Protecting against Virtual Jamming (RTS/CTS) attacks?

Unanswered Question
Jan 28th, 2009

I am new to Wireless, and was wondering how Cisco products guard against "Virtual Jamming" attacks where a station keeps sending RTS/CTS packets, and causes the NAV of all other stations to be reset.

I believe that the "Rogue AP" detection / prevention mechanism in fact uses this very same method to block out rogue access points.

So what prevents a rogue station from doing the same?

I am also not sure if this problem is eliminated in 802.11n due to its full-duplex-like behaviour?


Overall Rating: 4 (2 ratings)
George Stefanick Sat, 02/21/2009 - 10:34

802.11 uses CSMA/CA.

There are 2 ways a radio will sense the medium.

Physical Carrier Sense - is a mech that allows the radio to sense if there are transmissions on the channel.

Virtual Carrier Sense - is the use of RTS/CTS and CTS-to-self to reserve the network with NAV timers.

Yes, you can do DoS attacks with the correct software to 'jam' the MAC layer and not allow ANY radios to talk at ALL.

Rogue detector with the WLC does not operate in this way. It simply spoofs the rogue access point's BSSID and sends deauth frames telling surrounding clients not to attach.
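
The virtual carrier sense described in the post above can be watched from the defender's side. The following is an added example, not part of the original thread and not code from any Cisco product: it parses RTS/CTS frames from a capture and flags addresses that reserve the medium with unusually long or frequent NAV durations. The function names, thresholds and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

RTS, CTS = 0xB, 0xC      # 802.11 control-frame subtypes (frame type 1)

def parse_ctrl(frame: bytes):
    """Return (subtype, duration_us, ra, ta) for an RTS/CTS frame, else None."""
    if len(frame) < 10:
        return None
    fc, dur = struct.unpack_from("<HH", frame)   # Frame Control, Duration/ID
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 1 or subtype not in (RTS, CTS) or dur & 0x8000:
        return None      # not RTS/CTS, or bit 15 set (field is not a duration)
    ra = frame[4:10].hex(":")
    ta = frame[10:16].hex(":") if subtype == RTS and len(frame) >= 16 else None
    return subtype, dur, ra, ta

def detect_nav_abuse(capture, window_us=1_000_000, max_reserved=0.5,
                     long_nav_us=30_000):
    """capture: iterable of (timestamp_us, frame_bytes). Thresholds are
    illustrative assumptions, to be tuned against a baseline of the site."""
    reserved = defaultdict(int)   # (window index, address) -> reserved microseconds
    alerts = []
    for ts, frame in capture:
        parsed = parse_ctrl(frame)
        if parsed is None:
            continue
        _, dur, ra, ta = parsed
        who = ta or ra            # CTS carries only a receiver address
        if dur >= long_nav_us:
            alerts.append(("long_nav", who, ts, dur))
        reserved[(ts // window_us, who)] += dur
    for (win, who), total in sorted(reserved.items()):
        if total > max_reserved * window_us:
            alerts.append(("airtime_hog", who, win, total))
    return alerts

def make_frame(subtype, dur, ra, ta=b""):
    """Build a control frame (FCS omitted) for the constructed sample."""
    return struct.pack("<HH", (subtype << 4) | (1 << 2), dur) + ra + ta

# Constructed sample capture; all addresses are made up (locally administered).
AP, STA, ODD = (bytes.fromhex("0200000000" + x) for x in ("01", "02", "99"))
SAMPLE = [(i * 100_000, make_frame(RTS, 300, AP, STA)) for i in range(5)]
SAMPLE += [(i * 30_000, make_frame(CTS, 32767, ODD)) for i in range(20)]
SAMPLE.append((50_000, b"\x08\x00" + bytes(22)))   # data frame, ignored

if __name__ == "__main__":
    for alert in detect_nav_abuse(SAMPLE):
        print(alert)
```

Addresses in RTS/CTS frames are unauthenticated, so an alert identifies a pattern on the channel to investigate rather than a confirmed device.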

gamccall Thu, 02/26/2009 - 06:59

Any RF communication can be jammed. It doesn't matter what you do with clever packet tricks; if someone puts enough noise on your channel then you have no wireless. There's nothing you can do about that other than have a good incident response plan.

That being the case, why worry about the RTS/CTS problem? That's worrying that your back door is unlocked when your front door can't be locked anyway.

George Stefanick Thu, 02/26/2009 - 08:14

Correct. You can jam the medium as you know. In fact there are many devices that are against FCC regulations that can be used as 'jammers'. But as the poster mentioned he is new to wireless and had specific questions on virtual jamming.

Leo Laohoo Fri, 02/27/2009 - 18:13

It's called Rogue Containment. Using the WLC, you can "contain" a Rogue AP, Rogue Client and Ad-Hoc Rogue. A minimum of 1 AP to a maximum of 4 APs will contain any or all three of the above-mentioned by sending De-Authenticate packets to the target. If there are more than 4 APs available, a round-robin will ensue.

Under Wireless Protection Policy, Auto-Contain Rogue On the Wire (Rogue AP, Client or Ad-Hoc wired to your LAN) is disabled by default.

