Can someone take down Wi-Fi signal?

There are a lot of ways you can attack a WiFi without knowing any passwords:

  • Physical layer attacks: Simply jam the frequency spectrum with your own signal. That signal might just be noise, but it might also be a WiFi of your own under heavy load, with the nodes in that WiFi being configured not to play nice with others (depending on the WiFi chipset, that can be extremely easy). Spectrum can only be used once!
    Tool: noise source (e.g. Gunn Diode, SDR device), or normal AP
  • Electromagnetic sledgehammer: EMI gun. Take microwave oven oscillator, attach directive antenna, pray you don't cook someone's (your) brain, and point in the rough direction of the access point. Poof! Microwave ovens operate in the 2.4 GHz band, and thus, antennas of Access Points are picking up exactly that energy.
    Tool: Microwave oven, some sheet metal, lack of regard for other people's property and own health, or extended RF knowledge
  • MAC and Network layer attacks: Especially for networks using WEP (no one should be using this anymore, but sadly...) it's easy to forge what are called deauthentication packets – and thus, to throw out stations from your WiFi.
    Tool: Aircrack-NG's aireplay
  • Targeted jamming: As opposed to simply occupying the channel with noise or your own WiFi, you can also build a device that listens for typical WiFi packets' beginnings (preambles), and then, just shortly, interferes. Or just sends fake preambles periodically, or especially when it's silent. That way, you can corrupt selected packets, or fake channel occupancy.
    Tool: Commodity off-the-shelf SDR
  • Authentication attacks: At some point, even "proper" clients for your WiFi need to register with the WiFi. That mechanism can of course be forced to its knees by simply sending hundreds of authentication requests every second, from randomly generated MAC addresses, or even from MAC addresses of clients you know (by observation) exist. There's no solution to the problem for the AP – either it succumbs to the overload of auth packets, or it starts blocking out legitimate users.
    Tool: your network card, 10 lines of bash scripting
  • Man-in-the-Middling / access point spoofing: With anything short of WPA(2)-Enterprise, nothing proves that the access point calling itself "Toduas AP" is actually your Access Point. Simply operating a slightly higher-powered access point with the same ID string and, if necessary at all, a faked AP MAC address (trivial, since just a setting), will "pull" clients away from your access point. Of course, if the spoofing Access Point doesn't know the password, users might quickly notice (or they don't); however, noticing things don't work is nice, but doesn't help them.
    Tool: a random normal access point

You have to realize that it's a privilege, not a right, to have your WiFi use a channel. WiFi happens in the so-called ISM bands (Industrial, Scientific, Medical usage), where operators of transmitters don't have to have an explicit license. That means it's OK for everyone to use that spectrum, as long as they don't intentionally harm other devices and are not easily damaged by interference.

So, it's absolutely legal for someone to operate a high-definition digital camera stream that occupies the whole WiFi channel. That will effectively shut down your WiFi.

If you need something that no-one can mess with, wireless is, by definition, not the way to go.


There are devices that you can buy that will 'jam' a Wi-Fi signal and make it unusable.

Also, Wi-Fi has different 'channels' that it can be set to run on. If your Wi-Fi is running on a channel that is saturated due to lots of other Wi-Fi devices around you using the same channel, then the performance of your connection will degrade the further you are from the device.


I have used cloning of ESSID and BSSID to do this (set BSSID with ifconfig wlanX hw ether xx:xx:xx:xx:xx:xx). Even if you don't output more power to the clients than their own AP, it will cause problems. Eventually they will notice that there's an AP with the same name of course.

Aireplay-ng deauth is more useful. If you are not interested in using too much time on this, use mdk or wifite which automate it. Mdk has whitelist/blacklist functionality for client link layer addresses.

Edit: The deauth attack is clearly visible with tcpdump's '-y foo' - unfortunately I don't remember the flag off-hand. You may need to set RFMON first (with e.g. airmon-ng check kill ; airmon-ng start wlanX $channel).

On OpenBSD it is '-Y IEEE802_11', on Linux it is similar.
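
For the defending side, the deauthentication and authentication floods described in the answers above can be flagged from a monitor-mode capture. The following is an added example, not part of any answer on this page: it assumes frames arrive as (timestamp, raw bytes) with a radiotap header, and the window and thresholds, the function names and the sample frames are all constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH, AUTH = 0x0C, 0x0B   # 802.11 management frame subtypes

def parse_mgmt(frame: bytes):
    """Skip the radiotap header; return (subtype, src, bssid) or None."""
    if len(frame) < 8:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]      # little-endian length at offset 2
    dot11 = frame[rt_len:] if rt_len >= 8 else b""
    if len(dot11) < 24 or (dot11[0] >> 2) & 0x3 != 0:   # truncated, or not type 0 (management)
        return None
    return dot11[0] >> 4, dot11[10:16].hex(":"), dot11[16:22].hex(":")

def detect(frames, window=1.0, deauth_limit=10, auth_mac_limit=20):
    """frames: (timestamp, raw bytes) in capture order. Limits are assumed, tune per site."""
    seen = defaultdict(deque)   # (subtype, bssid) -> recent (timestamp, src)
    alerts = set()
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, AUTH):
            continue
        subtype, src, bssid = parsed
        q = seen[subtype, bssid]
        q.append((ts, src))
        while q[0][0] < ts - window:                    # drop entries older than the window
            q.popleft()
        if subtype == DEAUTH and len(q) > deauth_limit:
            alerts.add(("deauth-flood", bssid))
        elif subtype == AUTH and len({s for _, s in q}) > auth_mac_limit:
            alerts.add(("auth-flood", bssid))
    return alerts

def build(subtype, src, bssid):
    """Constructed frame: empty radiotap header, 24-byte 802.11 header, 2-byte body."""
    hdr = bytes([subtype << 4, 0]) + b"\0\0" + b"\xff" * 6 + src + bssid + b"\0\0"
    return struct.pack("<BBHI", 0, 0, 8, 0) + hdr + b"\x07\0"

AP = bytes.fromhex("020000000001")    # constructed MACs (locally administered)
STA = bytes.fromhex("020000000002")

def sample():
    """Constructed capture: one ordinary deauth, a deauth burst, auths from 30 MACs."""
    frames = [(0.0, build(DEAUTH, STA, AP))]
    frames += [(5.0 + i * 0.01, build(DEAUTH, AP, AP)) for i in range(30)]
    frames += [(9.0 + i * 0.01, build(AUTH, bytes([2, 0, 0, 0, 1, i]), AP)) for i in range(30)]
    return frames

if __name__ == "__main__":
    print(sorted(detect(sample())))
```

The deauth rule counts frames per BSSID, while the auth rule counts distinct source MACs, since a flood from randomly generated addresses shows up as many senders rather than one noisy client.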