WiFi deauthentication attacks represent one of the most common and disruptive layer 2 wireless network attacks. Attackers exploit the 802.11 management frames that lack authentication, sending forged deauthentication frames to disconnect devices from legitimate access points. Understanding how to detect and prevent these attacks is essential for network administrators, security researchers, and developers building resilient wireless infrastructure.
Understanding the Deauthentication Attack Vector
The 802.11 protocol requires clients and access points to exchange management frames for association, authentication, and disassociation. These frames are sent in plaintext and require no cryptographic verification, making them trivially easy to forge. An attacker with a WiFi adapter in monitor mode can inject arbitrary deauthentication frames targeting any connected client.
The attack works because the 802.11 standard does not require access points to verify that deauthentication requests originate from authenticated clients. A malicious actor simply needs to know the target client’s MAC address and the BSSID of the access point. Tools like Aircrack-ng and MDK3 automate this process, allowing attackers to disconnect entire networks with single commands.
This vulnerability affects both WPA2 and WPA3 networks. While WPA3 introduced Dragonblood protocol enhancements, deauthentication frames remain a problem due to backward compatibility modes that fallback to WPA2-style authentication.
Deauthentication attacks are commonly used as a precursor to more serious attacks. Disconnecting a client forces it to re-authenticate, during which the WPA2 four-way handshake can be captured and subjected to offline dictionary attacks. Attackers also use deauthentication to drive clients toward rogue access points advertising the same SSID, enabling man-in-the-middle interception.
Putting Your Interface into Monitor Mode
Before running any detection tooling, you need a wireless interface that can capture all 802.11 frames, including management frames not addressed to your device. Not all adapters support monitor mode—chipsets from Atheros, Ralink, and Realtek (specifically RTL8812AU) are widely supported on Linux.
# Check available wireless interfaces
iwconfig
# Bring the interface down and set monitor mode
ip link set wlan0 down
iwconfig wlan0 mode monitor
ip link set wlan0 up
# Alternatively, use airmon-ng (part of Aircrack-ng suite)
sudo airmon-ng start wlan0
# This creates wlan0mon as the monitor interface
On macOS, you can enable monitor mode on the built-in WiFi adapter through the Wireless Diagnostics tool or using airport:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en0 sniff 6
This captures frames on channel 6. Specify the channel your target network operates on.
Detecting Deauthentication Attacks with Scapy
Python developers can use Scapy, a powerful packet manipulation library, to build custom detection systems. Install Scapy with pip:
pip install scapy
The following script monitors for abnormal deauthentication frame rates:
#!/usr/bin/env python3
from scapy.all import *
from collections import defaultdict
import time
class DeauthDetector:
def __init__(self, threshold=10, window=60):
self.threshold = threshold
self.window = window
self.packets = defaultdict(list)
def analyze(self, pkt):
if pkt.haslayer(Dot11) and pkt.type == 0 and pkt.subtype == 12:
src = pkt.addr2
dst = pkt.addr1
bssid = pkt.addr3
timestamp = time.time()
self.packets[src].append(timestamp)
self.packets[dst].append(timestamp)
self.prune_old_packets()
for client, times in self.packets.items():
if len(times) > self.threshold:
print(f"[ALERT] High deauth rate from {client}: {len(times)} frames")
print(f" Target: {dst}, BSSID: {bssid}")
def prune_old_packets(self):
current = time.time()
for client in list(self.packets.keys()):
self.packets[client] = [
t for t in self.packets[client]
if current - t < self.window
]
if not self.packets[client]:
del self.packets[client]
def packet_handler(pkt):
detector.analyze(pkt)
detector = DeauthDetector(threshold=5, window=30)
print("Monitoring for deauthentication attacks... (Ctrl-C to stop)")
sniff(iface="wlan0mon", prn=packet_handler, store=0)
Run this script with your wireless interface in monitor mode. The detector maintains a sliding window of deauthentication frames and triggers alerts when the threshold is exceeded. Adjust the threshold based on your network’s typical disassociation patterns.
Reading Deauthentication Reason Codes
The 802.11 specification defines reason codes that appear in deauthentication frames, indicating why the disconnection occurred. Legitimate disconnections typically carry specific reason codes, while attacks often use reason code 7 (Class 3 frame received from nonassociated station) or reason code 1 (Unspecified reason) because automated tools default to these values.
| Reason Code | Meaning | Attack Indicator |
|---|---|---|
| 1 | Unspecified | Possible (tool default) |
| 2 | Previous auth no longer valid | Possible |
| 3 | Station deauthenticated (leaving) | Normal during disconnects |
| 6 | Class 2 frame from unauth station | Possible |
| 7 | Class 3 frame from unassoc station | Common in attacks |
| 8 | Station disassociated (leaving BSS) | Normal |
A burst of reason code 7 frames from a source MAC that does not match your access point’s BSSID is a strong indicator of a spoofed deauthentication attack.
