TCP Reset Injection
What is TCP Reset Injection?
TCP Reset Injection: An attack that forges TCP RST segments matching an existing connection so endpoints abruptly close it, breaking or hijacking the session.
TCP reset injection abuses the design of TCP, where a packet bearing the RST flag and an acceptable sequence number forces both endpoints to tear down the connection. An attacker who can observe or guess the four-tuple (source/destination IP and port) and a sequence number that falls within the receive window - by sniffing the link, by being on-path, or via off-path inference - can inject a spoofed RST that ends the session. The technique is used by some nation-state censors to block specific TLS handshakes, by IDS/IPS to terminate detected attacks, and by attackers wanting to disrupt streaming, BGP or SSH sessions. Defenses: encrypt sessions end-to-end (TLS, IPsec), use the TCP MD5/AO option for BGP, enable TCP timestamps and sequence-number randomization, and monitor for RST anomalies.
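One way to approach the "monitor for RST anomalies" defense, as an added example that is not part of the original glossary entry: three heuristics run over packet records from a sensor. The record layout, the TTL tolerance, the reason labels and the sample flow are all assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed record layout (assumption): what a sensor extracts per packet.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ttl length")

TTL_SLACK = 2  # assumed tolerance for ordinary path changes


def rst_anomalies(packets):
    """Return (timestamp, direction, reason) for each suspicious RST signal."""
    ttl_seen = {}                 # direction -> TTL of first non-RST packet
    rst_seqs = defaultdict(list)  # direction -> sequence numbers of RSTs seen
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        if "R" in p.flags:
            base = ttl_seen.get(key)
            # A forged RST rarely arrives with the real peer's hop count.
            if base is not None and abs(p.ttl - base) > TTL_SLACK:
                alerts.append((p.ts, key, "ttl-mismatch"))
            # A real endpoint does not send RSTs with differing sequence numbers.
            if any(seq != p.seq for seq in rst_seqs[key]):
                alerts.append((p.ts, key, "rst-seq-spread"))
            rst_seqs[key].append(p.seq)
        else:
            ttl_seen.setdefault(key, p.ttl)
            # The claimed sender keeps sending data, so it never reset.
            if rst_seqs[key] and p.length > 0:
                alerts.append((p.ts, key, "data-after-rst"))
    return alerts


# Constructed sample flow (RFC 5737 documentation addresses) with forged RSTs.
SAMPLE = [
    Pkt(0.00, "192.0.2.10", 44321, "198.51.100.5", 443, "S", 1000, 64, 0),
    Pkt(0.03, "198.51.100.5", 443, "192.0.2.10", 44321, "SA", 9000, 52, 0),
    Pkt(0.03, "192.0.2.10", 44321, "198.51.100.5", 443, "A", 1001, 64, 0),
    Pkt(0.04, "192.0.2.10", 44321, "198.51.100.5", 443, "PA", 1001, 64, 517),
    Pkt(0.05, "198.51.100.5", 443, "192.0.2.10", 44321, "R", 9001, 61, 0),
    Pkt(0.05, "198.51.100.5", 443, "192.0.2.10", 44321, "R", 10461, 61, 0),
    Pkt(0.07, "198.51.100.5", 443, "192.0.2.10", 44321, "PA", 9001, 52, 1400),
]

if __name__ == "__main__":
    for ts, flow, reason in rst_anomalies(SAMPLE):
        print(f"{ts:.2f} {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} {reason}")
```

Packet reordering and route changes can trigger these heuristics on legitimate traffic, so treat the output as signals to correlate rather than verdicts.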
● Examples
- 01: Off-path RST injection by a state-level adversary to break specific TLS connections.
- 02: An IPS sending RSTs to both ends to tear down a detected SQL-injection flow.
● Frequently asked questions
What is TCP Reset Injection?
An attack that forges TCP RST segments matching an existing connection so endpoints abruptly close it, breaking or hijacking the session. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against TCP Reset Injection?
Defences for TCP Reset Injection typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for TCP Reset Injection?
Common alternative names include: TCP RST attack, RST injection, Connection reset attack.
● Related terms
- IP Fragmentation Attack (attacks, № 554): A family of network attacks that abuses IP fragmentation - overlapping, undersized, or oversized fragments - to crash hosts, evade IDS/IPS, or trigger denial of service.
- ARP Spoofing (attacks, № 062): A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- Promiscuous Mode (attacks, № 865): A network-interface mode in which the NIC delivers every frame on the wire to the operating system, enabling passive sniffing of traffic on a shared or mirrored segment.
- Session Hijacking (attacks, № 1016): An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
- DNS Spoofing (attacks, № 343): An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.