tcpkiller

tcpkiller is a Python script with a narrow job: watch a network segment, find the TCP connections that belong to a chosen target, and tear them down. The repository describes it in one line: it will “sniff and kill all TCP connections for specific(s) target(s).”

The mechanism is one of the oldest weaknesses of TCP. A connection is identified by four numbers (source address, destination address, source port, destination port) and it can be ended by anyone who can forge a segment carrying those four numbers and a plausible sequence number. On a shared segment, where traffic can be observed, the four numbers and the sequence space are simply visible. tcpkiller watches for them and injects the segment that closes the connection. Nothing about the connection’s contents has to be broken; the connection only has to be seen.

That makes the tool two things at once. On a network you administer it is a blunt instrument for clearing sessions: forcing a client to reconnect, dropping something that has hung, testing how an application copes when a connection dies underneath it. As a demonstration it is an argument: it shows, concretely, that a cleartext TCP session on a shared link is held open only by everyone’s good behavior, and that the case for transport encryption and authentication is not abstract.

The repository’s TODO sketches where the idea goes next: forging ICMP “port unreachable” messages and TCP resets so the teardown appears to come from the router rather than from the host running the script. The theme does not change. The closer the forged packet looks to legitimate network infrastructure, the harder the disconnection is to attribute.

The source is on GitHub: github.com/dukptkey/tcpkiller. It should be pointed only at networks and hosts you are authorized to disrupt.