What is a Replay Attack?
Learn what a replay attack is, how captured valid traffic gets resent, and defenses like nonces and timestamps.
Expected Interview Answer
A replay attack is when an attacker captures a legitimate, valid piece of network traffic — such as an authentication token or transaction request — and retransmits it later, unmodified, to trick a system into repeating the original action without needing to break any encryption.
Because the attacker never needs to decrypt or alter the captured data, a replay attack can succeed even against strongly encrypted traffic if the receiving system only checks that a message is well-formed and validly signed, not whether it has already been seen before. A classic example is capturing an encrypted login request or a signed 'transfer funds’ message and resending it later to log in again or repeat the transfer. Defenses rely on making each message unique and time-bound: nonces (single-use random values), sequence numbers, and timestamps let a receiver reject any message it has already processed or that has expired, which is exactly why TLS session establishment and protocols like Kerberos include these mechanisms. Without such protections, even a perfectly encrypted channel offers no guarantee that a captured message can’t simply be replayed to repeat an action.
- Succeeds without ever breaking encryption, only capturing and resending traffic
- Exploits systems that verify signatures/encryption but not message freshness
- Countered with nonces, sequence numbers, and timestamps
- Highlights why encryption alone is insufficient without freshness/integrity checks
AI Mentor Explanation
A replay attack is like someone recording the umpire’s exact radio call of 'that’s out, LBW' from a previous match and playing it back during a live game to make it sound like a real, current decision. The recording is a perfectly genuine, unaltered call, but replaying it out of context makes it falsely trigger an action in the present game. This is exactly how a replay attack works: no forgery is needed, only a valid message reused at the wrong time.
Step-by-Step Explanation
Step 1
Capture traffic
The attacker intercepts a legitimate, valid message such as an authentication token or signed request.
Step 2
Store unmodified
The captured message is kept exactly as-is; the attacker never needs to decrypt or alter it.
Step 3
Retransmit later
The attacker resends the identical message to the receiving system at a later time.
Step 4
Action repeats
If the receiver only checks validity, not freshness, it processes the message again, repeating the original action.
What Interviewer Expects
- Correct definition: resending a captured, valid message to repeat an action
- Understands the attack succeeds without breaking encryption
- Names concrete defenses: nonces, sequence numbers, timestamps
- Gives a realistic example (auth token, signed transaction)
Common Mistakes
- Assuming replay attacks require decrypting the captured traffic
- Confusing a replay attack with a man-in-the-middle attack
- Not naming any freshness mechanism (nonce, timestamp, sequence number) as a defense
- Thinking HTTPS alone automatically prevents replay attacks
Best Answer (HR Friendly)
“A replay attack is when someone captures a legitimate piece of network traffic, like a login request, and simply resends it later to trick the system into repeating that action, without ever needing to break the encryption. It works because some systems only check that a message looks valid, not whether it is fresh, which is why protections like one-time tokens and timestamps exist to stop a captured message from being reused.”
Code Example
import time
seen_nonces = set()
MAX_AGE_SECONDS = 60
def verify_request(nonce, timestamp, signature, payload):
# Reject if the message is too old
if abs(time.time() - timestamp) > MAX_AGE_SECONDS:
raise ValueError("Request expired, possible replay")
# Reject if this exact nonce has already been used
if nonce in seen_nonces:
raise ValueError("Nonce already used, replay detected")
if not signature_is_valid(signature, payload):
raise ValueError("Invalid signature")
seen_nonces.add(nonce)
return TrueFollow-up Questions
- How do nonces prevent replay attacks?
- Why is a timestamp alone sometimes insufficient to stop replay attacks?
- How does TLS session establishment defend against replay attacks?
- What is the difference between a replay attack and a man-in-the-middle attack?
MCQ Practice
1. What defines a replay attack?
A replay attack resends an already-valid, captured message exactly as-is to repeat its effect.
2. Which mechanism most directly prevents a replay attack?
Nonces and timestamps let a receiver detect and reject a previously seen or expired message.
3. Why can a replay attack succeed even against encrypted traffic?
Since the message is resent unmodified, the attacker doesn't need to break the encryption at all.
Flash Cards
What is a replay attack? — Capturing a valid message and resending it later to repeat its original effect.
Does a replay attack require breaking encryption? — No — the message is resent exactly as captured, unmodified.
Main defenses? — Nonces (single-use values), sequence numbers, and timestamps that enforce freshness.
Example of a replay attack? — Resending a captured, valid signed “transfer funds” request to repeat the transfer.