Michael Countermeasures tracing

Arseniy Chernov ars
Fri Nov 18 05:56:46 PST 2005


Hello Joshua,

> I see a few different possibilities where you would be experiencing
> Michael errors:
> 
> 1. An adversary is maliciously injecting malformed frames to DoS your
> network by triggering Michael countermeasures.  This isn't likely, as
> the attacker has to overcome the rules of sequence enforcement and
> maintaining the integrity of the ICV in order to make this happen.

Furthermore, there is noone in RF but domestic MSes, checked this many 
times already, logged kismet... Noone!

> 2. Faulty AP implementation - if your AP isn't following the correct
> order of steps to decrypt and verify the contents of an MSDU (e.g. they
> are checking the Michael hash before they check the ICV), then a corrupt
> frame could cause this condition.

The same revision/firmware APs are working great at another site - so I 
don't think this is up to D-Link. Seems more like it's a client.

> 3. Faulty client implementation - If your client has a software flaw, it
> is possible that they aren't recording the Michael hash properly, or are
> not calculating the Michael hash over the correct fields.  I'd imagine
> this is the most likely case here - what client software and card are
> you using for your station?

5 x Intel PRO Wireless 2200BG
1 x Ambit Microsystems 11b/g Wireless Network Adapter

As to the Intel, what I just found out is that they released a shiny new 
software in beginning of Novemer - so I'd rather re-install ALL drivers, 
ALL WLAN tools to the very-very-very latest ones and check the site again.

They claim:

ftp://aiedownload.intel.com/df-support/9563/ENG/Install%20and%20Support%20Notes.htm

issue 1658027 Intel? PROSet/Wireless software fails to correctly 
authenticate in a 802.1x environment after many roams

issue 1619573 WPA2-TKIP, WEP and WPA-AES,WEP encryption failure 
w/WPA2-AES+TKIP+WEP access point

This is something not very specific to my case, but they seem to have 
problems with WPA, anyway.

 > Thanks for sharing these details.

Thank you for taking time to clear my TKIP understanding.

I'll send a report about this issue, because this countermeasures thing 
were somewhat outstanding for me. I hope that was simply buggy Intel.

Cheers!



-- 
Regards,
Arseniy Chernov
e-mail: ars at itconnection.ru
phone: +7 812 320-9850





More information about the Hostap mailing list