Have you ever thought about killing a particular TCP connection or just
shaping that traffic down to acceptable levels?

dsniff is a little collection of tools that were build for security
analysis. They include two tools that I'm interested in: tcpnice and tcpkill.

tcpkill is the easier tool to comprehend. It takes the following form:

  tcpkill -9 port 22

The -9 part is a severity specifier, the port 22 part is a tcpdump
filter argument. Internally tcpkill uses libpcap to open a raw socket,
listening to anything that passes the filter (i.e. port 22). For
every TCP packet received, it constructs a corresponding RST packet
and injects it over a raw socket into the host. Increasing the
severity means doing this process multiple times. It's a simple way to
kill just the right connections.

tcpnice is a little different. It takes the following form:

  tcpnice [-I] -n X port 80

Again the port 80 is a tcpdump filter argument. The X is a nice
value from 1 to 20, where larger values indicate a slower connection.
Again this works by opening a pcap session and then injecting packets
over a raw socket. But this time we inject a TCP segment with a new
TCP window size
The -I option additionally injects a [ICMP source quench](<https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Source_quench) packet into the raw socket to further quench the resource hunger of your connections.

This works for well behaved programs, but if your target uses raw
sockets to implement some kind of attack this is not going to work.

tcpnice & tcpkill

Follow me on Mastodon!