Monday, December 13, 2010

RTS/CTS and you!

Imagine the following scenario:

It’s 2005 and you are at a convention.

There are hundreds of Wi-Fi devices around you. There are tens of APs. Not your run of the mill Linksys or Dlink APs but real enterprise grade, controller based APs. You fire up you trusty AirMagnet Wi-Fi Analyzer and what do you see? Specifically you see 10 APs and 700 STAs. A little math later and you realize that there are 70 Wireless Mobile devices (STAs) per AP.

“That’s Crazy!” you scream in your head. There isn’t enough capacity on this 802.11b/g network. You are correct. Then you start to imagine what is really happening and how many of the STAs cannot see one another because the network was implemented at MAX power and many STAs talking to the same AP cannot “hear” one another. Collisions go up, retries go up. Throughput crumbles and dies on the floor.

But help is on the way, the WLAN admin enables RTS/CTS in the controller and people start to behave nicely. Each STA sends and RTS and waits for the CTS from the AP before speaking. Collisions diminish. Retries diminish. Throughput gets up off the floor and makes a go at it again and you see some overall improvement. It’s still not pretty but it is better. “Great work WLAN admin!” you say to yourself.

What just happened? AirMagnet WI-Fi Analyzer says, To deal with contention, “the IEEE 802.11 standard includes the RTS/CTS (Request-To-Send/Clear-To-Send) functionality to control the station's access to the RF medium. The wireless device ready for transmission sends a RTS frame in order to acquire the right to the RF medium for a specific time duration. The receiver grants the request by sending a CTS frame of the same time duration. All wireless devices observing the CTS frame should yield the media to the transmitter for transmission without contention.”

This also eliminates a hidden node issue. Again, the AirMagnet Wi-Fi Analyzer says, “A hidden station problem occurs when a wireless node cannot “hear” one or more of the other nodes, and thus the media access protocol (CSMA/CA - Carrier Sense Multiple Access/Collision Avoidance) cannot function properly. When this happens, multiple nodes will attempt to transmit their data over the shared medium simultaneously, causing signal interference with one another. For example, imagine there are two 802.11 end-users (Station A and Station B) and one access point. Station A and Station B can't “hear” each other because of high attenuation (e.g. substantial range), but they can both communicate with the same access point. Because of this situation, Station A may begin sending a frame without noticing that Station B is currently transmitting (or vice versa). This will very likely cause a collision between Station A and Station B to occur at the access point. As a result, both Station A and Station B would need to re-transmit their respective packets, which results in higher overhead and lower throughput.”

Turning on the RTS/CTS then allows the hidden node to function without collisions.

Its 2011 and you are at work

Now fast forward to today. You are sitting in your cubicle and trying to understand what you see on the screen of your AirMagnet tool. It says, “Denial-of-Service Attack: CTS Flood”. Here is the detail text:
Description: In channel 6 2.437GHz, the system has detected 1800 CTS frames in the last minute, which matches the traffic pattern of the form of denial-of-service attack, CTS (Clear-To-Send) attack. A wireless denial-of-service attacker may suspend the wireless media for communication by taking advantage of the privilege of CTS frame to reserve RF medium for transmission. By transmitting back to back CTS frames, an attacker can force other wireless devices sharing the RF medium to hold back its transmission until the attacker stops transmitting the CTS frames.
“Why would someone be Dos’ing us?”, You inquire. “And why this particular attack?”, you wonder. “And why did he tell me all that other stuff about contention first?”, You ask.

The answer is interesting but requires another scenario. Imagine the following. There is a room with an 802.11b/g AP in it (It doesn’t matter if it is controller based or autonomous). There are 20 STAs attached to the AP and they are all 802.11g devices. That means that all the management traffic (beacons, probe requests, probe responses, etc) are 1Mb/s CCK modulated and all data traffic is faster (6-54Mb/s) OFDM modulated. Are you with me so far? Good. Here is the fun part.

An 802.11b STA walks into the room. He only speaks 1Mb/s-11Mb/s CCK modulated data traffic. So he starts jabbering while the “g” clients are talking and creates a bunch of collisions. Why? Because he cannot “hear” OFDM modulation. He has no idea that the “g” STAs are talking.

“That’s silly”, you say, “The IEEE would never allow that to happen”. Correct you are, Padawan. They re-used a function they already had, specifically to deal with this. And as you have probably already guessed what it is - RTS/CTS. RTS and CTS frames are 1Mb/s CCK modulated so it is as if the “g” STAs all asked for contention slots to send data and the “b” STA heard the CTS and went quiet until it was his/her turn.

But why the alarm? Well, what really happened was that awhile ago various card manufacturers as well as the IEEE noticed a problem and a loophole in the RTS/CTS scheme.
  • The problem : most APs are usually not configured to do RTS/CTS. Also, STAs may not decide to use it.
  • The loophole: The CTS frame does not have a source MAC.
No one really knows who sent the CTS frame. It could be anyone. Thus, “CTS Flooding” and “CTS-to-self” was born.

CTS Flood

Remember, The AirMagnet Wi-Fi Analyzer describes how hackers use CTS floods as follows, “A wireless denial-of-service attacker may take advantage of the privilege granted to the CTS frame to reserve the RF medium for transmission. By transmitting back-to-back CTS frames, an attacker can force other wireless devices sharing the RF medium to hold back their transmission until the attacker stops transmitting the CTS frames.” Because all STAs obey the CTS rule and also because CTS frames have no source MAC address, hackers love this attack. Please do follow the advice and go look for the hacker just to be sure but maybe something else is going on instead.


