3

I am learning about Deauth attacks and how they work. I see that the Deauth frame has a reason code which indicates the reason for the deauth. I have tested the attack with aircrack-ng and this reason code always translates to "Class 3 Frame received from non associated station". Do other attack tools have the ability to spoof/tamper the reason code or is it always the same?

Second part of my question is about post attack scenario. Victim can black list the MAC which sent the Deauth frames but that MAC will be of the legitimate Access Point or another client. What are the options for a victim ?

Sanib Thiki
  • 31
  • 1
  • 3
  • To clarify further I want to ask, is it safe to assume that de-auth flood attacks will use the same reason code i.e "Class 3 Frame received from non associated station" ? – Sanib Thiki May 20 '14 at 15:37

1 Answers1

1

Based on code from http://www.sans.org/reading-room/whitepapers/wireless/programming-wireless-security-32813 , I would say that, yes, other attack toolkits can change the reason code.

One option for the victim is to use Protected Management Frames: http://en.m.wikipedia.org/wiki/IEEE_802.11w-2009

PlasmaSauna
  • 574
  • 3
  • 6
  • Thanks. Although as far as options for victim are concerned, I am well aware of the idea to use 802.11w. What I want to know is a possible reaction for a network which is using pre 802.11w standard. – Sanib Thiki May 21 '14 at 13:34
  • Ah! In that case, there's nothing reasonable you can do in cyberspace, beyond loggin the event. In meatspace, at least, you could try a directional antenna... Have you read http://security.stackexchange.com/questions/20219/preventing-deauthentication-attacks ? Also, if you have any more details about your situation (e.g., being unable to upgrade your infrastructure to use 802.11w), can you edit them into your question? – PlasmaSauna May 22 '14 at 01:50