Proceedings of the International Conference on
Pattern Recognition, Informatics and Mobile Engineering (PRIME) February 21-22, 2013
978-1-4673-5845-3/13/$31.00©2013 IEEE
Simulation and Analysis of RTS/CTS DoS Attack
Variants in 802.11 Networks
PMD Nagarjun
School of Information
Technology & Engineering,
VIT University
Vellore, India.
pmd.nagarjun@gmail.com
V Anil Kumar
CSIR Centre for
Mathematical Modelling and
Computer Simulation,
Bangalore, India
anil@cmmacs.ernet.in
Ch Aswani Kumar
School of Information
Technology & Engineering,
VIT University
Vellore, India.
cherukuri@acm.org
Ahkshaey Ravi
CSIR Centre for
Mathematical Modelling and
Computer Simulation,
Bangalore, India
ahkshay@isim.net.in
Abstract— Denial-of-Service (DoS) attacks have become a
widespread problem on the Internet. These attacks are easy to
execute. Low rate attacks are relatively new variants of DoS
attacks. Low rate DoS attacks are difficult to detect because the
attacker sends an attack stream with low volume, and the
countermeasures used to handle high rate DoS attacks are not
suitable for these types of attacks. The RTS/CTS attack is one type
of Low rate DoS attack.
In this paper, we analyze the RTS/CTS attack, which exploits the
medium reservation mechanism of 802.11 networks through the
duration field. We propose variants of RTS/CTS attacks in
wireless networks. We simulate the attacks' behaviour in the ns2
simulation environment to demonstrate the feasibility of the attacks
as well as their potential negative impact on 802.11 based
networks. We have created an application that can create a test bed
environment for the attacks, perform RTS/CTS
attacks and generate suitable graphs to analyze the attacks'
behaviour. We also briefly discuss possible ways of detecting and
mitigating such Low rate DoS attacks in wireless networks.
Keywords—802.11 MAC Layer, Low rate Denial-of-Service
attacks, RTS/CTS attack.
I. INTRODUCTION
The 802.11 standard specifies a common media access
control (MAC) layer, which provides a variety of functions that
support the operation of wireless LANs. In general, the MAC
layer manages and maintains communication between 802.11
stations by coordinating access to a shared radio channel and
utilizing protocols that enhance communication over a
wireless medium. The 802.11 MAC layer uses a dedicated
physical layer, such as 802.11b or 802.11a, to perform the
tasks of carrier sensing, transmission and receiving of 802.11
frames.
802.11 wireless communication happens in two
ways: Infrastructure mode and Ad-hoc mode. In Infrastructure
mode, channel allocation between different nodes is controlled
by a centralized node known as access point (AP). In Ad-hoc
mode there is no designated centralized node to coordinate the
channel allocation. In such cases, the channel allocation
process is distributed among nodes.
CSMA/CA (Carrier Sense Multiple Access/Collision
Avoidance) [1] is the channel access mechanism used by most
wireless LANs. The protocol starts by listening on the channel
(this is called carrier sense), and if it is found to be idle, it
sends the first packet in the transmit queue. If it is busy (either
another node's transmission or interference), the node waits until
the end of the current transmission and then starts the
contention timer (waits a random amount of time). When its
contention timer expires, if the channel is still idle, the node
sends the packet.
In wireless networking, the hidden node problem or hidden
terminal problem occurs when a node is visible from a
wireless AP, but not from other nodes communicating with the
AP. This leads to difficulties in media access control.
A simple and elegant solution to this hidden terminal
problem is to use Request to Send/Clear to Send (RTS/CTS)
frames [2]. RTS/CTS is a handshaking mechanism to reserve
the channel for a specific duration before actual data transfer
starts. The frame formats for RTS and CTS are shown in
Fig. 2 and Fig. 3, respectively.
Figure 1 shows the use of RTS and CTS with the Network
Allocation Vector (NAV) value set [8]. After waiting for a
Distributed Interframe Space (DIFS), the sender issues an RTS
packet. The RTS packet contains the duration of the whole
data transmission. This duration specifies the time interval
necessary to transmit the whole data frame and the
acknowledgement related to it. Every node receiving this RTS
now has to set its NAV in accordance with the duration field.
The NAV specifies the earliest point at which stations can try
to access the medium again. If the receiver receives the RTS, it
replies with a CTS packet after waiting a Short Interframe Space
(SIFS) time. This CTS packet contains the duration field again,
and all stations receiving this packet from the receiver of the
intended data transmission have to adjust their NAV. Now all
the nodes within receiving distance are informed that they
have to wait for more time before accessing the medium.
Basically this mechanism reserves the medium for one sender
exclusively and hence the name, virtual reservation scheme
[7].
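The virtual reservation described above can be traced numerically. The following is an added example, not code from the paper or its ns2 scripts: it computes the RTS and CTS duration fields for one exchange, shows that bystanders near the sender and near the receiver end their NAV at the same instant as the ACK, and includes an illustrative plausibility check on an overheard duration value. The timing constants assume 802.11b with a long preamble, and all function and class names are hypothetical.

```python
import math

# Assumed 802.11b long-preamble timing (microseconds); values are not from the paper.
SIFS, DIFS, PLCP = 10, 50, 192
RTS_LEN, CTS_LEN, ACK_LEN, MAC_OVERHEAD = 20, 14, 14, 28   # bytes
BASIC_RATE = 1            # Mbit/s, assumed rate for RTS/CTS/ACK
MAX_MSDU = 2304           # bytes, largest 802.11 payload

def airtime(nbytes, rate_mbps):
    """Microseconds on air for nbytes at rate_mbps, including PLCP overhead."""
    return PLCP + math.ceil(nbytes * 8 / rate_mbps)

def rts_duration(payload, data_rate):
    """Duration field of an RTS: CTS + DATA + ACK and the three SIFS gaps."""
    return (3 * SIFS + airtime(CTS_LEN, BASIC_RATE)
            + airtime(payload + MAC_OVERHEAD, data_rate)
            + airtime(ACK_LEN, BASIC_RATE))

def cts_duration(rts_dur):
    """The CTS repeats the reservation minus the SIFS and CTS already spent."""
    return rts_dur - SIFS - airtime(CTS_LEN, BASIC_RATE)

class Station:
    """A bystander that only tracks its NAV."""
    def __init__(self):
        self.nav_end = 0
    def overhear(self, frame_end, duration):
        # The NAV only moves forward: a shorter reservation never shrinks it.
        self.nav_end = max(self.nav_end, frame_end + duration)

def simulate_exchange(payload=1500, data_rate=11):
    """Walk one RTS/CTS/DATA/ACK exchange; return the timeline in microseconds."""
    near_sender, near_receiver = Station(), Station()
    rts_end = DIFS + airtime(RTS_LEN, BASIC_RATE)
    rts_dur = rts_duration(payload, data_rate)
    near_sender.overhear(rts_end, rts_dur)                  # hears the RTS only
    cts_end = rts_end + SIFS + airtime(CTS_LEN, BASIC_RATE)
    near_receiver.overhear(cts_end, cts_duration(rts_dur))  # hears the CTS only
    data_end = cts_end + SIFS + airtime(payload + MAC_OVERHEAD, data_rate)
    ack_end = data_end + SIFS + airtime(ACK_LEN, BASIC_RATE)
    return {"rts_duration": rts_dur, "ack_end": ack_end,
            "nav_near_sender": near_sender.nav_end,
            "nav_near_receiver": near_receiver.nav_end}

def excess_reservation(observed_duration):
    """Microseconds an overheard RTS reserves beyond the longest legitimate
    exchange (maximum payload at the basic rate); 0 means plausible."""
    return max(0, observed_duration - rts_duration(MAX_MSDU, BASIC_RATE))
```

Because stations accept the duration field as received, a monitor can use a bound such as excess_reservation() to flag reservations longer than any real frame exchange could need.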
II. RELATED WORK
Vikram Gupta et al. [3] in their work exploited some of the
vulnerabilities that exist in the 802.11 MAC layer in a wireless
Ad-hoc environment. According to them, the fundamental
reason for DoS at MAC layer is due to the unfairness in media
access, as well as the End-to-End authentication scheme in