(If the author is reading this: bad formatting for fin: and acknumdiff: )<p>Once again a discussion that covers RST injection attacks fails to consider the one case I actually saw in the wild ...<p>My observation involved long-lived (much longer than typical for HTTP) TCP connections with low-but-nonzero traffic (there was an application-layer heartbeat). For at least some US residential IPs (some with effectively static allocation) connected to a datacenter, they would <i>reliably</i> get RST injected (to the client only, not the server) after being connected long enough (usually a couple hours, but not any obvious pattern).