WiFi Deauthentication Attacks Explained

A WiFi deauthentication, or, in short, a “deauth” attack, can be destructive by itself or part of a larger malicious campaign. Luckily there are ways to detect such attacks, even if this is not always easy.

We recommend to read the Deauthentication Frames Explained knowledge base article if you are not familiar with what WiFi deauthentication frames are.

Two Types of Deauthentication Attacks

There are two general types of deauthentication attacks:

  • Use for jamming: Continuously deauthenticating all clients in range will effectively prevent any WiFi connections to be established. Hardware cost for this can be as low as $10 and hardware for it is readily available.
  • As part of a larger WiFi attack campaign: Targeted deauthentication of clients can be used to force the station to connect to another access point that is under control of the attacker. A social engineering angle in this pattern includes the use of deauthentication frames to annoy a human so much that they start to manually look for other available networks - and those could be under attacker control.

Attack Type: Jamming

Sending a deauthentication frame to any normal WiFi client will disconnect it from the network it is currently connected to. This is because a deauthentication frame is not a request, but an instruction. It cannot be refused or negotiated.

Denying WiFi communication in a certain area can be done with expensive and not readily-available hardware that interferes with the WiFi radio frequency spectrum. A much easier way for an attacker to accomplish this goal is to constantly send deauthentication frames to all devices in range. There are “deauth boards” that can be bought online for $10-20 and ship immediately. To make this worse, those devices are very small (they fit into your pocket) and can be powered with a tiny battery.

Detecting Jamming Attacks

Jamming attacks will leave one big clue that you can look for: The amount of deauthentication frames during an ongoing attack will be significantly larger than during normal operation.

Find out how many deauthentication frames you record per minute on average and alert whenever there is a significant enough outlier. It is perfectly normal to not see any deauthentication frames for a long time, depending on how busy your WiFi environment is and how many connected clients are in range.

It is also a very good idea to monitor expected deauthentication traffic for several days and be prepared for false positive detections in the beginning. It can be normal to see spikes and it’s your job what a “normal” spike is.

Screenshot of nzyme deauthentication monitor
The nzyme deauthentication monitor

Attack Type: Targeted Deauthentication

A more targeted deauthentication, like only deauthenticating a few selected devices in carefully planned intervals is often part of a larger WiFi attack campaign.

Let’s imagine the following scenario: An attacker is targeting a called “ACMECorp” and has set up their own access point that advertises a WiFi called “ACMECorp_WiFi_New”. The attacker’s goal is for certain high-risk employees to connect to that access point. The problem is that they have no reason to connect to that access point and they are most likely automatically connecting to the legitimate corporate WiFi networks.

The attacker may choose to deauthenticate the targeted devices. If successful, the users of those devices will notice that they were disconnected and try to re-connect to the corporate WiFi. The attacker monitors this activity and deauthenticates the devices again, shortly after they re-connected.

The users may end up frustrated, assume there is a problem with the corporate WiFi and look for other networks to connect to because they have to get their work done. This is the moment they find the attacker network “ACMECorp_WiFi_New” and connect to it. Now the attacker sits in the middle of all their communications and has a working rogue access point in their hands.

Detecting Targeted Deauthentication

Unfortunately, it can be very hard to detect such targeted deauthentication attacks because of their lower volume of frames in comparison to normal network operations.

There are some methods to apply anomaly detection to unexpected client/access point combinations and their individual volume but those tend to have very high false-positive rates. The WiFi environment is extremely chaotic and it’s hard to reliabily find outliers.

Instead, we recommend to look at other signals of the larger attack campaign instead: Use a system like nzyme to detect rogue access points early. There are many ways to detect such attacks, including detecting unusual signal characteristics, similar looking SSIDs or restricted substrings in SSIDs.

Looking for low amounts of unusual deauthentication frames is often not worth the effort and results in a very bad false-positive ratio, leading to alert fatigue.

Preventing Deauthentication Attacks

You cannot prevent deauthentication attacks per se, because they are exploiting an important part of the WiFi protocols that you cannot just turn off, ignore or disable. Everyone with the right equipment and proximity to you can perform such an attack.

However, you can deploy an intrusion detection system with wireless functionality, like nzyme, to physically locate and stop the source of the attack.

Are Deauthentication Attacks Illegal?

Deauthentication attacks are illegal in most countries and often fall under jamming laws. Remember that standard deauthentications frames are a normal part of WiFi operations and usually not malicious.

This is of course not legal advice, and you should always consult a lawyer.

Found a problem?
Did you find a mistake or think something can be improved? You can file issues on GitHub, join the nzyme Discord or post in the discussion forums to provide your feedback. Thank you so much!