Header Only - DO NOT REMOVE - Extreme Networks

Clients can't accociate - TKIP chop-chop attack?

  • 4 June 2014
  • 6 replies
  • 411 views

Userlevel 3
Badge
Hello,

one of our customers has a v2110 controller with AP36xx. Since the beginning of this year they have several APs where clients are not able to (re) connect to. Only a reboot of the AP helps. Than clients are able to connect again.
This behaviour happens every few weeks and under higher load sometimes several times a day.

Many APs on different locations are affected.

The traces we took from the APs prior to reboot have the following log messages in common:
Info 05/28/14 07:15:35: Can't deflect TKIP chop-chop attack--no sta!

The software version is 8.11.06.0006-1

Are there any security procedures implemente which cause this issue or is it a bug?

6 replies

Userlevel 7
Hello,

The quick fix for this is to disable WPA1 and or Auto mode with WPA2. You should set WPA2-AES only. Here is an explanation of the attack - http://wirelessnetworkssecurity.blogspot.com/2013/01/wpa-attacks.html

There is a potential of false positives with clients that are having issues, these are usually driver related.

-Doug
Userlevel 4
Badge
Hello,

The quick fix for this is to disable WPA1 and or Auto mode with WPA2. You should set WPA2-AES only. Here is an explanation of the attack - http://wirelessnetworkssecurity.blogspot.com/2013/01/wpa-attacks.html

There is a potential of false positives with clients that are having issues, these are usually driver related.

-Doug

Good security recommendation, Doug. If no devices require TKIP moving to AES only is a good choice.

If I remember right some client reconnect issues are fixed in newer firmware releases. The 8.11.06.x firmware is really not up to date. I would recommend you to update the firmware to version 8.21.x or 8.32.x. T

he 8.21.x tree is really stable (my experience in several customer installations).
Userlevel 3
Badge
Many thanks for your answers.

We know the security limitations of TKIP. But Actually disabling TKIP is not an option. In future we are going to switch over to WPA2 with AES.

Today we did the update to 8.32.

Yet, I'm interest in how the APs behave in case of an TKIP chop-chop attack. Do you have any information on that?

Kind regards
Christoph
Userlevel 7
In the past I have actually seen electrical interference cause the issue too because the wpa tkip keys were received out of order. It was an ap mounted to close to a florescent light ballast. If It's a hacker running chop chop or a bad client our AP's will defend against it by shutting off its radio for 30 seconds to deter the device from learning the key, this also prevents good users from working as well.

-Doug
Userlevel 3
Badge
Thank you Doug, the shutdown of the radio explains some effects.

Kind regards
Christoph
Userlevel 4
Badge
Doug,

we use WPA2+AES in all WLAN services and see a lot of "chop-chop" Errors in the logs.
Is the shutdown caused by this event visible in a logfile ?
Can we disable the 30s radio shutdown function after this Event ?

br
Volker

Reply