Wireless Deauthentication Attacks

Wireless Security Series Part I: Deauthentication Attacks by AirMagnet Intrusion Detection Research Team

Deauthentication attacks are easy to perform and highly malicious attack. This type of attack can target either a specific station or multiple stations and prevent them from connecting to the wireless network.

Here are the basics of deauthentication attacks:

Deauthentication frames
Deauthentication frames are classified as management frames in the 802.11 specification, and are used to disconnect stations and access points (APs). An AP can send the deauthentication frames as well as the Station. Generated through the Aircrack-ng suite, MDK3, Void11, Scrapy, and Zulu, they’re created to terminate the secured connection between devices.

How deauthentication attacks work
Deauthentication attacks are fairly easy to do. Why? Because management frames are often unencrypted or unauthenticated. And because spoofing management frames is trivial and there are many tools to perform them, in a poorly secured network, these attacks are a simple entry for further damage.

These attacks work in two ways: 1) The attack targets the client or station or 2) the attack targets the access point. See this image on how the authentication request works:

In the scenario of the attack targeting the client or station, the attacker’s intent is to keep the client from connecting to a specific AP. To accomplish this, the attack either must spoof the MAC address of the access point or transmit the deauthentication frames using the BSSID of the access point with a destination of the clients’ MAC address.

The other option is the attacker targeting the AP. If the attacker chooses this route, the intent is to keep everyone off the targeted access point. In order for this to happen, the attacker must first spoof the MAC address of the targeted access point. Then, the deauthentication frames are transmitted with the BSSID of the access point and the destination as the broadcast address.

Impact of deauthentication attacks on enterprise wireless networks
There are two main impacts on large-scale WLAN networks if they face a deauthentication attack. First, employees may be denied service. This means that clients cannot connect to the internal WLAN network, productivity is lost, and there is even potential revenue loss.

Worse, a deauthentication attack can be the first stage in a multi-stage attack. They can be used to capture the WPA 4-way handshake (used to encrypt traffic) or to force the user into a honeypot AP (look out for our next Wireless Security Series post on honeypot attacks). They can also be used to recover a hidden SSID, and even generate ARP frames for a WEP replay attack.

Thankfully, these attacks are not unmanageable or blind to a prepared security system. A WIPS/WIDS system like AirMagnet Enterprise can specifically detect these attacks, preventing major enterprise damage. To watch a live demo of how AirMagnet Enterprise is notified of these attacks, alerts IT staff of the attack, and provides specific information about the targeted stations and access points, watch the new video from AirMagnet here.