Using Bettercap for Real-Time Monitoring
Bettercap provides a more attack detection framework with built-in WiFi module support. Install it and run the WiFi reconnaissance:
brew install bettercap # macOS
sudo bettercap -iface wlan0
Within the Bettercap interactive session, enable WiFi monitoring:
wifi.recon on
set wifi.show.filter "deauth"
events.stream on
Bettercap displays deauthentication frames in real-time, distinguishing between normal disconnections and attack patterns. The tool also supports automated deauthentication detection with custom Lua scripts for enterprise deployments.
Preventing Deauthentication Attacks
While completely eliminating deauthentication vulnerabilities requires hardware-level changes to the 802.11 protocol, several mitigation strategies reduce attack effectiveness.
Enable 802.11w Protected Management Frames
Most modern access points support 802.11w, which cryptographically signs management frames including deauthentication packets. Enable this feature in your access point’s firmware:
# Example for OpenWrt configuration
uci set wireless.radio0.encryption='psk2+ccmp'
uci set wireless.radio0.ieee80211w='2'
uci commit wireless
wifi
Setting ieee80211w to 2 enforces mandatory protection. Clients without 802.11w support cannot connect, which may cause issues with older devices.
If mandatory mode causes compatibility problems, setting ieee80211w to 1 enables optional protection. Devices that support 802.11w will use it, while legacy devices can still connect. This provides partial mitigation while maintaining backward compatibility.
Deploy Wireless Intrusion Prevention Systems
Enterprise networks benefit from WIPS solutions that detect and counteract deauthentication attacks. Options include:
- Ekahau: Enterprise WiFi planning and monitoring
- Aruba Networks: Built-in rogue AP detection and containment
- OpenWrt with hostapd-wpe: Open-source alternative for Linux access points
Implement Network Segmentation
Separate guest networks from production infrastructure. Attackers targeting guest networks cannot reach critical systems. Use VLANs to isolate IoT devices from workstations:
# OpenWrt VLAN configuration example
uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan='10'
uci set network.@switch_vlan[-1].ports='0t 2 3 4'
uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan='20'
uci set network.@switch_vlan[-1].ports='0t 5 6'
uci commit network
Client-Side Protections
Users can protect themselves by configuring devices to reconnect automatically or by using Ethernet connections for sensitive operations. On Linux with NetworkManager:
nmcli con modify "YourSSID" wifi.powersave ignore
This prevents the system from entering power-saving mode that triggers additional disassociation frames.
Additionally, avoid networks with weak pre-shared keys. Even if an attacker successfully captures the four-way handshake triggered by a deauthentication attack, a strong passphrase makes offline dictionary attacks infeasible. WPA2 passphrases should be at least 15 characters with mixed character classes, and WPA3-Personal SAE mode raises the bar further by providing simultaneous authentication of equals with resistance to offline cracking.
Building Attack Detection into Applications
Developers integrating wireless security into applications can use the Aircrack-ng suite programmatically. The following bash script logs deauthentication activity for analysis:
#!/bin/bash
INTERFACE="wlan0mon"
LOGFILE="/var/log/deauth-detector.log"
airodump-ng "$INTERFACE" --write-prefix deauth_log --output-format csv &
DUMP_PID=$!
While true; do
if [ -f "deauth_log-01.csv" ]; then
DEAUTH_COUNT=$(grep "deauth" "deauth_log-01.csv" | wc -l)
if [ "$DEAUTH_COUNT" -gt 10 ]; then
echo "$(date): Possible attack detected - $DEAUTH_COUNT frames" >> "$LOGFILE"
fi
fi
sleep 5
done
Integrate this monitoring with alerting systems like Prometheus or Grafana for real-time dashboard visibility.
Integrating Detection with SIEM Platforms
For organizations running security information and event management platforms, deauthentication detection events should feed into your central event pipeline. Structured log output makes correlation easier:
import json
import logging
from datetime import datetime
def log_deauth_event(src_mac, dst_mac, bssid, reason_code, frame_count):
event = {
"timestamp": datetime.utcnow().isoformat(),
"event_type": "wifi_deauth_detected",
"source_mac": src_mac,
"target_mac": dst_mac,
"bssid": bssid,
"reason_code": reason_code,
"frame_count_in_window": frame_count,
"severity": "high" if frame_count > 20 else "medium"
}
logging.warning(json.dumps(event))
SIEM rules can then correlate deauthentication events with subsequent authentication failures or rogue AP appearances on the same channel, providing richer attack context than raw frame counts alone. If you observe a burst of deauthentication frames followed within seconds by a new SSID appearing with the same name as your network, you are almost certainly witnessing a coordinated evil twin attack setup.
Related Reading
- How to Protect Yourself from Evil Twin WiFi Attack Detection
- Email Tracking Pixel Detection
- VPN TLS Fingerprinting: How Censors Identify VPN Protocols
- Best VPN for Using Google in China Without Detection
- China Golden Shield Project How Censorship Detection Works T
Built by theluckystrike — More at zovo.one