Wireless Deauthentication Attack
A denial-of-service attack targeting Wi-Fi clients by sending forged deauthentication management frames that force devices to disconnect from a wireless network. The attacker does not need the network password β only the MAC addresses of the access point and the target device, plus proximity to the wireless signal. The attack can be directed at a single device or broadcast to disconnect all clients simultaneously. Can be repeated continuously to prevent reconnection. Requires the attacker to be within wireless range. Fixed by 802.11w Protected Management Frames in 802.11ac and newer networks.
802.11 Management Frames
Control messages used by IEEE 802.11 wireless networks to coordinate communication between clients and access points. They handle operations including: discovering nearby access points (beacon/probe frames), connecting to a network (authentication/association frames), managing quality of service, and disconnecting from a network (disassociation/deauthentication frames). These frames operate transparently in the background and are never directly visible to users. In early 802.11 implementations, all management frames were transmitted in plaintext with no encryption or authentication β enabling forgery-based attacks.
Deauthentication Frame
A specific type of 802.11 management frame that signals the termination of a client's authentication with an access point, forcing the client to disconnect. In normal operation, deauthentication frames are sent by either the AP or client when ending a connection. In a deauthentication attack, the attacker forges these frames (spoofing the AP's MAC address) and sends them to the target client, causing it to disconnect. Without 802.11w, neither the client nor the AP can verify the frame's authenticity. With 802.11w, deauthentication frames are cryptographically protected and forged frames are rejected.
Protected Management Frames (802.11w)
An IEEE 802.11 amendment, formally published as 802.11w, that adds cryptographic protection to certain critical management frames by encrypting and authenticating them. Adopted in July 2014 and required in 802.11ac networks. Protected frames include: deauthentication, disassociation, and channel switch announcements. These frames are now verified with a message integrity code (MIC) β a forged frame without the correct MIC is rejected by the receiving device. Frames that remain unprotected (by design): beacons, probe requests/responses, authentication frames, and initial association frames β because these must be exchanged before encryption is established.
airodump-ng
A passive wireless network monitoring tool (part of the Aircrack-ng suite) that captures 802.11 management frames to identify all access points and associated client devices within wireless range. Used as the reconnaissance phase of a deauthentication attack: the attacker runs airodump-ng to discover the BSSID (MAC address) of the target access point and the MAC addresses of all connected client devices. Output includes the SSID, BSSID, channel, signal strength, and connected device list for all APs in range. Running airodump-ng requires a wireless adapter capable of monitor mode.
aireplay-ng
An active wireless attack tool (part of the Aircrack-ng suite) that injects packets into a wireless network. Used in deauthentication attacks to continuously transmit forged deauthentication frames targeting a specific client or an entire network. Key flags: -0 (deauthentication attack mode), followed by the AP's BSSID and optionally the target client's MAC address. When no client MAC is specified, the broadcast address is used, kicking all associated clients simultaneously. The attack continues until stopped, preventing the target(s) from maintaining a wireless connection.
RF Jamming (Radio Frequency Jamming)
A physical-layer denial-of-service attack that disrupts wireless communication by transmitting interfering radio signals on the same frequency as the target network. Unlike deauthentication attacks (which exploit a protocol flaw), RF jamming attacks the physical medium β the radio signal itself. The attacker's interference raises the noise floor, reducing the signal-to-noise ratio until legitimate wireless devices cannot distinguish the AP's signal from background noise. Effective against all wireless standards regardless of protocol-level security (802.11w does not protect against jamming). Requires the attacker to be physically nearby. Intentional RF jamming is illegal in most jurisdictions.
Signal-to-Noise Ratio (SNR)
A measure of signal quality: the ratio of the intended wireless signal's strength to the background noise level. High SNR = clear signal, reliable communication. Low SNR = noisy channel, unreliable or failed communication. RF jamming attacks deliberately lower the SNR by adding noise β either random interference, continuous jamming signals, or high volumes of legitimate-looking frames β until legitimate devices cannot decode the AP's transmissions. SNR degradation is measured in decibels (dB); a drop of 10 dB corresponds to a tenfold reduction in signal quality relative to noise.
Constant Jamming
A jamming technique that continuously transmits a signal β random data, legitimate-looking frames, or pure noise β on the target frequency without interruption. The simplest and most detectable form of jamming: a spectrum analyzer will show continuous elevated noise on the affected channel at all times, making detection and localization easier. However, its constant nature makes it highly effective at disrupting communication since there is never a quiet window for devices to transmit. Detected via spectrum analysis as persistent elevated noise on one or more channels.
Random Jamming
A jamming technique that transmits interference at unpredictable intervals rather than continuously. The randomized timing makes it more difficult to detect, diagnose, and distinguish from ordinary wireless congestion or intermittent interference. Network monitoring may show sporadic connectivity issues without a clear pattern, complicating root cause analysis. More energy-efficient than constant jamming. Harder to locate because the signal is not continuously present, requiring prolonged monitoring periods to capture enough samples for triangulation.
Reactive Jamming
The most sophisticated jamming technique: the jammer remains completely silent during idle periods but immediately transmits interference the moment it detects a legitimate wireless device beginning to transmit. When the network is quiet, no jamming signal exists β spectrum analysis shows nothing unusual. The moment a device tries to communicate, the jammer responds, making communication impossible. Particularly efficient (minimal transmit time) and difficult to detect (no constant signal to find). The network appears intermittent β working briefly after a period of silence, then failing when traffic volume increases.
Fox Hunting (Wireless)
The process of physically locating the source of a jamming or interference signal using directional antennas, signal attenuators, and triangulation. Borrowed from amateur radio terminology, where hidden transmitter hunts are a recreational competition. Process: (1) use a directional antenna to determine the approximate direction of the signal source; (2) move toward the signal; (3) as proximity increases and the signal strengthens, use an attenuator to reduce signal strength so directional detection remains precise; (4) repeat and triangulate to pinpoint the exact location. Requires the investigator to be mobile and physically present near the signal source β but since jamming requires proximity, the attacker is also physically near.