(RST Injection)
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Goal
- Attacker spoofs source IP of one endpoint
- Crafts packet with:
- Correct 4-tuple (src IP, dst IP, src port, dst port)
- Valid sequence number (must be in window)
- RST flag set
- Sends RST to terminate connection
Important: Modern TCP stacks validate sequence numbers.
Blind RST injection is hard without sniffing.
So this is usually seen with:
- ARP poisoning
- On-path attacker (MITM)
- LAN attacker
Red Flags
- Sudden RST in active session (no FIN)
- RST not part of normal FIN/ACK teardown
- MAC/IP mismatch
- Sequence number anomaly
- Unexpected connection drop
Filters
# Find RST packets
tcp.flags.reset == 1
# Suspicious RST without prior FIN
tcp.flags.reset == 1 && tcp.flags.ack == 1
Killchain
- Active TCP session exists
- Attacker observes or guesses sequence number
- Spoofed RST packet injected
- Endpoint terminates connection
- No graceful FIN handshake observed
- Possible MAC/IP mismatch (LAN)