Hardware Security

WiFi Deauthentication Detection Guide

A WiFi deauthentication detection guide — spot deauth floods with a WIDS, why 802.11w PMF and WPA3 help (and where they fall short, CVE-2023-21061), plus hardening.

A wireless antenna emitting a cyan signal with a red burst representing a deauthentication flood on a dark background

WiFi deauthentication detection comes down to counting management frames. A deauth attack is a flood of spoofed deauthentication or disassociation frames that forcibly disconnect clients — the building block behind evil-twin and handshake-capture attacks. The frames are unauthenticated in the original 802.11 standard, so they are trivial to forge; the upside for defenders is that a wireless IDS sees the flood plainly. This guide ships the detection, explains why 802.11w/WPA3 helps and where it falls short, and lists the hardening.

A deauth flood is endpoint/network denial of service — T1498 — Network Denial of Service — and it is usually a precursor to adversary-in-the-middle, T1557. Detecting it early flags the recon before the real attack lands.

What is a WiFi deauthentication attack?

A deauthentication attack abuses a design flaw in 802.11: management frames — including deauth and disassociation — are sent unauthenticated and unencrypted, even on a WPA2/WPA3 network that encrypts your data. An attacker spoofs the AP’s or a client’s MAC address and sends forged “you are disconnected” frames, knocking devices off the network. It needs no password and no association.

The disconnect is rarely the end goal. It forces clients to reconnect, which an attacker uses to capture a WPA2 handshake for offline cracking, or to push them onto an evil-twin AP. That is why deauth detection is early warning for a larger attack.

What does a deauth attack look like, and what defends against it?

ElementDetailDefensive implication
Forged frame typesDeauth, disassociation (management)Count them per BSSID/client at the WIDS
Why it worksMgmt frames unauthenticated in legacy 802.11802.11w adds a MIC to close it
802.11w / PMFMIC on deauth/disassoc/action framesClients ignore forged frames
WPA3PMF mandatory (MFPR required)Strongest protection where supported
Residual riskPMF bypass research, CVE-2023-21061Keep monitoring + patch

The throughline: PMF is the prevention, a WIDS is the detection, and you need both because PMF has known limits and not every client supports it.

How to detect WiFi deauthentication attacks

Detection needs a sensor that sees 802.11 management frames — a wireless IDS/WIPS (Kismet, nzyme, or vendor WIPS). Feed its events to the SIEM and threshold the flood.

SPL Deauthentication Frame Flood From WIDS Telemetry
index=wids sourcetype=kismet:alert (frame_type=deauth OR frame_type=disassoc)
| bin _time span=1m
| stats count AS frames, dc(dest_mac) AS clients by _time, bssid
| where frames >= 50
| sort - frames

A spike of 50+ deauth/disassoc frames a minute targeting one BSSID — especially hitting many clients — is an attack, not normal roaming. Tune the threshold to your environment’s baseline. Even on a PMF-protected network, the attempt is hostile reconnaissance worth alerting on.

A second, proactive query confirms your networks actually negotiate PMF, by reading the RSN information element your sensor records from beacons:

SPL Networks Advertising PMF Disabled in the RSN IE
index=wids sourcetype=kismet:device type=AP
| eval pmf = if(match(rsn_capabilities,"MFPR|MFPC"),"enabled","disabled")
| search pmf="disabled"
| stats values(channel) by bssid, ssid

How to test your deauth detection

In a lab you own, on your own AP and an RF-isolated channel where possible:

  1. Generate deauth frames against your own test client and confirm the WIDS flood rule fires.
  2. Enable 802.11w (PMF) and confirm the test client stays connected during the flood — the control validating itself.
  3. Read the RSN IE from your AP’s beacon and confirm PMF shows required/optional as intended; confirm the “PMF disabled” query is empty for production SSIDs.
  4. Confirm a deauth attempt still alerts even when PMF prevents the disconnect.

How to harden against deauthentication attacks

  • Verify the RSN IE, do not assume — confirm PMF is actually negotiated.
  • Segment and monitor guest/IoT networks, which often lag on PMF support.
  • Treat deauth alerts as evil-twin/handshake-capture precursors, and pivot to WPA2 PMKID detection on alert.

Common deauth-detection mistakes

  • No 802.11 sensor. Standard network IDS (IP-based, like Suricata) never sees management frames; you need a WIDS/WIPS.
  • Assuming PMF = done. Known bypasses and unsupported clients mean monitoring still matters.
  • Not verifying the RSN IE. A network you believe is PMF-protected may not be.
  • Treating it as “just DoS.” It is usually the opening move of a bigger attack.

WiFi deauthentication detection checklist

  1. Deploy a wireless IDS/WIPS (Kismet, nzyme, or vendor) that captures 802.11 mgmt frames.
  2. Forward WIDS events to the SIEM; threshold deauth/disassoc floods per BSSID.
  3. Enable WPA3-only with MFPR=1 where supported; WPA2 + PMF optional for legacy.
  4. Query the RSN IE to confirm PMF is negotiated; alert on PMF-disabled SSIDs.
  5. Patch clients and APs for PMF-implementation flaws (e.g., CVE-2023-21061).
  6. Alert on deauth attempts even when PMF blocks them (hostile recon).
  7. Treat deauth alerts as evil-twin / handshake-capture precursors and pivot.
  8. Test detection and PMF in an authorized lab.

The takeaway

WiFi deauthentication detection is a WIDS counting forged management frames, backed by 802.11w/WPA3 to make the forgery ineffective and patching to cover PMF’s limits. Alert on the attempt, verify PMF is really on, and treat every deauth spike as the opening move of a larger wireless attack — often a rogue AP, covered in evil twin access points: defensive controls. Continue with WPA2 PMKID capture detection and HackRF defensive RF awareness, or browse the full Hardware Security pillar.

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • TryHackMeAuthorized labs to build wireless security and monitoring skillsSecurity Training
    Start training

Frequently asked questions

How do you detect a WiFi deauthentication attack?

A deauth attack is a flood of spoofed deauthentication or disassociation management frames. Detect it with a wireless IDS (Kismet, nzyme, or a WIPS) that counts deauth frames per BSSID/client and alerts on a spike far above baseline. Even with 802.11w enabled, the attempt itself is a hostile-recon indicator worth alerting on.

Does 802.11w stop deauthentication attacks?

Mostly. 802.11w (Protected Management Frames) adds a Message Integrity Check so clients ignore forged deauth/disassoc frames, and it is mandatory in WPA3. But research has shown PMF is not bulletproof — CVE-2023-21061 is one example — so keep monitoring and patch clients and APs.

What is the difference between WPA3 and 802.11w?

802.11w (PMF) is the feature that protects management frames; WPA3 is the security generation that makes PMF mandatory. A WPA2 network can enable PMF optionally; a WPA3 network requires it. WPA3-only with MFPR=1 is the strongest deauth protection.

Why are management frames vulnerable?

In the original 802.11 standard, management frames (including deauth and disassociation) are sent unauthenticated and in the clear, even on WPA2/WPA3 data-encrypted networks. An attacker can spoof the AP or client MAC and forge a disconnect. 802.11w adds the integrity check that closes this.

Newsletter

Liked this breakdown?

Defensive security research — detection, hardening, and hardware — delivered when there is something worth saying. No spam, unsubscribe anytime.