Hacking & Solutions: 802.11 Protocol Attacks, Deauthentication

Hacking & Solutions: 802.11 Protocol Attacks, Deauthentication

By CWNP On 02/19/2008 - 22 Comments

This article is presented as part of hacking + solution track for Wireless Security Expo 2008.

Deauthentication is the most common form of 802.11 protocol denial-of-service (DoS) attack.  After watching the Deauthentication video, you can see that performing this type of attack takes seconds using common and user-friendly software and hardware, can wreak havoc on a network, and can be used as part of other types of wireless network attacks.  Deauthentication frames are considered notifications, not requests, which means any associated station or AP that receives a deauthentication frame must comply.

802.11 stations must authenticate themselves through "Open System Authentication" prior to requesting a connection.  Following successful authentication (consisting of two acknowledged authentication frames), the client station will then request association (connectivity).  The association request frame is followed by an association response frame.  Each of these frames are also acknowledged.  

The next steps depend on the type of security in use on the WLAN and determine just how intrusive a deauthentication attack will be.  If the WLAN is using only Open System authentication, then a deauthentication attack will yield a very minor interruption for client stations.  The reason for this is that the authentication and association process is extremely fast.  When deauthenticated, a client station must reauthenticate and reassociate, but this entire process  takes only a few milliseconds to complete.  If the WLAN is using WEP with Open System authentication, the same process would apply.

If the WLAN is using WPA/WPA2-PSK, then a 4-way handshake (plus 4 ACK frames) will follow the acknowledged association response frame.  This process is fairly fast (roughly an additional 20-30 ms), but added to the Open System authentication and association, it can easily add up to 50 ms (total) when adding in contention time.  If a single AP is used, this won't be a big problem, but a deauthentication like this may also cause a client station to roam.  Roaming requires passive and active scanning, which could add 1-3 seconds to the process.  This additional time can easily disrupt many applications.

If the WLAN is using 802.1X/EAP and not using Opportunistic PMK Caching (not widely supported in client utilities), deauthentication can cause a disruption of 0.5 - 5 seconds depending on the specific EAP type in use, scanning processes, and the 4-way handshake.  802.1X/EAP authentication mechanisms are almost always deployed in enterprise WLANs.  Any application that is latency sensitive will suffer dramatic problems when the client station is deauthenticated.  File transfers, voice/video streams, thin-client sessions, and other real-time applications will often break when disrupted for more than 0.5 seconds.

The 802.11w amendment to the 802.11-2007 standard offers three new security pieces: Data Origin Authenticity, Replay Detection, and Management Frame Protection.  The data origin authenticity mechanism defines a means by which a station that receives a management frame (such as a deauthentication frame) can determine which station transmitted the data or management frame.  This feature is required to prevent an intruder from masquerading as an authorized station.  The replay detection mechanism defines a means by which a station that receives a management frame from another station can detect whether the received frame is an unauthorized retransmission.  Management frame protection is required to protect against forgery and eavesdropping on management frames such as Action, Disassociate, and Deauthenticate frames through the use of security keys.

Most of today's WLAN infrastructure systems do not support management frame protection, and until they do, deauthentication attacks will remain a significant security problem.  

22 Responses to Hacking & Solutions: 802.11 Protocol Attacks, Deauthentication

Subscribe by Email
Caroline Flack Says:
03/05/2018 at 09:18am
I was experiencing the same issue like deauthentication so I contacted an expert of Coursework Writing
04/12/2010 at 09:04am
[...] hi, deauthentication [Aircrack-ng] scroll down to section: Why does deauthentication not work? Hacking & Solutions: 802.11 Protocol Attacks, Deauthentication | CWNP - Enterprise Wi-Fi Career ... deauth must work on PS3, even with the latest release 3.21! /brtw2003 Reply With [...]

07/12/2008 at 14:56pm
It's working.But
How can I find IP??

03/12/2008 at 09:05am
very very advance and enjoy with


03/03/2008 at 13:43pm
Another method that is pretty disruptive is to send the deauth frame to the AP (posing at the client...). Often times, the client will not be aware that it has been deauth'ed and send a packet to the AP. Then, the AP will have to tell the client it's association is no longer valid and the whole process is started as describer above...

02/25/2008 at 16:10pm
I really enjoyed this series on wireless security !
Thanks for your effort in putting it together

02/21/2008 at 11:15am
Do not see\play the video

02/20/2008 at 06:02am
The writeup was scholarly and a person must be a techno saavy to understand the it If the video had opened it woud have been much better

02/20/2008 at 00:17am
Presentation was very informative....Great job to Jeff on the presentation :)

02/19/2008 at 21:34pm

02/19/2008 at 20:43pm
Very good info so far. I can only watch after I get home in the afternoon, but because you have made this available continuously, I don't miss a thing.
OUTSTANDING IDEA! Hope to see many more in the future.

Brad Stanfield, CISSP-ISSEP

02/19/2008 at 19:53pm
I have enjoyed this broadcast!Thank you very much!!!

02/19/2008 at 18:28pm
I found the event very informative :) Great job to Jeff on the presentation :)

02/19/2008 at 14:36pm
First time listening to a LIVE broadcast with you guys. I enjoyed all of it very much.

02/19/2008 at 14:27pm
Very informative.

02/19/2008 at 14:27pm
WTF? The video cut off the speaker. I also thought this was a live webinar event..

02/19/2008 at 14:24pm
I wonder if the 802.11w will require significant HW upgrade or just some firmware upload.

02/19/2008 at 14:24pm
We have a problem with the currently-posted "Deauthentication" video. We are working on it right this minute and will have it resolved shortly. Sorry for the inconvenience.



02/19/2008 at 14:13pm
I found this to be very informative, but the video Devin put together seemed a bit short. He was still in the middle of speaking at the end when it cut off. Will the rest of the video be available soon?

02/19/2008 at 14:03pm
it is ok.

02/19/2008 at 14:01pm
Very good

02/19/2008 at 13:21pm
I think this is good and powerful. but may we see soon good solution for deauthentication attacks

<< prev - comments page 1 of 1 - next >>

Leave a Reply

Please login or sign-up to add your comment.
Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

Read More