Monday, December 13, 2010

RTS/CTS and you!

Imagine the following scenario:

It’s 2005 and you are at a convention.

There are hundreds of Wi-Fi devices around you. There are tens of APs. Not your run of the mill Linksys or Dlink APs but real enterprise grade, controller based APs. You fire up you trusty AirMagnet Wi-Fi Analyzer and what do you see? Specifically you see 10 APs and 700 STAs. A little math later and you realize that there are 70 Wireless Mobile devices (STAs) per AP.

“That’s Crazy!” you scream in your head. There isn’t enough capacity on this 802.11b/g network. You are correct. Then you start to imagine what is really happening and how many of the STAs cannot see one another because the network was implemented at MAX power and many STAs talking to the same AP cannot “hear” one another. Collisions go up, retries go up. Throughput crumbles and dies on the floor.

But help is on the way, the WLAN admin enables RTS/CTS in the controller and people start to behave nicely. Each STA sends and RTS and waits for the CTS from the AP before speaking. Collisions diminish. Retries diminish. Throughput gets up off the floor and makes a go at it again and you see some overall improvement. It’s still not pretty but it is better. “Great work WLAN admin!” you say to yourself.

What just happened? AirMagnet WI-Fi Analyzer says, To deal with contention, “the IEEE 802.11 standard includes the RTS/CTS (Request-To-Send/Clear-To-Send) functionality to control the station's access to the RF medium. The wireless device ready for transmission sends a RTS frame in order to acquire the right to the RF medium for a specific time duration. The receiver grants the request by sending a CTS frame of the same time duration. All wireless devices observing the CTS frame should yield the media to the transmitter for transmission without contention.”


This also eliminates a hidden node issue. Again, the AirMagnet Wi-Fi Analyzer says, “A hidden station problem occurs when a wireless node cannot “hear” one or more of the other nodes, and thus the media access protocol (CSMA/CA - Carrier Sense Multiple Access/Collision Avoidance) cannot function properly. When this happens, multiple nodes will attempt to transmit their data over the shared medium simultaneously, causing signal interference with one another. For example, imagine there are two 802.11 end-users (Station A and Station B) and one access point. Station A and Station B can't “hear” each other because of high attenuation (e.g. substantial range), but they can both communicate with the same access point. Because of this situation, Station A may begin sending a frame without noticing that Station B is currently transmitting (or vice versa). This will very likely cause a collision between Station A and Station B to occur at the access point. As a result, both Station A and Station B would need to re-transmit their respective packets, which results in higher overhead and lower throughput.”


Turning on the RTS/CTS then allows the hidden node to function without collisions.

Its 2011 and you are at work

Now fast forward to today. You are sitting in your cubicle and trying to understand what you see on the screen of your AirMagnet tool. It says, “Denial-of-Service Attack: CTS Flood”. Here is the detail text:
Description: In channel 6 2.437GHz, the system has detected 1800 CTS frames in the last minute, which matches the traffic pattern of the form of denial-of-service attack, CTS (Clear-To-Send) attack. A wireless denial-of-service attacker may suspend the wireless media for communication by taking advantage of the privilege of CTS frame to reserve RF medium for transmission. By transmitting back to back CTS frames, an attacker can force other wireless devices sharing the RF medium to hold back its transmission until the attacker stops transmitting the CTS frames.
“Why would someone be Dos’ing us?”, You inquire. “And why this particular attack?”, you wonder. “And why did he tell me all that other stuff about contention first?”, You ask.

The answer is interesting but requires another scenario. Imagine the following. There is a room with an 802.11b/g AP in it (It doesn’t matter if it is controller based or autonomous). There are 20 STAs attached to the AP and they are all 802.11g devices. That means that all the management traffic (beacons, probe requests, probe responses, etc) are 1Mb/s CCK modulated and all data traffic is faster (6-54Mb/s) OFDM modulated. Are you with me so far? Good. Here is the fun part.

An 802.11b STA walks into the room. He only speaks 1Mb/s-11Mb/s CCK modulated data traffic. So he starts jabbering while the “g” clients are talking and creates a bunch of collisions. Why? Because he cannot “hear” OFDM modulation. He has no idea that the “g” STAs are talking.

“That’s silly”, you say, “The IEEE would never allow that to happen”. Correct you are, Padawan. They re-used a function they already had, specifically to deal with this. And as you have probably already guessed what it is - RTS/CTS. RTS and CTS frames are 1Mb/s CCK modulated so it is as if the “g” STAs all asked for contention slots to send data and the “b” STA heard the CTS and went quiet until it was his/her turn.

But why the alarm? Well, what really happened was that awhile ago various card manufacturers as well as the IEEE noticed a problem and a loophole in the RTS/CTS scheme.
  • The problem : most APs are usually not configured to do RTS/CTS. Also, STAs may not decide to use it.
  • The loophole: The CTS frame does not have a source MAC.
No one really knows who sent the CTS frame. It could be anyone. Thus, “CTS Flooding” and “CTS-to-self” was born.

CTS Flood

Remember, The AirMagnet Wi-Fi Analyzer describes how hackers use CTS floods as follows, “A wireless denial-of-service attacker may take advantage of the privilege granted to the CTS frame to reserve the RF medium for transmission. By transmitting back-to-back CTS frames, an attacker can force other wireless devices sharing the RF medium to hold back their transmission until the attacker stops transmitting the CTS frames.” Because all STAs obey the CTS rule and also because CTS frames have no source MAC address, hackers love this attack. Please do follow the advice and go look for the hacker just to be sure but maybe something else is going on instead.

CTS-to-self

CTS-to-self is a protection mechanism (a method for protecting your frames from collision). A STA wants to talk so he does away with the RTS/CTS handshake altogether and just sends himself a CTS frame. No one wonders about the source of the frame and everyone allows that STA a time slot to send his/her data. However, in our example, this is completely unnecessary if protection is unneeded. If, for example, there is no one to protect the OFDM modulated traffic from.

Thus until the “b” STA walks in there are no CTS frames. The second he joins the AP everyone goes mad with CTS-to-self. In fact the “b” doesn’t even have to be on the same AP, just in range.

“Wait a gosh darn minute!” you yell, “That isn’t a DoS attack. That is a naturally occurring condition of the network. No hackers are bringing me down”. While this might be true, there may not be a hacker DoS’ing you, you are, never the less, definitely under a DoS attack. Especially if the 1800 CTS Frames/minute threshold is reached. This is because at 1800frames/minute you reach the 30fps value needed to cause a sever reduction in throughput. You are being denied access to the medium because you are waiting for your slot time to speak and it never arrives because everyone wants a slot time. You are being denied service. Now isn’t that the definition of a DoS attack?

6 comments:

  1. Nicely done Bruce.

    You explained RTS/CTS very well. I'll have to share this link with my students!

    Keith

    ReplyDelete
  2. Thanks! Let me know if I got anything wrong.

    ReplyDelete
  3. i learned a lot. thanks!

    ReplyDelete
  4. Great--on the Internet informative blog posts like this keep on giving. This really gave me the clues I needed to fix a wireless problem at home.

    ReplyDelete
  5. Bruce,
    small correction to the sentence "the management traffic (beacons, probe requests, probe responses, etc) are 1Mb/s CCK modulated and all data traffic is faster (6-54Mb/s) OFDM modulated".

    Correction: Error is in the phrase "1Mb/s CCK modulated". Please note that 1Mbps is not CCK modulated . This is BPSK modulated. SO the phrase should be " 1Mb/s PSK modulated".

    ReplyDelete