Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / TRANSPORT LAYER / TCP

Connection Termination

(RST Injection)


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Goal

  • Attacker spoofs source IP of one endpoint
  • Crafts packet with:
    • Correct 4-tuple (src IP, dst IP, src port, dst port)
    • Valid sequence number (must be in window)
    • RST flag set
  • Sends RST to terminate connection

Important: Modern TCP stacks validate sequence numbers.
Blind RST injection is hard without sniffing.

So this is usually seen with:

  • ARP poisoning
  • On-path attacker (MITM)
  • LAN attacker

Red Flags

  • Sudden RST in active session (no FIN)
  • RST not part of normal FIN/ACK teardown
  • MAC/IP mismatch
  • Sequence number anomaly
  • Unexpected connection drop

Filters

# Find RST packets
tcp.flags.reset == 1

# Suspicious RST without prior FIN
tcp.flags.reset == 1 && tcp.flags.ack == 1

Killchain

  • Active TCP session exists
  • Attacker observes or guesses sequence number
  • Spoofed RST packet injected
  • Endpoint terminates connection
  • No graceful FIN handshake observed
  • Possible MAC/IP mismatch (LAN)