More of a denial of service attack, but with the current discussion on bugtraq/firewalls regarding sequence number guessing, I thought I'd put forward a method of killing an established TCP connection, besides the (mis)usage of ICMP unreachable messages. It would also appear that, although this attack is more difficult to launch, it would also be more difficult to prevent.

Since it's possible to guess sequence numbers of the packets in a TCP connection, it seems it would be possible to then send a fake FIN message to our target, followed directly by an ACK to acknowledge the closing of the connection. If you wanted to kill a connection, all you would have to do is flood one of the ends with FIN/ACK packets until you get the sequence numbers correct.

- Oliver
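The flooding described in the post, seen from the receiving side, as an added example that is not part of the original message: a detector that flags flows receiving FIN segments at many distinct sequence numbers outside the receive window, while ignoring a single stale FIN that is merely retransmitted. The record fields (`flow`, `flags`, `seq`, `rcv_nxt`, `rcv_wnd`), the threshold and the sample data are assumptions; a real sensor would need a stateful flow tracker to supply the receiver's expected sequence number and window.

```python
from collections import defaultdict

MOD = 2 ** 32  # TCP sequence space wraps at 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 check on the segment start: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def detect_fin_guessing(segments, threshold=3):
    """Return {flow: n} for flows hit by FINs at n >= threshold distinct out-of-window seqs.

    A retransmitted stale FIN repeats one sequence number; guessing varies it.
    """
    bad_seqs = defaultdict(set)
    for record in segments:
        if "F" not in record["flags"]:
            continue
        if not in_window(record["seq"], record["rcv_nxt"], record["rcv_wnd"]):
            bad_seqs[record["flow"]].add(record["seq"])
    return {flow: len(seqs) for flow, seqs in bad_seqs.items() if len(seqs) >= threshold}


def mk(flow, flags, seq, rcv_nxt, rcv_wnd=8192):
    """Build one hypothetical sensor record."""
    return {"flow": flow, "flags": flags, "seq": seq, "rcv_nxt": rcv_nxt, "rcv_wnd": rcv_wnd}


# Constructed sample data (documentation addresses, not a real capture).
NORMAL = ("192.0.2.10", 40000, "198.51.100.5", 23)
STALE = ("192.0.2.11", 40001, "198.51.100.5", 23)
SPRAYED = ("192.0.2.12", 40002, "198.51.100.5", 23)

SAMPLE = (
    [mk(NORMAL, "A", 1000, 1000), mk(NORMAL, "FA", 1100, 1100)]   # clean close, in window
    + [mk(STALE, "FA", 500, 9000) for _ in range(4)]              # one old FIN, repeated
    + [mk(SPRAYED, "FA", i * 500_000_000, 70000) for i in range(1, 8)]  # varying seqs
)

if __name__ == "__main__":
    for flow, n in detect_fin_guessing(SAMPLE).items():
        print("possible FIN guessing:", flow, "distinct out-of-window FIN seqs:", n)
```

Counting distinct sequence numbers rather than raw FIN counts keeps ordinary retransmissions from raising alerts.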