CTS-to-self is a protection mechanism (a method for protecting your frames from collision). A STA wants to talk so he does away with the RTS/CTS handshake altogether and just sends himself a CTS frame. No one wonders about the source of the frame and everyone allows that STA a time slot to send his/her data. However, in our example, this is completely unnecessary if protection is unneeded. If, for example, there is no one to protect the OFDM modulated traffic from.

Thus until the “b” STA walks in there are no CTS frames. The second he joins the AP everyone goes mad with CTS-to-self. In fact the “b” doesn’t even have to be on the same AP, just in range.

“Wait a gosh darn minute!” you yell, “That isn’t a DoS attack. That is a naturally occurring condition of the network. No hackers are bringing me down”. While this might be true, there may not be a hacker DoS’ing you, you are, never the less, definitely under a DoS attack. Especially if the 1800 CTS Frames/minute threshold is reached. This is because at 1800frames/minute you reach the 30fps value needed to cause a sever reduction in throughput. You are being denied access to the medium because you are waiting for your slot time to speak and it never arrives because everyone wants a slot time. You are being denied service. Now isn’t that the definition of a DoS attack?

Monday, August 16, 2010

How to (really) find a Rogue AP

I want to tackle a problem that most people think of having been solved a long time ago. Rogue Access Points (I can almost hear the groans). Seriously, it deserves another look. Why? Well, to be truthful, I think when trying to track down and physically remove the AP, most people do it wrong.

While almost every infrastructure vendor has a method for the determination and mitigation of an unauthorized access point, what they cannot do is physically remove the device from your premises. No WLAN WIPS robot has yet been created to go out to a facility and track down exactly where a rogue is and then pick it up and deposit it in a dumpster or ask the owner to please take it home or whatever it is your security policy says you should do when one of these is found.

Instead, we rely on both our infrastructure and a variety of laptop or handheld based software tools to assist us in this task and then we send a real flesh and blood person out to do this. This is where the major mistakes are usually made.

Every person I have met that has this task as one their responsibilities have told me the following, “I want to use a wifi adapter with a directional antenna to find the device. Just point it and it will tell me where to go.” This is wrong. Let me say that again, WRONG!

Let me explain why.

Let’s take one of the “flag” antennas that are fairly popular now (fig. 1).

Fig. 1

 Inside the plastic shell of this device is a Yagi-Uda antenna, commonly called a “yagi”. This is a fancy name for the type of antenna that televisions used to use before cable and satellite. Here is an example of what a yagi looks like without a shell (Fig. 2).

Fig. 2

Antennas professionals use a pattern diagram to describe the sensitivity pattern for the antenna. The diagram shows a pattern view from above and from the side (Fig. 3).

Fig. 3

The left view is looking down on the antenna from above known as the azimuth view and the right view is from the side and is known as the elevation view. This illustrates the amount of gain this antenna gets in any particular direction.  The problem here is when you start to use a high gain (in this case 8dBi) antenna indoors you get some strange effects due to the lobes described by the diagram above.

Here is an example. You are determined to remove a Rogue AP physically from your building. You stand in the building and aim your antenna. As you sweep left and right you watch the signal strength of your rogue finding tool. In this case we will use the find tool in the AirMagnet Wi-Fi Analyzer (Fig. 4).

Fig. 4

You monitor the signal strength and figure that when you are aiming right at the AP it will be the strongest. The graph will be at a peak and the meter will show the highest signal strength. However the signal is herky-jerky and very difficult to know when you are aiming right at the Rogue. Sometimes it is high when you are way over to the right and sometimes it is just as high when you are pointing to the left. Why is that? Shouldn’t it just be obvious when you have the device in your sights? No. Let me show you why.

As you aim your directional antenna the gain field of the antenna sweeps out ahead of you and you get a high reading as expected when pointing right at it (Fig. 5).

Fig. 5

Then as you sweep away to the right the signal drops when you hit the gap between the primary and secondary lobe (Fig. 6).

Fig. 6

Then the signal jumps up again as you enter the second lobe (Fig. 7).

Fig. 7

Also it may jump again as the signal bounces off of the walls and reflect back towards you (Fig. 8) since when you aim directly at the Rogue AP the signal is attenuated by the internal walls but the signal reflected back to you is clear.

Fig. 8

You see the directional antenna with a very high gain can be fooled. A user may spend 20 minutes trying to track down this device sweeping left and right trying to find the correct direction.

There is a better way. I will show you how to find a Rogue AP in just a minute or two and as a bonus you get some great exercise as well.

The key here, counter-intuitively, is to use an omnidirectional antenna and walk very fast. The technique is quick and accurate. You will find the rogue in less than a minute, whereas with the previous method it may take many minutes or more.

The first step is to stand at the edge of the building and walk perpendicular to the wall. It is very important that you walk fast as the graph you will be watching will be jiggling around and you will need to be able to observe a distinct change to the graph which will be easier the faster you walk. Keep your eye on that graph and when it peaks and starts to decline, stop and back up to the area where it peaked (Fig. 9).

Fig. 9

Now turn 90° to either the right or left and start walking that direction quickly as well. If your signal immediately declines, reverse your course and walk the other direction (Fig. 10).

Fig. 10

Once again, when the signal peaks and starts to decline, turn 90° and walk quickly. In this way, you will box in on your objective and be able to walk right up to it and remove it (Fig. 11).

Fig. 11

I think once you have tried this method you will be extremely pleased with the result. If you have tried to use a directional antenna to find a Rogue AP in the past, you will know that you can spend quite a great deal of time aiming your antenna before you even try to move towards the device. Then when do start to move around the results are hard to determine and you tend to move slowly and carefully. This method that I have described is fast and efficient and enables you to quickly find your problem Rogue AP.

Our AirMagnet class instructor has taught over 5000 students how to use this method and it really is more efficient.  Try it out and let me know what you think.