How to Forcefully Terminate Established HTTPS Connections Using tcpkill in Linux

The tcpkill utility from the dsniff package works differently than many administrators expect. Unlike kill or killall, it doesn't immediately terminate connections. Instead, it:

  1. Sniffs the network interface for matching traffic
  2. Injects TCP RST (reset) packets when it detects activity

# Basic syntax that often confuses users
tcpkill -i eth1 port 443

For established HTTPS connections, there are several technical reasons why tcpkill might appear to hang:

  • Encrypted traffic: The tool can't inspect encrypted payloads to identify the connection
  • Idle connections: tcpkill needs to see packets to inject RSTs
  • NAT/firewall interference: Middleboxes might block the injected packets

Method 1: Generate Traffic

Force the client or server to send packets:

# In one terminal:
tcpkill -i eth1 -9 port 443

# In another terminal, generate traffic:
curl -I https://target-domain.com

Method 2: Use Alternative Tools

When tcpkill isn't sufficient:

# Using ss (iproute2) to destroy sockets that match a filter
# (needs a kernel built with CONFIG_INET_DIAG_DESTROY)
ss -tpan | grep 443
sudo ss -K dst target.ip dport = :443

# Using conntrack for NAT environments: this only deletes the tracking entry,
# so the flow is cut only if the firewall then drops or rejects its packets
sudo conntrack -D -p tcp --dport 443

For complex scenarios:

# Kill all connections from specific IP
tcpkill -i eth1 host 192.168.1.100 and port 443

# Persistent monitoring (will kill new connections)
tcpkill -i eth1 -9 port 443 &

# Verbose mode for debugging
tcpkill -v -i eth1 port 443

If tcpkill still appears to hang:

  • Verify interface name with ip link show
  • Check for conflicting firewall rules
  • Test with unencrypted HTTP first
  • Consider TTL values when dealing with hops
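To reset only the flows that actually exist instead of everything on port 443, the script below (added here; it is not from the original post) parses `ss -tpan` output for established peers and builds the per-host `host X and port 443` filter shown above; the ss sample is constructed, and `DRY_RUN=1` is an assumed default so nothing is reset unless you opt in.

```bash
#!/bin/bash
# Added example: scope tcpkill to peers holding ESTAB sockets on a port.
# SAMPLE_SS is a constructed `ss -tpan` sample, not a capture from a host.
set -eu

SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port      Process
ESTAB   0      0      10.0.0.5:51234       93.184.216.34:443      users:(("curl",pid=4242,fd=5))
ESTAB   0      0      10.0.0.5:51240       93.184.216.34:443      users:(("firefox",pid=3101,fd=77))
ESTAB   0      0      10.0.0.5:443         198.51.100.7:60322     users:(("nginx",pid=1200,fd=12))
ESTAB   0      0      10.0.0.5:22          10.0.0.9:50112         users:(("sshd",pid=910,fd=4))
LISTEN  0      128    0.0.0.0:443          0.0.0.0:*              users:(("nginx",pid=1200,fd=6))
TIME-WAIT 0    0      10.0.0.5:51100       93.184.216.34:443'

# established_peers <port>: read `ss -tpan` output on stdin and print each
# unique peer IP of an ESTAB socket whose local or peer port equals <port>.
# LISTEN and TIME-WAIT rows are skipped: tcpkill has nothing to reset there.
established_peers() {
  awk -v port="$1" '
    $1 == "ESTAB" {
      nl = split($4, l, ":"); np = split($5, p, ":")
      if (l[nl] != port && p[np] != port) next
      ip = $5; sub(/:[^:]*$/, "", ip); gsub(/\[|\]/, "", ip)  # drop port, IPv6 brackets
      if (!seen[ip]++) print ip
    }'
}

# tcpkill_filter <peer_ip> <port>: the per-host BPF expression used above.
tcpkill_filter() { printf 'host %s and port %s\n' "$1" "$2"; }

# kill_established <iface> <port>: one scoped tcpkill per live peer.
# DRY_RUN=1 (assumed default) only prints the commands; DRY_RUN=0 runs each
# tcpkill as root for 10 s, during which you must push traffic through that
# flow (Method 1) because tcpkill injects RSTs only after it sees a packet.
kill_established() {
  local iface="$1" port="$2" ip cmd
  ss -tpan | established_peers "$port" | while read -r ip; do
    cmd="tcpkill -i $iface -9 $(tcpkill_filter "$ip" "$port")"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else sudo timeout 10 $cmd || true; fi
  done
}

# Demonstration on the sample: two peers, and a single filter for the host
# that holds two sockets.
printf '%s\n' "$SAMPLE_SS" | established_peers 443 | while read -r ip; do
  tcpkill_filter "$ip" 443
done
```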

The tcpkill utility from the dsniff package works differently than many administrators expect. It doesn't actively send termination packets like RST, but instead:

1. Captures existing TCP traffic on the specified interface
2. Forwards the traffic while incrementing sequence numbers
3. Causes the connection to break when sequence numbers become invalid

When you run:

tcpkill -i eth1 -9 port 443

The tool waits for actual traffic on port 443 before it can interfere with the connection. If the HTTPS connection is idle (like in your case showing 0 bytes in netstat), tcpkill has nothing to work with.

Method 1: Generate Traffic on Target Port

Force some traffic through the connection:

# In one terminal:
tcpkill -i eth1 -9 port 443

# In another terminal:
curl https://target-domain.com > /dev/null

Method 2: Alternative Tools

When tcpkill isn't suitable, consider these alternatives:

# Using ss (socket statistics) to find connection
ss -ntp | grep ':443'

# Killing via procfs (requires root). This sysctl is not a standard knob of the
# mainline kernel's tcp_* set, so check that the file exists before relying on it
echo 1 > /proc/sys/net/ipv4/tcp_rst_on_timeout

# Using iptables to reject outgoing packets on the flow; for TCP, add
# --reject-with tcp-reset so the local peer sees a reset instead of an ICMP error
iptables -A OUTPUT -p tcp --dport 443 -j REJECT

If tcpkill still doesn't work:

  • Verify interface name with ip link
  • Check for encryption bypassing tcpkill
  • Try lower severity levels (-1 to -9)
  • Confirm you have root privileges

For production environments, consider automating the process:

#!/bin/bash
# Re-launch tcpkill whenever it exits so new port-443 flows keep getting reset
while true; do
    tcpkill -i eth1 -9 port 443
    sleep 5
done

This script continuously monitors and kills any new 443 connections, useful for security testing scenarios.