/ GUIDE — NETWORK SECURITY

How do you detect a deauth attack?

You can’t read the frames off the air on Windows — but the pattern gives it away. And the disconnects usually aren’t the real goal.

You detect a deauth attack by its pattern: repeated disconnects from a network that’s still right there. A deauth flood forges the “you’ve been disconnected” frames WiFi never authenticated, knocking you off again and again. Several drops in a short window — while your real access point is still beaconing at strong signal — is not how normal roaming behaves.

The network is still right there — but something keeps knocking you off it.
YOUR AP
beacon −38 dBm
forged “deauth” frames
YOUR DEVICE
reconnecting
disconnect edges: 0 / 90s — watching
DEAUTH FLOODthe AP is still right there — but you keep getting kicked off
/ THE SIGNATURE

Disconnects while the AP is still strong

A deauth flood sends a stream of forged deauth or disassociation frames spoofed to look like they came from your access point. Your device believes them and drops, then reconnects — and gets knocked off again. The distinguishing feature isn’t just that you disconnect; it’s that you disconnect repeatedly while the real AP is still beaconing at strong signal. A weak signal drops you gradually; a deauth flood drops you sharply and often, with full bars.

/ THE REAL GOAL

It’s usually the setup for an evil twin

Denial of service is rarely the point. A deauth flood is almost always the setup for something worse: knock you off your real network so your device reconnects to an evil twin broadcasting the same name, or so it falls back to a network the attacker controls.

STEP 1
knocked off your real AP
STEP 2
device hunts to reconnect
STEP 3
lands on the evil twin
The twin broadcasts the same name — so the reconnect the flood forces is exactly where the attacker wants you.
THE REAL GOALdenial of service is rarely the point — it’s the setup for the twin
/ WHY WINDOWS SEES THE SYMPTOM

No monitor mode, so watch the effect

Windows can’t put a consumer WiFi card into monitor mode, so it can’t read the deauth frames off the air directly. Instead, detection watches your connection and counts connected→disconnected transitions: several in a short window, while your real AP is still strong, is raised as a suspected deauth attack. Disconnects the software causes itself — its own network-reset identity cycles — are suppressed so it never blames itself. (Dedicated Linux monitor hardware, by contrast, can read the frames directly.)

/ WHAT YOU CAN DO

Guard the reconnect

Here’s the honest part: no software on a normal WiFi card can stop the radio frames of a jammer. What it can do is tell you what’s happening instead of leaving you to wonder why your WiFi “keeps dropping,” and warn you the moment it looks deliberate. Because a deauth flood is so often the opening move for an evil twin, treat any network offering to reconnect you as suspect — and bring your traffic up inside an encrypted tunnel before you trust the connection again.

DISCONNECTS
×××
your real access point is still beaconing at strong signal — normal roaming doesn’t do this
connection dropped
RECONNECT GUARDwe can’t stop the radio frames — but we name the attack and treat the network offering you back as suspect
/ THE TOOL

Catching it automatically

WifiThreatWatch detects the symptom — repeated disconnects while your real AP is still beaconing strong — and raises a suspected deauth attack, suppressing the disconnects it causes itself. It’s your cue to be suspicious of the next network offering to reconnect you. Detection is free.

FREE FOREVERDeauth-attack detection is free, for Windows.

Go deeper: how we detect deauth floods · detecting the evil twin it sets up · the threats library

/ FAQ

Deauth attacks: quick answers

How do I know if I’m being hit with a deauth attack?

The signature is repeated disconnects from a network that’s still clearly there — your access point is beaconing at strong signal, but your device keeps getting kicked off and reconnecting. Normal roaming or a weak signal doesn’t behave that way. Several connected→disconnected transitions in a short window, while the real AP is still strong, is the tell.

What is a deauthentication (deauth) attack?

A deauth attack floods forged deauthentication frames to repeatedly knock your device off its WiFi. WiFi management frames like deauth were never authenticated, so a nearby attacker can forge them and tell your device, over and over, that it’s been disconnected. It’s usually not the goal itself — it’s the setup for forcing you onto an evil twin.

Can Windows detect deauth frames directly?

Not off the air — a consumer WiFi card on Windows can’t enter monitor mode, so it can’t read raw deauth frames. What you can detect is the symptom: repeated disconnects while the real access point is still beaconing strong. That heuristic catches the effect of the attack even without frame-level capture. Dedicated Linux monitor hardware can read the frames directly.

How do I stop a deauth attack?

You can’t stop the radio frames of a jammer with software on an ordinary WiFi card — anyone claiming otherwise is overselling. What matters is knowing it’s happening and being suspicious of the reconnect: because a deauth flood is so often the opening move for an evil twin, treat any network offering to reconnect you as suspect, and bring your traffic up inside an encrypted tunnel before trusting it.

If your WiFi keeps dropping,
know whether it’s an attack.