Version: 1.2.2

DEAUTH_FLOOD

Summary

More deauthentication or disassociation frames than usual were recorded. The expected number of frames differs between environments and is configured in your nzyme.conf file at deauth_monitor.global_threshold.

Deauthentication attacks are an attempt to force a device to disconnect from a legitimate access point and reconnect to a rogue access point controlled by an attacker. Such attacks can also be used for jamming, rendering the WiFi environment unusable through mass disconnections.

Note that deauthentication and disassociation frames are an important part of WiFi communication and their occurrence is normal. This is why you have to find and configure a threshold that defines the level at which an attack might be taking place.

Configuration

For this alert to be enabled, you need to configure the deauth_monitor.global_threshold variable in your nzyme.conf file. Learn more about it in the Configuration Reference.

Let nzyme run for 24 hours and look at the deauthentication frame count chart on the web interface dashboard/homepage. Use that information to find out what a normal rate is and set the deauth_monitor.global_threshold variable accordingly.
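One way to turn the observed baseline into a threshold value, as an added example that is not part of nzyme or its documentation. It takes the frame counts read off the dashboard chart (the values below are constructed), uses a percentile instead of the maximum so that a single burst during the baseline does not inflate the threshold, and adds headroom. The percentile, the headroom factor, the function names and the assumption that the alert fires when a count exceeds the threshold are illustrative choices, not documented nzyme behaviour.

```python
import math

# Constructed sample: deauth/disassoc frame counts, one per chart data point,
# as read from the dashboard during the baseline period. Index 16 is a burst.
BASELINE = [2, 3, 1, 0, 4, 2, 3, 5, 2, 1, 3, 2,
            6, 4, 3, 2, 90, 3, 2, 1, 4, 3, 2, 5]


def suggest_threshold(counts, percentile=95, headroom=1.5):
    """Suggest a value for deauth_monitor.global_threshold.

    Takes the nearest-rank percentile of the baseline counts and multiplies
    it by a headroom factor, so normal peaks stay below the threshold while
    an isolated burst in the baseline does not raise it.
    """
    if not counts:
        raise ValueError("baseline is empty; collect counts first")
    if not 0 < percentile <= 100 or headroom < 1:
        raise ValueError("percentile must be in (0, 100], headroom >= 1")
    ordered = sorted(counts)
    # Nearest-rank percentile, computed with integer math (ceiling division).
    rank = (percentile * len(ordered) + 99) // 100
    normal_peak = ordered[rank - 1]
    # Never suggest 0: any single frame would then exceed the threshold.
    return max(1, math.ceil(normal_peak * headroom))


def intervals_over(counts, threshold):
    """Indexes of baseline data points that would have exceeded the threshold
    (assumption: the alert condition is count > threshold)."""
    return [i for i, c in enumerate(counts) if c > threshold]


if __name__ == "__main__":
    threshold = suggest_threshold(BASELINE)
    print("suggested deauth_monitor.global_threshold:", threshold)
    # Data points listed here deserve a look before the baseline is trusted.
    print("baseline points above it:", intervals_over(BASELINE, threshold))
    # Using the maximum instead lets the burst set a far higher threshold.
    print("threshold from maximum:", suggest_threshold(BASELINE, percentile=100))
```

Any baseline data point reported as above the suggested threshold should be investigated before the value is written to nzyme.conf, since it may have been an attack rather than normal activity.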

Possible False Positives

  • Your threshold may be configured too low and normal deauthentication/disassociation activity in your network is causing the alert.