📜 ⬆️ ⬇️

Working method for breaking a specific active connection from the linux command line (drop / kill / cut / close ESTABLISHED connection)

Sometimes it is necessary to forcibly break an active connection. The most common way:

netstat -na
kill PID

The problem is that one worker can simultaneously serve several connections, so it would be more correct to kill the connection and not the worker. For this, many forums recommend using tcpkilll , cutter or awk + hping3 . However, even though these utilities are in the official repositories, I could not get them to break the connections.

After a long search, the perl killcx script was discovered, breaking the connection to the remote host and port.

[PARENT] checking connection with []
[PARENT] found connection with [] (ESTABLISHED)
[PARENT] forking child
[CHILD] interface not defined, will use [eth0]
[CHILD] setting up filter to sniff ACK on [eth0] for 5 seconds
[CHILD] hooked ACK from []
[CHILD] found AckNum [3091573605] and SeqNum [3105164779]
[CHILD] sending spoofed RST to [] with SeqNum [3091573605]
[CHILD] sending RST to remote host as well with SeqNum [3105164779]
[CHILD] all done, sending USR1 signal to parent [13723] and exiting
[PARENT] received child signal, checking results...
=> success : connection has been closed !

For his work requires a whole set of libraries.

apt-get install \
libpcap0.8 \
libpcap-dev \
libnet-pcap-perl \
libyaml-perl \
libyaml-dev \
libyaml-0-1 \


cpan -i \
Net::RawIP \

wget http://citylan.dl.sourceforge.net/project/killcx/killcx/1.0.2/killcx-1.0.2.tgz
tar xvfz killcx-1.0.2.tgz
cd killcx-1.0.2/
cp killcx /usr/bin/

Source: https://habr.com/ru/post/105441/

All Articles