Wireless Protocols

Deauthentication

/dee-aw-then-tih-KAY-shun/
Within the IEEE 802.11 standard, deauthentication is the management-frame mechanism (frame subtype 12) that an access point or a station uses to terminate an existing authenticated relationship and push the peer back to the unauthenticated, unassociated state. The frame carries a 2-octet reason code and, in legacy Wi-Fi, is sent in plaintext with no cryptographic integrity, which makes it trivial to spoof. Because a single forged frame addressed to the broadcast MAC can disconnect every client on a BSS, deauthentication is the basis of the classic deauth flood denial-of-service attack and a core consideration in Wi-Fi security design. The 802.11w amendment closes this hole by adding a Message Integrity Check to management frames.
Frame subtype: 12 (0b1100)
Frame type: Management (00)
Reason code field: 2 octets

How Deauthentication Frames Tear Down an 802.11 Link

The 802.11 connection lifecycle is a three-state machine. A station begins in State 1 (unauthenticated, unassociated), advances to State 2 after open-system or SAE authentication, and reaches State 3 (authenticated and associated) once the access point accepts an association request. A deauthentication frame is a one-way notification, not a request, that collapses the relationship directly back to State 1. There is no negotiation: the receiver acknowledges the frame at the MAC layer and then drops all keying material, including the pairwise transient key derived during the WPA2 or WPA3 four-way handshake. The client must restart authentication from scratch, which on a busy enterprise network can mean a 200 ms to 2 s reconnection gap per event.

Because deauthentication is a management frame, it rides on the same control and basic-rate machinery as beacons and probe responses. In legacy networks it is transmitted with the Protected Frame bit cleared, meaning it is never encrypted and carries no integrity tag. An attacker sniffing in monitor mode reads the BSSID and client MAC addresses straight out of the unencrypted 802.11 header, then forges a deauth with the access point as the spoofed source. The victim cannot distinguish the forgery from a legitimate frame, so it complies. This asymmetry, a defender who must protect every frame versus an attacker who needs only one, is what made deauth flooding the dominant Wi-Fi jamming technique long before RF-layer jammers became common.

Reason Codes and the Broadcast Knock-Off

Every deauthentication frame carries a reason code that tells the peer why the link was dropped. Reason 1 (unspecified), reason 2 (previous authentication no longer valid), reason 3 (station leaving), and reason 7 (Class 3 frame received from a nonassociated station) are the values seen most often in capture traces. Attackers usually pick reason 7 because it mimics what an access point legitimately sends to a confused client. The frame can target a single client MAC or the broadcast address FF:FF:FF:FF:FF:FF, and the broadcast form is what enables a whole-BSS denial of service from one transmitted packet.

Detection, Throughput Impact, and the 802.11w Fix

Wireless intrusion detection systems flag deauthentication storms by counting frames per second against a baseline; a healthy network rarely exceeds 1 to 2 deauth frames per minute per BSS, so a rate above roughly 10 per second is a strong indicator of an attack. The 802.11w amendment, mandatory under WPA3 and Wi-Fi 6 certification, protects unicast deauth and disassociation frames with a Message Integrity Check and adds the SA Query handshake to validate that a client is still present, neutralizing the forged broadcast flood that legacy networks could not stop.

Deauthentication Frame Timing and Attack Math

Frame transmission time (basic rate):
tframe = tPHY + (LMAC × 8) / Rbasic ≈ 192 μs + (26 × 8 bits) / (1 Mbit/s) ≈ 192 μs + 208 μs ≈ 400 μs

Sustainable forged-frame rate (one adapter):
fdeauth ≈ 1 / (tframe + DIFS + backoff) ≈ 1 / (400 μs + 50 μs + 310 μs) ≈ 1,300 frames/s

Reconnection duty cycle (denial of service):
D = treconnect / (treconnect + tinterval) ≈ 1.0 when tinterval < treconnect

Where LMAC ≈ 26 octets for a deauth frame (24-octet header plus 2-octet reason code), tPHY ≈ 192 μs is the long-preamble plus PLCP-header time at 1 Mbit/s DSSS, Rbasic is the basic data rate (1 to 6 Mbit/s), DIFS ≈ 50 μs, and treconnect is 0.2 to 2 s for a WPA2/WPA3 client. Even one 100 mW adapter sustaining roughly 100 forged frames/s keeps D ≈ 1, a full outage, while using under 1% of channel airtime.

Deauthentication Versus Related 802.11 Teardown Mechanisms

FrameSubtypeState after receiptForces new handshake?Protected by 802.11w?Typical use
Deauthentication12State 1 (unauth, unassoc)Yes (full auth + 4-way)Yes (unicast MIC)Forced disconnect, deauth flood
Disassociation10State 2 (auth, unassoc)No (re-associate only)Yes (unicast MIC)Graceful roam, load balancing
Association request0Toward State 3n/aNoJoining a BSS
Authentication11State 2n/aNo (SAE has own protection)Open / SAE auth exchange
Beacon8No changeNoNoBSS advertisement
Common Questions

Frequently Asked Questions

What is the difference between a deauthentication frame and a disassociation frame?

Both tear down a link, but at different states. A disassociation frame (subtype 10) ends only the association and leaves the station authenticated in State 2, so it can re-associate without re-running authentication. A deauthentication frame (subtype 12) drops the station all the way to State 1, forcing full re-authentication and a fresh WPA2/WPA3 four-way handshake. Both carry a 2-octet reason code, and either can be sent unicast or to the broadcast address FF:FF:FF:FF:FF:FF.

How does a deauth flood attack work and how fast can it disconnect a client?

In legacy 802.11, deauth frames are unencrypted and unauthenticated, so an attacker reads the BSSID and client MAC from plaintext headers in monitor mode and spoofs the access point as the source. One forged frame is enough to drop a client; tools send bursts of 5 to 64 frames per target every 10 to 100 ms. The frames are tiny (about 26 bytes) and sent at 1 to 6 Mbit/s basic rates, so even a 100 mW adapter sustains a continuous outage without knowing the passphrase.

Does 802.11w protected management frames stop deauthentication attacks?

Yes. 802.11w adds Management Frame Protection: unicast deauth and disassociation frames carry a Message Integrity Check, so spoofed frames fail the MIC and are discarded, and a faked broadcast deauth triggers an SA Query that confirms the real client is present. PMF is mandatory in WPA3 and Wi-Fi 6 certification and optional in WPA2. It does not protect pre-association open-system frames, so a few early-stage attacks remain, but it eliminates the classic broadcast deauth flood.

Wireless Test Components

Build a Robust Wireless Link

From WPA3-ready access infrastructure to the front-end filters and amplifiers behind resilient 802.11 systems, our engineering team can spec the RF hardware your secure wireless design needs.

Get in Touch