How to Forcefully Terminate Established HTTPS Connections Using tcpkill in Linux


The tcpkill utility from the dsniff package works differently than many administrators expect. Unlike kill or killall, it doesn't immediately terminate connections. Instead, it:

  1. Sniffs the network interface for matching traffic
  2. Injects TCP RST (reset) packets toward both endpoints when it detects activity, using the sequence numbers of the packets it just saw

# Basic syntax that often confuses users
tcpkill -i eth1 port 443
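
Seen from the wire, the RST injection described above has a recognisable shape: several resets on one flow within milliseconds, where a normal abort is a single RST. The Python below is an added example, not part of this article or of dsniff; it parses constructed tcpdump-style lines (the SAMPLE list is made up here) and reports flows showing such a burst, the kind of check a defender can run over a capture from the same segment.

```python
import re
from collections import defaultdict

# One tcpdump-style line per packet, e.g.
#   12:00:00.001200 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [R], seq 501, win 0, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (seconds since midnight, 'src:port > dst:port', flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)
    return t, f'{d["src"]}:{d["sport"]} > {d["dst"]}:{d["dport"]}', d["flags"]

def find_rst_bursts(lines, min_rsts=3, window=0.5):
    """Map each flow that shows min_rsts or more RSTs inside `window` seconds
    to the size of that burst. A normal abort is a single RST; tcpkill sends
    several per observed packet (its -1..-9 degree) and in both directions."""
    rst_times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and "R" in parsed[2]:
            rst_times[parsed[1]].append(parsed[0])
    bursts = {}
    for flow, times in rst_times.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_rsts:
                bursts[flow] = n
                break
    return bursts

# Constructed sample: one SYN, a burst of four RSTs on the server-to-client
# direction of that flow, then a single ordinary RST on an unrelated flow.
SAMPLE = [
    "12:00:00.000000 IP 10.0.0.9.51234 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.001200 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [R], seq 501, win 0, length 0",
    "12:00:00.001300 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [R], seq 66011, win 0, length 0",
    "12:00:00.001400 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [R], seq 131521, win 0, length 0",
    "12:00:00.001500 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [R], seq 197031, win 0, length 0",
    "12:00:05.000000 IP 10.0.0.7.443 > 10.0.0.9.40000: Flags [R.], seq 0, ack 1, win 0, length 0",
]
```

Calling find_rst_bursts(SAMPLE) returns {'10.0.0.5:443 > 10.0.0.9:51234': 4}; the lone RST on the other flow is not reported.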

For established HTTPS connections, there are several technical reasons why tcpkill might appear to hang:

  • Encrypted traffic: tcpkill cannot read the TLS payload, but it doesn't need to; it matches on the IP addresses and TCP ports in the headers, which TLS leaves in the clear
  • Idle connections: tcpkill only injects RSTs in response to packets it sees, so an idle connection gives it nothing to act on
  • NAT/firewall interference: middleboxes may drop the injected RSTs, or the flow may simply not pass through the sniffed interface

Method 1: Generate Traffic

Force the client or server to send packets. Note that a fresh curl request opens a new connection of its own; tcpkill will reset that one, but the original idle connection is only affected once it carries traffic itself (for example a TCP keepalive or an application retry):


# In one terminal:
tcpkill -i eth1 -9 port 443

# In another terminal, generate traffic:
curl -I https://target-domain.com

Method 2: Use Alternative Tools

When tcpkill isn't sufficient:


# Using ss/iproute2 to find the socket, then destroy it in the kernel
ss -tpan | grep ':443'
# ss -K needs a kernel built with CONFIG_INET_DIAG_DESTROY; replace <target-ip>
# with the remote address shown by ss (note the leading colon in the port filter)
sudo ss -K dst <target-ip> dport = :443

# Using conntrack in NAT environments: this drops the tracked state, not the
# socket; the flow only breaks if firewall rules depend on that state
sudo conntrack -D -p tcp --dport 443

For complex scenarios:


# Kill all connections from specific IP
tcpkill -i eth1 host 192.168.1.100 and port 443

# Background instance (keeps resetting any port 443 traffic it sees)
tcpkill -i eth1 -9 port 443 &

# Debugging: tcpkill prints one line for every RST it injects, so if nothing
# is printed, no matching traffic is reaching that interface
tcpkill -i eth1 port 443

If it still appears to hang:

  • Verify the interface name with ip link show
  • Check for conflicting firewall rules
  • Test with unencrypted HTTP first
  • Consider TTL values when the injected reset has to cross several hops

The tcpkill utility from the dsniff package works differently than many administrators expect. It doesn't close a socket the way kill ends a process; instead it:

1. Captures TCP traffic matching the filter expression on the specified interface
2. Builds RST segments from the sequence and acknowledgement numbers of the captured packets
3. Injects those RSTs toward both endpoints, so the kernel on each side tears the connection down

When you run:

tcpkill -i eth1 -9 port 443

The tool waits for actual traffic on port 443 before it can interfere with the connection. If the HTTPS connection is idle (like in your case, where netstat shows 0 bytes in the queues), tcpkill has nothing to work with.

Method 1: Generate Traffic on Target Port

Force some traffic through the connection. A fresh curl request opens a connection of its own, which tcpkill will reset; the original idle connection is only hit once it carries packets itself (a keepalive or an application retry):

# In one terminal:
tcpkill -i eth1 -9 port 443

# In another terminal:
curl https://target-domain.com > /dev/null

Method 2: Alternative Tools

When tcpkill isn't suitable, consider these alternatives:

# Using ss (socket statistics) to find the connection
ss -ntp | grep ':443'

# There is no procfs switch that resets established sockets; the kernel's
# socket-destroy interface is reached through ss -K (the ss -K command
# earlier on this page)

# Using iptables: REJECT with a TCP reset so the local endpoint aborts the
# connection (plain REJECT answers with ICMP, which an established TCP
# connection treats as a soft error). The rule also blocks new port 443
# traffic until it is removed again with iptables -D.
iptables -A OUTPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset

If tcpkill still doesn't work:

  • Verify the interface name with ip link
  • Check that the filter expression really matches the flow; TLS encrypts the payload, not the addresses and ports tcpkill filters on
  • Adjust the degree (-1 to -9): it sets how many RSTs, with stepped sequence numbers, are injected per observed packet, and -9 is the most aggressive
  • Confirm you have root privileges (needed both to sniff and to inject)

For production environments, consider supervising the process:

#!/bin/bash
# tcpkill does not exit on its own, so this loop only restarts it if it dies
# (interface down, sniffer error); the sleep throttles the restarts.
IFACE="${1:-eth1}"
while true; do
    tcpkill -i "$IFACE" -9 port 443
    sleep 5
done

This keeps a tcpkill instance running that resets any port 443 traffic it observes, which is useful in security testing scenarios; it still only reacts to packets, so idle connections survive until they send something.