[kismac] Re: Strange popup message?

  • From: Bob Cunningham <bob@xxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Tue, 27 Jul 2004 16:02:31 -1000

That's it.  Details (for anyone interested):

All the APs are running WPA. One of the Cisco APs (most of the
stations associate associate with this one) keeps noticing TKIP MIC failures.


If it sees two MIC failureswithin 60 seconds, it applies a "MIC failure hold"
on its radio interface. That's not adjustable. It's probably part of the WPA
"specifications" ... presumably because the message integrity check failures
could be an attack symptom. The Cisco default MIC failure hold time is 60 seconds (which, fortunately is adjustable, because that controls how long the
radio interface is effectively disabled).


Interestingly, the Cisco AP isn't seeing any MIC failures itself.
Instead, it's getting reports of those from various stations; reports
properly encrypted in the then-current group key.

I'm pretty sure nothing is being attacked at this location. It's probably
just interference of some kind. Which ends up as a denial-of-service
thanks to the way APs handle WPA MIC failures ...



On Jul 27, 2004, at 1:03 PM, Michael Rossberg wrote:

Hi Bob,

the one minute thing can only mean that there was a MIC checksum failure. maybe the cisco and the airport are some how incompatible.

mick

On 27. Jul 2004, at 21:35 Uhr, Bob Cunningham wrote:

While testing a combination of Apple and Cisco access points on a network,
I was running kismac (in passive mode on an iBook), and this strange popup
appeared on several *other* folks' PowerBooks. Several times, on
several different PowerBooks, and yes, the wireless network did appear
to go down (several times) after the message(s) appeared:


<Picture 2.pdf>

I've never seen this before, nor did googling it turn up anything.
I strongly doubt kismac triggered it, but I'm not sure ...

Has anyone else seen this?  If so, do you know where it's
coming from and under what circumstances it's generated?


Other related posts: