Disassociation notification received - possible foul play?

Jouni Malinen j at w1.fi
Wed Jun 6 08:05:18 EDT 2012 

On Tue, Jun 05, 2012 at 01:34:34AM +0100, Michael Zintakis wrote:
> After connecting to my AP, sometimes - seemingly at random intervals - I 
> get my device disconnected. Getting a full debug log was very difficult 
> due to the fact that this happens seemingly at random intervals and it 
> is very unpredictable, but it always happens after 4way handshake with 
> the AP is completed.

You would need to take a look at the driver you are using to figure out
why it indicated disconnection.

> The way I look at this, my STA is receiving "Disassociation 
> notification" (from where I don't know!) and then disconnects. I don't 
> know enough in order to judge whether this is deliberate action done by 
> somebody or is simply a "glitch" or bug in the system, though there is 
> no doubt that this "intermittent" disconnection is very annoying as it 
> disrupts my device (I am running a lot of things on it, which require 
> constant network traffic). Any ideas what could be the cause of this and 
> whether there is a potential for foul play?

Either the AP disconnected the station explicit (sending
Deauthentication/Disassociation frame) or the local driver determined
that the connection was lost, e.g., based on missing some Beacon frames
from the AP. You seemed to be using the old WEXT driver interface which
does not provide enough details to wpa_supplicant to know what happened
and as such, you would need to look at the driver debug information to
check what exactly happened.

> A couple of other related queries: If I am able to get my wireless on 
> the client to run in 802.11w mode (the AP is already fully configured to 
> run and supports such mode), I am guessing events like the one I listed 
> above would become a thing of the past, is that correct?

Only if someone is indeed injecting a Deauth/Disassoc frame to attack
the system.. It is much more likely that something else is causing the
driver to believe the connection was lost and as such, enabling
management frame protection is unlikely to change this in any way.

> If I am *not* able to do that for whatever reason, would it be possible 
> to alter the wpa_supplicant source code to "ignore" these 
> "Disassociation" notifications?

It would not help at all to make wpa_supplicant ignore those since the
association was lost at the driver and ignoring that event will just
make the local state not match between the driver and wpa_supplicant
(and the data connection would be down since the driver is not
associated at this point).

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list