This [1] explains well their technique.

TL;DR: send deauth packages to every wireless network with a signal strong enough to be considered within your premises.

[1] https://www.techdirt.com/articles/20141003/12083628721/fcc-f...

By telling their access points to send deauth requests to all devices that aren't on their networks.

And yup, 802.11 tells devices to deauth even when receiving unencrypted deauth requests from access points the device expects to be encrypted.

Deauth packets are normally sent in the clear even for encrypted networks, though 802.11w is supposed to fix that eventually.

I do IT for a few hotels and I've never found this feature useful. While I agree it's useful to be able to control RF noise (by annoying someone enough with the deauth packets that they turn off their tethering), it's difficult to differentiate between nearby businesses and homes vs. someone tethering on-site.

There are two approaches for hotel Wifi.

One is to make a network that's so good people will pay to use it.

The other is to make a network that's average, but intentionally make other networks worse, so that people will pay to use yours.

Since you're reading HN, I imagine your strategy is the first. Hence, you don't see the need to interfere with other users of the spectrum.

Sounds like someone is/will get a nice business out of selling tiny little "wifi killer" devices that just continuously sends deauth's to everyone, that can be plugged into some well hidden outlets somewhere when you're not happy with them...

Thankfully some enterprise equipment (I can only speak of Meraki access points) can detect such attacks. So, you could localize (to a degree) where such an attack was coming from based on the AP locations.

Can you just use their ssid, if you're the strongest signal your device should prefer yours?

Enterprise access points typically look for APs that are not theirs but are using the SSID and send deauths for that. That's an actual legitimate use of deauth. (If you're using encryption, then a rogue AP can't impersonate the real network without knowing the encryption key. But public networks tend to be open for convenience. So some trickery is necessary to provide a little extra safety for users.)

Wifi clients are notoriously awful at roaming. You would think they would prefer the strongest signal, but they seem to select randomly, no doubt depending on driver/firmware versions and bugs. If you've ever used an enterprise WiFi network where roaming works, it's because the APs talk to each other, make a selection as to which AP is best for you to talk to, and then deauth you from the APs that you shouldn't be talking to. So deauths are actually essential to making Wifi work well. The problem in this case is that Marriott is going above and beyond industry best practices and is just trying to kill _everyone_'s Wifi, presumably for their own financial gain. That's a violation of FCC rules, so they're trying to have the rules changed.

Meanwhile, I can just operate my network under Part 97 instead of Part 15 and it would still be illegal for them to intentionally or unintentionally interfere. Though Part 97 Wifi is a bit of a grey area.

I used to work at a company that provided WiFi service at apartment complexes around 10 years ago. I ended up just assigning every access point a different SSID for each access point to reduce the amount of counterproductive roaming. Some drivers were way better at AP selection than others.

Detect rogue access points and spam them with deauth packets?