Clients can't accociate - TKIP chop-chop attack?

  • 0
  • 1
  • Problem
  • Updated 4 years ago
  • Solved
Hello,

one of our customers has a v2110 controller with AP36xx. Since the beginning of this year they have several APs where clients are not able to (re) connect to. Only a reboot of the AP helps. Than clients are able to connect again.
This behaviour happens every few weeks and under higher load sometimes several times a day.

Many APs on different locations are affected.

The traces we took from the APs prior to reboot have the following log messages in common:
Info        05/28/14 07:15:35: Can't deflect TKIP chop-chop attack--no sta!

The software version is 8.11.06.0006-1

Are there any security procedures implemente which cause this issue or is it a bug?




Photo of Christoph

Christoph

  • 1,842 Points 1k badge 2x thumb

Posted 4 years ago

  • 0
  • 1
Photo of Doug Hyde

Doug Hyde, Technical Support Manager

  • 20,514 Points 20k badge 2x thumb
Hello, 

The quick fix for this is to disable WPA1 and or Auto mode with WPA2. You should set WPA2-AES only. Here is an explanation of the attack - http://wirelessnetworkssecurity.blogspot.com/2013/01/wpa-attacks.html

There is a potential of false positives with clients that are having issues, these are usually driver related. 

-Doug


Photo of Hartmut Sachse

Hartmut Sachse

  • 2,598 Points 2k badge 2x thumb
Good security recommendation, Doug. If no devices require TKIP moving to AES only is a good choice.

If I remember right some client reconnect issues are fixed in newer firmware releases. The 8.11.06.x firmware is really not up to date. I would recommend you to update the firmware to version 8.21.x or 8.32.x. T

he 8.21.x tree is really stable (my experience in several customer installations).
Photo of Christoph

Christoph

  • 1,842 Points 1k badge 2x thumb
Many thanks for your answers.

We know the security limitations of TKIP. But Actually disabling TKIP is not an option. In future we are going to switch over to WPA2 with AES.

Today we did the update to 8.32.

Yet, I'm interest in how the APs behave in case of an TKIP chop-chop attack. Do you have any information on that?

Kind regards
Christoph


Photo of Doug Hyde

Doug Hyde, Technical Support Manager

  • 20,514 Points 20k badge 2x thumb
In the past I have actually seen electrical interference cause the issue too because the wpa tkip keys were received out of order. It was an ap mounted to close to a florescent light ballast. If It's a hacker running chop chop or a bad client our AP's will defend against it by shutting off its radio for 30 seconds to deter the device from learning the key, this also prevents good users from working as well. 

-Doug
Photo of Christoph

Christoph

  • 1,842 Points 1k badge 2x thumb
Thank you Doug, the shutdown of the radio explains some effects.

Kind regards
Christoph

Photo of Volker Kull

Volker Kull

  • 1,830 Points 1k badge 2x thumb
Doug,

we use WPA2+AES in all WLAN services and see a lot of "chop-chop" Errors in the logs.
Is the shutdown caused by this event visible in a logfile ?
Can we disable the 30s radio shutdown function after this Event ?

br
Volker