TKIP Countermeasure caught in the wild!
Saturday, May 15, 2010 at 9:29AM
George

  

I want to share an event you may not see very often in the wild: a TKIP countermeasure.

What is a TKIP countermeasure and why is it important?
 
By default, Cisco WLCs and autonomous access points suspend all TKIP traffic on a radio/SSID for 60 seconds if a client sends 2 bad MICs within a 60-second period. This measure prevents the spoofing of frames by hackers.
 
Fully authorized wireless clients can occasionally send bad MICs. In fact, a colleague of mine once had a bad wireless NIC that was notorious for throwing bad MICs. His machine was a walking "DoS" attack of sorts. LOL
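
The rule described above (2 bad MICs within 60 seconds suspends TKIP on the SSID for 60 seconds) replayed over a list of MIC-failure events to show when the countermeasure fires and which clients keep causing it. This is an added example, not code from the original post or from Cisco. The event format and sample data are constructed, and counting failures per SSID across all clients and ignoring failures that arrive during the holdoff are assumptions of the example.

```python
from collections import Counter

WINDOW = 60    # seconds in which 2 bad MICs trigger the countermeasure (from the post)
HOLDOFF = 60   # seconds TKIP traffic is suspended (default, from the post)

# Constructed sample events: "<epoch seconds> <ssid> <client MAC>". This is a
# made-up format for illustration, not WLC or WCS log output.
SAMPLE = """\
1000 corp 00:11:22:33:44:55
1200 corp 00:11:22:33:44:55
1230 corp 66:77:88:99:aa:bb
1250 corp 00:11:22:33:44:55
1300 voice 00:11:22:33:44:55
1400 corp 00:11:22:33:44:55
1455 corp 00:11:22:33:44:55
"""

def parse(text):
    """Return (timestamp, ssid, client) tuples sorted by time."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((int(ts), ssid, mac.lower()) for ts, ssid, mac in rows)

def countermeasures(events, window=WINDOW, holdoff=HOLDOFF):
    """Return one dict per simulated countermeasure event."""
    last = {}       # ssid -> (timestamp, client) of the previous counted bad MIC
    blocked = {}    # ssid -> time the current holdoff ends
    out = []
    for ts, ssid, mac in events:
        if ts < blocked.get(ssid, 0):
            continue   # assumption: failures during the holdoff are not counted
        prev = last.get(ssid)
        if prev and ts - prev[0] <= window:
            out.append({"ssid": ssid, "start": ts, "end": ts + holdoff,
                        "clients": sorted({prev[1], mac})})
            blocked[ssid] = ts + holdoff
            last.pop(ssid)   # counting starts over after a trigger
        else:
            last[ssid] = (ts, mac)
    return out

def repeat_offenders(hits):
    """Count how many countermeasure events each client was involved in."""
    return Counter(mac for h in hits for mac in h["clients"])

if __name__ == "__main__":
    hits = countermeasures(parse(SAMPLE))
    for h in hits:
        print(h)
    print(repeat_offenders(hits).most_common())
```

A client that appears in several events, like the first MAC in the sample, is the one to check for a faulty NIC or driver.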
 

The TKIP countermeasure is configurable per SSID and can be disabled. I blogged about this in December of last year. The commands for both the WLC and autonomous APs are at the links below:


WLC - http://www.my80211.com/cisco-wlc-cli-commands/2009/12/29/configure-tkip-countermeasure-holdoff-timer-on-wlc.html
Autonomous - http://www.my80211.com/cisco-auton-cli-commands/2009/12/29/configure-tkip-countermeasure-holdoff-timer-on-autonomous.html

So what happened?

I was simply reviewing logs in WCS when an alert popped up. Once I saw 'MIC' in the header, I thought right away: is this a TKIP countermeasure event? Sure enough, it was. I've since monitored the device to ensure it wasn't a problem child.
NOTE: Cisco recommends disabling the TKIP countermeasure on all voice SSIDs.
 
Article originally appeared on my80211.com (http://www.my80211.com/).
See website for complete article licensing information.