Passive Eavesdropping
D. Traffic analysis

Expert Analysis

1. Network Status: The logs show an internal workstation (192.168.10.45) sending the same authentication request, carrying the same session cookie, to the App-Server three times in a row. The firewall entries show two different source ports (54321 and 54322), so these are separate TCP connections rather than TCP retransmissions within one connection: the workstation is generating fresh traffic. This is consistent with a valid exchange having been captured and re-injected into the network to obtain access the sender is not entitled to.

2. Identifying Behavior: This is a classic Active Attack. Unlike passive attacks, which only "listen" and change nothing on the wire, this attack injects captured data back into the network and tries to change the server's state (for example, by obtaining a new authenticated session).

3. Why Choice A is Correct: A Replay Attack is an active attack because the adversary captures a valid data transmission (like an authentication exchange) and later retransmits it to produce an unauthorized effect (e.g., bypassing login). This involves generating new traffic on the network.

4. Why Others are Wrong: Wireless footprinting (B), as the question frames it, is reconnaissance that collects information about access points and clients from what they already broadcast; passive eavesdropping (C) only captures traffic in transit; and traffic analysis (D) draws inferences from packet metadata (endpoints, sizes, timing) without reading or altering content. None of the three injects or modifies traffic, so all three threaten confidentiality only and would not produce the duplicate requests the IDS flagged here.

5. Defensive Action: To prevent Replay Attacks, a CND professional should require each authenticated request to carry a nonce (number used once) and a timestamp. The server rejects any request whose timestamp falls outside an acceptance window or whose nonce it has already seen within that window. Two practical caveats: the nonce and timestamp must be bound to the request by a MAC or signature, otherwise the attacker simply edits them on the captured request; and the server's store of seen nonces only needs to cover the acceptance window, since anything older is already rejected by the timestamp check.
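The two halves of this scenario, the IDS rule that flagged three consecutive requests with the same auth token, and the nonce-plus-timestamp check that would have rejected the replay, as one added example. This is illustrative code written for this page, not the CND course material or any real IDS or server; the request records, the shared secret, the 30-second window and all function names are assumptions.

```python
"""Replay attack: (1) detect repeated auth tokens in request logs, as the IDS rule
in the scenario does; (2) reject replayed requests server-side with a MAC-bound
nonce and timestamp, as the defensive action describes."""
import hashlib
import hmac
import secrets

# --- Part 1: detection --------------------------------------------------------
# Constructed sample of parsed request records (not real capture data):
# (timestamp, source IP, path, session cookie). The first three mirror the
# scenario's three repeated requests from Workstation-B.
SAMPLE_REQUESTS = [
    ("2023-10-24T14:22:09Z", "192.168.10.45", "/api/v1/auth", "XYZ123"),
    ("2023-10-24T14:22:10Z", "192.168.10.45", "/api/v1/auth", "XYZ123"),
    ("2023-10-24T14:22:11Z", "192.168.10.45", "/api/v1/auth", "XYZ123"),
    ("2023-10-24T14:22:12Z", "192.168.10.51", "/api/v1/auth", "ABC999"),
]


def find_repeated_tokens(requests, threshold=3):
    """Return (src, token, count) for every run of consecutive requests from the
    same source that present the same auth token at least `threshold` times."""
    hits = []
    run_src = run_tok = None
    run_count = 0
    for _ts, src, _path, tok in requests:
        if (src, tok) == (run_src, run_tok):
            run_count += 1
        else:
            if run_count >= threshold:
                hits.append((run_src, run_tok, run_count))
            run_src, run_tok, run_count = src, tok, 1
    if run_count >= threshold:          # flush the final run
        hits.append((run_src, run_tok, run_count))
    return hits


# --- Part 2: prevention -------------------------------------------------------
SECRET = b"assumed-shared-secret"  # assumption: key shared by client and server
WINDOW = 30                        # assumption: seconds a request stays valid


def sign(session_id, nonce, ts):
    """MAC over the whole tuple, so nonce/timestamp cannot be edited after capture."""
    msg = f"{session_id}|{nonce}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_request(session_id, now):
    """What a legitimate client sends: cookie, fresh nonce, clock value, MAC."""
    nonce = secrets.token_hex(8)
    return {"session_id": session_id, "nonce": nonce, "ts": now,
            "mac": sign(session_id, nonce, now)}


class ReplayGuard:
    """Server-side check: MAC first, then freshness, then nonce uniqueness."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = {}  # nonce -> timestamp it was first accepted with

    def check(self, req, now):
        expected = sign(req["session_id"], req["nonce"], req["ts"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "reject: bad mac"
        if abs(now - req["ts"]) > self.window:
            return "reject: stale timestamp"
        # Nonces older than the window can never pass the timestamp check
        # again, so the store only has to remember the current window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if req["nonce"] in self.seen:
            return "reject: nonce reused (replay)"
        self.seen[req["nonce"]] = req["ts"]
        return "accept"


def demo():
    """Original request, its replay, a tampered replay, and a stale request."""
    guard = ReplayGuard()
    t0 = 1_000_000                           # constructed clock value (seconds)
    req = make_request("XYZ123", t0)
    first = guard.check(req, t0)             # legitimate: accept
    replay = guard.check(req, t0 + 2)        # same bytes again: nonce reused
    tampered = dict(req, nonce="deadbeef")   # attacker rotates nonce, cannot re-sign
    forged = guard.check(tampered, t0 + 2)   # MAC no longer matches
    late = guard.check(make_request("XYZ123", t0), t0 + 120)  # outside window
    return first, replay, forged, late


if __name__ == "__main__":
    print(find_repeated_tokens(SAMPLE_REQUESTS))
    print(demo())
```

The detection half is deliberately simple (a run-length count per source and token) and produces a hit only when the repeats are consecutive, which is exactly what the scenario's alert text describes; a real IDS would also key on the destination and path. The prevention half shows why the MAC is not optional: the "tampered" case is what a replay attacker does once the server starts checking nonces, and without the MAC it would be accepted.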

MINI LESSON: Active vs. Passive
  • Active: Interruption, Modification, and Fabrication (including masquerade and replay). The attacker blocks, alters, or injects traffic, so the target's state changes and the activity can be detected. Impact: Integrity and Availability (and authenticity).
  • Passive: Interception, i.e. Release of message content and Traffic Analysis. The attacker only observes, so nothing on the wire changes; these are hard to detect, and the control is prevention (encryption) rather than alerting. Impact: Confidentiality.
