Difference between Active Attack and Passive Attack

In this tutorial, you will learn the basic concepts of security attacks: the two broad classes of attack (passive and active), the common attacks in each class, how each of them is prevented, and the differences between an active attack and a passive attack.

Contents:

  1. Passive and Active Attacks
  2. Message Content Release Attack
  3. Traffic Analysis
  4. Replay Attack
  5. Message Modification
  6. Denial of Service (DoS)
  7. Masquerade Attack
  8. Active Attack Vs Passive Attack

Passive and Active Attacks

An attacker can target a network or system in many ways, but every attack on a communication can be classified as one of two types: an active attack or a passive attack.

Passive Attack: In a passive attack, the attacker eavesdrops on the data that the sender transmits to the receiver. The attacker can only read or observe the data; he does not modify it, and nothing on the channel changes.

  • The sender and receiver are not aware of the attacker. The attacker silently listens to the communication, so neither party notices that someone is listening.
  • Because the attacker changes nothing, the sender and receiver have little chance of detecting him. The practical defence against passive attacks is prevention (encryption), not detection.
  • Message content release and traffic analysis are passive attacks.

Active Attack: In an active attack, the attacker interferes with the communication itself: he intercepts the data in transit and modifies it, injects or replays messages, impersonates one of the parties, or disrupts the service, so that what reaches the receiver is not what the sender sent. The attacker alters the data stream rather than merely observing it.

  • Active attacks damage data, systems, or network availability. Because they change observable state (corrupted messages, duplicate logins, an overloaded server), they are comparatively easy to detect, but hard to prevent absolutely.
  • Replay attacks, message modification, denial of service (DoS), and masquerade are active attacks.


Message Content Release Attack

A message content release attack (also called release of message contents) is a passive attack in which the confidential data exchanged by the sender and receiver can be viewed by a third party.

The figure below explains the message content release attack.

Release of Message Content
  • The sender and receiver are communicating over a network.
  • The data transmitted from sender to receiver is not encrypted. In the middle of the communication, a third party, the attacker, gains access to the channel and reads the confidential information of the sender and receiver.
  • The attacker may be on the same network segment as the sender or receiver, on an intermediate router, or on a shared wireless medium; any position from which the packets can be captured is enough to access the channel.
  • Once the attacker has access to the channel, he can monitor the contents of everything the sender and receiver transmit: e-mail, credentials, transferred files, telephone conversations.
  • The attacker can use the confidential data with malicious intent. For example, he may sell the captured passwords to another party.
  • The way to prevent this attack is to encrypt the data with a sound encryption algorithm and a secret key. Encryption does not stop the attacker from accessing the channel; it makes what he captures unreadable without the key. Therefore it is necessary to encrypt the data (for example TLS for web traffic and SSH instead of Telnet for remote logins).

Traffic Analysis

Traffic analysis is a passive attack in which the attacker does not read message contents but studies the traffic itself to identify which hosts on the network are communicating, how often, and how much. The attacker captures the packets and analyses their number, size, and timing.

  • The attacker tries to find the pattern and behaviour of the communication. From the traffic alone he infers whether the hosts are exchanging something sensitive (a login, a file transfer) or having a routine conversation.
  • The attacker learns the incoming and outgoing traffic on a network, the frequency of messages, the times at which the sender and receiver are most active, the lengths of the packets exchanged between them, and what kind of communication is taking place, even though he cannot read a single message.
  • Traffic analysis is therefore the attack of choice when the sender and receiver encrypt their data: encryption hides the contents of a packet but not its metadata (addresses, sizes, timing).

The diagram below explains traffic analysis.

traffic analysis
  • The attacker has access to the channel over which the sender and receiver are communicating.
  • The attacker receives the packets sent by the sender but cannot read them because they are encrypted. So he studies the pattern of the traffic instead, determining where it is coming from and where it is going.
  • The attacker cannot modify the messages, but he can draw conclusions about the type of communication between sender and receiver from the traffic alone.
  • The sender and receiver have no idea that someone is analysing the traffic. Countermeasures are padding messages to a fixed length, sending dummy traffic, and routing through an anonymity network such as Tor, all of which blur the pattern.
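The two passive attacks above, message content release and traffic analysis, carried out on a small packet capture, as an added example that is not part of the original tutorial. The capture is constructed sample data with hypothetical 10.0.0.x hosts: the first three packets are a cleartext HTTP login that the eavesdropper can read verbatim; the remaining packets stand in for ciphertext (only their sizes and timing matter), so the eavesdropper has to fall back on traffic analysis. The `classify` heuristic is an assumption of this example, not a standard technique.

```python
"""Passive attacks on a constructed packet capture (added example, not from the tutorial)."""
from collections import defaultdict
from statistics import mean

# Constructed sample capture (hypothetical hosts):
# (time in seconds, source, destination, payload, is_encrypted)
CAPTURE = [
    (0.00, "10.0.0.5",  "10.0.0.9",  b"GET /login HTTP/1.1",         False),
    (0.12, "10.0.0.5",  "10.0.0.9",  b"user=alice&password=hunter2", False),
    (0.20, "10.0.0.9",  "10.0.0.5",  b"HTTP/1.1 302 Found",          False),
    (1.00, "10.0.0.7",  "10.0.0.20", bytes(48),                      True),   # ciphertext placeholders
    (1.05, "10.0.0.20", "10.0.0.7",  bytes(52),                      True),
    (1.90, "10.0.0.7",  "10.0.0.20", bytes(44),                      True),
    (1.95, "10.0.0.20", "10.0.0.7",  bytes(60),                      True),
    (5.00, "10.0.0.7",  "10.0.0.30", bytes(1400),                    True),
    (5.01, "10.0.0.7",  "10.0.0.30", bytes(1400),                    True),
    (5.02, "10.0.0.7",  "10.0.0.30", bytes(1400),                    True),
    (5.03, "10.0.0.7",  "10.0.0.30", bytes(900),                     True),
]


def release_of_message_content(capture):
    """Passive attack 1: everything sent in the clear is readable as-is."""
    return [(src, dst, payload.decode("ascii"))
            for _, src, dst, payload, encrypted in capture if not encrypted]


def traffic_analysis(capture):
    """Passive attack 2: ignore the payload bytes entirely and summarise each
    (source, destination) flow by packet count, volume, packet size and timing."""
    flows = defaultdict(list)
    for t, src, dst, payload, _ in capture:
        flows[(src, dst)].append((t, len(payload)))
    summary = {}
    for flow, pkts in flows.items():
        times = [t for t, _ in pkts]
        sizes = [n for _, n in pkts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        summary[flow] = {
            "packets": len(pkts),
            "bytes": sum(sizes),
            "mean_len": mean(sizes),
            "mean_gap": mean(gaps) if gaps else None,
            "first_seen": times[0],
            "last_seen": times[-1],
        }
    return summary


def classify(stats):
    """Toy heuristic (an assumption of this example, not a standard): a run of
    MTU-sized packets looks like a bulk transfer; small packets look like an
    interactive exchange such as a chat or a login."""
    if stats["mean_len"] >= 1000 and stats["packets"] >= 3:
        return "bulk transfer"
    if stats["mean_len"] < 200:
        return "interactive"
    return "unknown"


if __name__ == "__main__":
    for src, dst, text in release_of_message_content(CAPTURE):
        print(f"cleartext {src} -> {dst}: {text!r}")
    for flow, stats in traffic_analysis(CAPTURE).items():
        print(f"{flow[0]} -> {flow[1]}: {stats['packets']} pkts, "
              f"{stats['bytes']} bytes, looks like {classify(stats)}")
```

Running it shows the two attacks side by side: the cleartext flow gives up the password outright, while for the encrypted flows the eavesdropper still learns who talks to whom, that 10.0.0.7 and 10.0.0.20 hold a short back-and-forth session, and that 10.0.0.7 then pushes roughly 5 KB to 10.0.0.30 in a burst, which is exactly the metadata that padding and cover traffic are meant to hide.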

Replay Attack

A replay attack is an active attack in which the attacker captures a valid transmission and later re-sends it to the receiver to produce an unauthorised effect, such as logging in as the original sender.

  • Confidential information, typically an authentication exchange, is transmitted over the network, and the attacker captures it in order to take advantage of it.
  • The attacker can get into a position to capture the traffic by ARP spoofing on the local network or by planting malicious code on an end device.
  • When a host sends authentication data to a server, the attacker in the middle records it and replays it later, appearing to be the original sender. The same data can be sent to the receiver over and over again, and the attacker does not need to decrypt or understand it for the attack to work.

The below diagram explains the replay attack.

replay attack
  • The client wants to access the server. The client is connected to a switch, and the attacker has gained access to that switch (for example through port mirroring or ARP spoofing).
  • The client sends its credentials to the server for authentication. The data is transmitted through the switch.
  • The switch forwards the data to the server, and a copy reaches the attacker.
  • The client data contains a username and a hashed password for authentication, so the attacker now holds a copy of the client's username and hashed password. He does not need to crack the hash.
  • The attacker sends his own authentication request to the server with the client's username and hashed password. This is the replay.
  • The server grants access to the attacker because the request is byte-for-byte what a genuine login from the client looks like.
  • To prevent replay attacks, every authentication exchange must contain something fresh and single-use: a random challenge (nonce) issued by the server that the client must incorporate into its response, a timestamp the server checks against a short validity window, or a sequence number. A session ID issued after login, valid only while the session is alive, serves the same purpose for the requests that follow. When the attacker replays old data, the nonce or session ID no longer matches and the server rejects the request.
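The switch scenario above in code, as an added example that is not part of the original tutorial: a server that accepts a static username plus password hash (and so accepts the attacker's replay), next to a challenge-response server that issues a single-use nonce per login attempt. The account `alice`, its password, and the nonce length are constructed for the demonstration, and the use of the stored password hash as the HMAC key is a simplification noted in the code.

```python
"""Replay attack and a challenge-response fix (added example, not from the tutorial)."""
import hashlib
import hmac
import secrets

# Constructed sample account: the server stores a hash of the password.
USERS = {"alice": hashlib.sha256(b"hunter2").hexdigest()}


class NaiveServer:
    """Accepts the same static credential on every request: whatever the
    attacker captured on the wire can be re-sent verbatim (the page's scenario)."""

    def login(self, user, password_hash):
        return hmac.compare_digest(USERS.get(user, ""), password_hash)


class ChallengeServer:
    """Issues a fresh random nonce per attempt; the client must MAC that nonce.
    Each nonce is consumed after one use, so a captured response is worthless."""

    def __init__(self):
        self._pending = {}  # user -> nonce that is currently outstanding

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user, nonce, response):
        expected_nonce = self._pending.pop(user, None)  # single use
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        verifier = USERS.get(user)
        if verifier is None:
            return False
        good = hmac.new(verifier.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(good, response)


def client_response(password, nonce):
    """Client side: derive the same verifier the server stores and MAC the nonce.
    Simplification of this example: the stored verifier doubles as the key, so a
    leaked user database is as good as a leaked password. Real systems use a
    PAKE or a salted per-user key instead."""
    verifier = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(verifier.encode(), nonce, hashlib.sha256).digest()


def demo_naive():
    """Attacker sniffed one login and re-sends it. Returns (first, replay)."""
    server = NaiveServer()
    captured = ("alice", hashlib.sha256(b"hunter2").hexdigest())
    return server.login(*captured), server.login(*captured)


def demo_challenge():
    """Same sniffing against challenge-response.
    Returns (first, replay, replay_after_new_challenge)."""
    server = ChallengeServer()
    nonce = server.challenge("alice")
    captured = ("alice", nonce, client_response("hunter2", nonce))
    first = server.login(*captured)
    replay = server.login(*captured)         # nonce already consumed
    server.challenge("alice")                # a new nonce is outstanding now
    replay_again = server.login(*captured)   # old nonce does not match
    return first, replay, replay_again


if __name__ == "__main__":
    print("naive server:    ", demo_naive())       # (True, True)
    print("challenge server:", demo_challenge())   # (True, False, False)
```

Note what the fix does and does not do: the attacker can still capture the exchange, and the password hash is still sent over the wire in the naive design, but with a challenge the captured response only ever proves possession of the secret for one nonce that the server never asks about again.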

Message Modification

In a message modification attack, the message sent by the sender reaches a third party sitting between the sender and the receiver, who alters it before passing it on. The attacker may flip bits, insert malicious content, delete part of the message, or reorder or delay messages.

The figure below explains the message modification.

message modification
  • As shown in the picture, the sender sends the receiver a message saying "you have to pay me $10". The attacker intercepts the message, changes it to "you have to pay me $100", and sends it on to the receiver.
  • The receiver receives the modified message, not the original. Because the attacker relays traffic between the two parties while altering it, this is a form of man-in-the-middle (MITM) attack.
  • To get into that position, the attacker diverts the traffic of the sender and receiver through himself, for example by ARP spoofing on a LAN, DNS hijacking, or BGP route hijacking.
  • Message modification compromises the integrity of the message; if the attacker also reads it, confidentiality is lost as well.
  • The modification can also cause a delay in message delivery or the loss of the message.
  • To prevent message modification attacks, the message must carry a message authentication code (MAC) or a digital signature computed over its contents with a key the attacker does not have; a plain message digest (hash) without a key is not enough, because the attacker can simply recompute it for the modified message. Symmetric-key or asymmetric-key encryption provides confidentiality, but encryption alone does not guarantee integrity: with stream ciphers and several block-cipher modes, flipping a ciphertext bit flips the corresponding plaintext bit. Authenticated encryption (for example AES-GCM) provides both properties at once.
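The bit-flipping point above, shown on a payment message, as an added example that is not part of the original tutorial. The cipher is a toy keystream built from SHA-256 so the example runs with the standard library alone (an assumption of this example; use AES-GCM or ChaCha20-Poly1305 in practice). The message is a constructed sample, and the amount is changed from 10 to 99 rather than from $10 to $100 so that its length stays the same, which is what a XOR-based modification requires.

```python
"""Message modification against encryption-only vs. authenticated encryption
(added example, not from the tutorial)."""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks. Never reuse a
    (key, nonce) pair; doing so leaks the XOR of the two plaintexts."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def tamper(ciphertext, offset, known, wanted):
    """Attacker's move: with no key at all, flip the ciphertext bits under a
    known piece of plaintext so that it decrypts to `wanted` instead."""
    patched = bytearray(ciphertext)
    for i, d in enumerate(xor(known, wanted)):
        patched[offset + i] ^= d
    return bytes(patched)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ciphertext = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(enc_key, mac_key, nonce, ciphertext, tag):
    """Verify the tag before touching the ciphertext; None means 'tampered'."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ciphertext)


def demo():
    """Returns what the receiver sees with encryption only, and with a MAC."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    message = b"pay alice 10 usd"        # constructed sample
    at = message.index(b"10")            # the attacker knows the message format

    ciphertext = encrypt(enc_key, nonce, message)
    forged = tamper(ciphertext, at, b"10", b"99")
    encryption_only = decrypt(enc_key, nonce, forged)    # receiver gets b"pay alice 99 usd"

    ciphertext, tag = seal(enc_key, mac_key, nonce, message)
    forged = tamper(ciphertext, at, b"10", b"99")
    authenticated = unseal(enc_key, mac_key, nonce, forged, tag)   # None: rejected
    return encryption_only, authenticated


if __name__ == "__main__":
    print(demo())
```

The attacker never learns the key and never reads the message, yet the encryption-only receiver decrypts a perfectly valid-looking "pay alice 99 usd"; with the MAC in place the same modification is rejected before decryption. Order matters: verify the tag first, then decrypt, and never act on ciphertext whose tag failed.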

Denial of Service (DoS)

Website resources are stored on a server: when a client requests a page, it communicates with the server and the server returns the resource. In a denial-of-service (DoS) attack, the attacker floods the server with a volume of requests it cannot handle, often from spoofed source IP addresses so that the traffic is hard to trace or filter, and exhausts its bandwidth, connection table, memory, or CPU so that legitimate users are denied access. The attacker does not gain access to the server's resources; he makes them unavailable to everyone else.

The diagram below explains the denial-of-service attack.

denial-of-service attack
  • As shown in the figure, the client wants to access the website running on the server. The client sends a request and the server responds with the resource. This is the normal scenario.
  • In the second figure, the attacker comes into play. A server can handle only a limited number of requests at a time: its bandwidth, connection table, and processing capacity define the load it can carry.
  • The attacker exploits this limited capacity by sending requests far faster than the server can answer them. A single attacking host may spoof many source IP addresses so that the flood does not appear to come from one address.
  • More commonly the attacker controls a botnet: a large number of compromised real machines (bots), each with its own IP address, all taking orders from the attacker. The bots are real computers; what is fake is the appearance of many independent users.
  • The attacker instructs the bots to send a large number of requests to the server. Together they tie up all the resources on the server.
  • After that, when a real user sends a request, the server cannot serve it because its resources are already consumed by the attack traffic.
  • Because the attack traffic arrives from many sources at once, this is known as a Distributed Denial of Service (DDoS) attack, and it is much harder to filter than a flood from a single address.
  • Under a DDoS attack the web server goes down or becomes extremely slow, and the actual users who want to access the website cannot.
  • If the site is frequently down, response time rises sharply, or server resources are exhausted without a matching rise in legitimate use, a DDoS attack may be under way; confirm it by comparing the request rate per source and the total request rate against the server's capacity.
  • Network monitoring tools let administrators watch the traffic and raise alerts on abnormal request rates. Firewalls and rate limiting drop excess or unauthorised traffic before it reaches the web server, and upstream scrubbing or content-delivery services absorb volumetric floods that exceed the site's own bandwidth. Finally, keeping network devices and systems patched removes the bugs that let a single crafted packet crash a service.
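The detection logic from the last two bullets applied to a web-server access log, as an added example that is not part of the original tutorial. The log lines are constructed in Common Log Format with hypothetical addresses: a few normal requests, then a 40-request burst from one host (a single-source flood), then 150 requests spread over 25 hosts, each of which stays below the per-source limit (the distributed case). The window and the two thresholds are assumptions for the sample, to be tuned to a real server's measured capacity.

```python
"""Sliding-window flood detection over constructed access-log lines
(added example, not from the tutorial)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Month names handled by hand so the example does not depend on the process locale.
MON = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTHS = {name: i for i, name in enumerate(MON, 1)}


def clf_line(ip, when, path="/index.html", status=200):
    """Format one Common Log Format line (used only to build the constructed sample)."""
    stamp = f"{when.day:02d}/{MON[when.month - 1]}/{when.year}:{when:%H:%M:%S} +0000"
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 2326'


BASE = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
# Constructed sample log (hypothetical addresses): 5 normal requests, then a
# 40-request burst from one host, then 150 requests spread over 25 hosts.
SAMPLE_LOG = (
    [clf_line("10.0.0.5", BASE + timedelta(seconds=15 * i)) for i in range(5)]
    + [clf_line("203.0.113.9", BASE + timedelta(seconds=100 + i * 0.1)) for i in range(40)]
    + [clf_line(f"198.51.100.{1 + j % 25}", BASE + timedelta(seconds=200 + j * 0.05))
       for j in range(150)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def clf_time(ts):
    """'10/Oct/2023:13:55:36 +0000' -> POSIX seconds, applying the offset by hand."""
    day, mon, rest = ts.split("/")
    year, hh, mm, ss_off = rest.split(":")
    ss, off = ss_off.split()
    local = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=timezone.utc)
    sign = 1 if off[0] == "+" else -1
    return (local - sign * timedelta(hours=int(off[1:3]), minutes=int(off[3:5]))).timestamp()


def parse(line):
    """Return (ip, seconds, method, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, clf_time(ts), method, path, int(status)


def detect_floods(lines, window=10.0, per_source_limit=30, total_limit=100):
    """Count requests in a sliding time window, per source and overall.
    Thresholds are assumptions for the sample; tune them to the server's capacity."""
    entries = sorted((e for e in map(parse, lines) if e), key=lambda e: e[1])
    per_source, everyone = defaultdict(deque), deque()
    flagged, aggregate = set(), False
    for ip, t, *_ in entries:
        for q in (per_source[ip], everyone):
            q.append(t)
            while t - q[0] > window:        # drop requests older than the window
                q.popleft()
        if len(per_source[ip]) > per_source_limit:   # one loud source: classic DoS
            flagged.add(ip)
        if len(everyone) > total_limit:               # many quiet sources: DDoS
            aggregate = True
    return {"flooding_sources": flagged, "aggregate_flood": aggregate}


if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG))
```

The per-source counter alone would miss the distributed burst entirely, since no bot exceeds 30 requests; the aggregate counter catches it but cannot say which addresses to block, which is why the practical response to a DDoS is rate limiting and upstream scrubbing rather than a firewall rule per attacker.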

Masquerade Attack

A masquerade attack is an active attack in which the attacker takes on the identity of an authorised user, by stealing credentials, spoofing addresses, or hijacking a session, and uses it to pretend that he is that user.

The diagram below explains the masquerade attack.

masquerade attack
  • PC-1 and PC-2 are communicating with each other, and the attacker wants the information they exchange.
  • The attacker steals PC-2's username and password and pretends to be PC-2.
  • PC-1 thinks the attacker is PC-2, so it sends the messages meant for PC-2 to the attacker instead.
  • Although each device has a unique IP address, the attacker can also spoof PC-2's IP (or MAC) address so that PC-1 trusts that it is talking to PC-2.
  • The attacker has used another party's legitimate identity information to defeat access control. A masquerade often builds on a passive attack (captured credentials) or on a replay.
  • The attacker can obtain the end user's username and password through phishing, brute-force attacks, dictionary attacks, or credential leaks from other sites.
  • To prevent masquerade attacks, use long, unique passwords, enable two-factor authentication so that a stolen password alone is not enough, authenticate devices cryptographically rather than by IP address, and log out (invalidating the session) when communication is complete.

Active Attack Vs Passive Attack

The table below shows the comparison between an active attack and a passive attack.

Key           | Active Attack                                                        | Passive Attack
Definition    | The attacker reads and modifies the data, or disrupts the service    | The attacker only reads or observes the data
Effect        | Can alter or damage the system and its data                          | Does not alter the system; information leaks only
Threat to     | Message integrity and availability (and confidentiality if he reads) | Message confidentiality
Detection     | Comparatively easy: something observable changes                     | Difficult: nothing changes, so the focus is on prevention
Attacker can  | Modify, inject, replay, or block traffic                             | Only observe the communication in the network
Examples      | Replay, message modification, denial of service (DoS), masquerade    | Message content release, traffic analysis

Key Points to Remember

Here is the list of key points to remember about active and passive attacks.

  • In a passive attack, the attacker can only read or observe the data and cannot modify it.
  • In an active attack, the attacker modifies, injects, or replays data, impersonates a party, or disrupts the service.
  • Message content release and traffic analysis are passive attacks, while replay attacks, message modification, denial of service (DoS), and masquerade are active attacks.
  • In a message content release attack, the attacker views the confidential information of the hosts, whereas in traffic analysis he cannot see the data but learns who is talking to whom, how often, and how much.
  • The attacker gets into position for a replay attack by ARP spoofing or by planting malicious code on an end device; the defence is a fresh, single-use value (nonce, timestamp, or session ID) in every exchange.
  • In message modification, the attacker modifies the message by flipping bits, inserting malicious content, or corrupting it. Message modification compromises message integrity (and confidentiality if the attacker also reads it); a keyed MAC or digital signature detects it, encryption alone does not.
  • In a DoS attack, the attacker floods the server with more requests than it can handle, often from spoofed or many distributed (DDoS) source addresses, exhausting its resources so that legitimate users are denied access.
  • In a masquerade attack, the attacker obtains an authorised user's identity (credentials, address, or session) and uses it to pretend that he is that user.

Manish Bhojasia - Founder & CTO at Sanfoundry
Manish Bhojasia, a technology veteran with 20+ years @ Cisco & Wipro, is Founder and CTO at Sanfoundry. He lives in Bangalore, and focuses on development of Linux Kernel, SAN Technologies, Advanced C, Data Structures & Algorithms.
