Actively terminates matching TCP connections by sending TCP RST responses. Unlike "Block Traffic", which silently drops packets causing timeouts, this attack causes immediate connection errors on the client side.
Details
Note: If you are going to attack containers using network attacks, all containers in the target's linux network namespace (e.g. all containers belonging to the same Kubernetes Pod) will be affected. In case you want to target the traffic of a single container in the namespace you can for example use the port parameter to limit the blast radius.
The attack uses iptables REJECT rules with --reject-with tcp-reset to send TCP RST packets for matching connections. This affects both incoming and outgoing TCP traffic. The iptables rules are appended to the container's network namespace filter chains. Each attack instance creates a unique iptables chain, allowing multiple concurrent attacks with different filters on the same target.
When an Istio sidecar is detected in the target's network namespace, the attack automatically uses a mark-based approach: matching packets are marked in the mangle table (before Istio's NAT rules rewrite the destination) and then rejected in the filter table based on the mark. This ensures the attack works correctly even when Istio redirects traffic through its Envoy proxy.
Only TCP traffic is affected. UDP and other protocols are not impacted by this attack.
Use Cases
Simulate abrupt connection resets from upstream or downstream services
Test client-side retry and reconnection logic under immediate connection failures
Verify circuit breaker behavior when connections are actively refused rather than timing out
Simulate firewall or load balancer dropping connections with RST
Parameters
Parameter
Description
Default
Fail on Host Network
Emit failure when the targeted container is using the host network
true
Duration
How long should TCP connections be reset?
30s
Hostname
Restrict to/from which hosts the traffic is affected
IP Address
Restrict to/from which IP addresses the traffic is affected
Ports
Restrict to/from which ports the traffic is affected
Network Interface
Target network interface to affect. All non-loopback if none specified
Attack
Go back to list
