Skip to content

mk-fg/tcp-connection-hijack-reset

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits

COPYING

COPYING

 
 

README.md

README.md

 
 

tcp-connection-hijack-reset.py

tcp-connection-hijack-reset.py

 
 

Repository files navigation

tcp-connection-hijack-reset

Simple scapy + iptables/ipsets + nflog tool to hijack and reset existing TCP connections (for both ends), established from other pids.

Purpose is not some malicious DoS attacks but rather kicking hung state-machines in otherwise nice software, while making the whole thing look like a random net hiccup, which most apps are designed to handle.

If NFLOG is used (to get packets that should not pass netfilter, for instance), requires scapy-nflog-capture.

Usage

  • Create "conn_cutter" ipset: ipset create conn_cutter hash:ip,port

  • Create "conn_cutter" chain (some lines wrapped):

     -A conn_cutter ! -p tcp -j RETURN
 -A conn_cutter -m set ! --match-set conn_cutter src,src -j RETURN
 -A conn_cutter -p tcp -m recent --set --name conn_cutter --rsource
 -A conn_cutter -p tcp -m recent ! --rcheck --seconds 20\
 	--hitcount 2 --name conn_cutter --rsource -j NFLOG
 -A conn_cutter -p tcp -m recent ! --rcheck --seconds 20\
 	--hitcount 2 --name conn_cutter --rsource -j REJECT --reject-with tcp-reset

    Note that due to one global "recent" netfilter tag used above, only one connection can be cut in 20 seconds (others will pass through this chain unharmed).

    This is done in case of rare pids which may bind() outgoing socket to a constant port, so that packets of the reconnection attempt from the same port won't get matched and pass.

  • Update "OUTPUT" chain:

     -I OUTPUT -j conn_cutter

    That should be strictly before rules like --state RELATED,ESTABLISHED -j ACCEPT.

  • Run: tcp-connection-hijack-reset.py conn_cutter --pid 1234 --debug

    Will pick single TCP connection of a specified pid (or raise error if there's more than one) and cut it, with a lots of noise about what it's doing (due to "--debug").

  • Result: both endpoints should reliably get single RST packet and connection closed promptly.

See this post on more details about what it all means and why it's there.

Similar tools

  • dsniff - has "tcpkill" binary that does very similar thing.

  • tcpkill - standalone tcpkill tool from dsniff.

  • cutter - aims to solve similar problem, but on a router box (seem to work with conntrack tables only), and with some strange methods (generating noise on connection to get seq, which doesn't seem to work at all).

About

Simple scapy-based tool to hijack and reset existing TCP connections

Topics

python networking tcp attack scraps scapy ipset nflog

Resources

Readme

License

WTFPL license
Activity

Stars

23 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages