Approaches for preventing TCP data injection attacks in packet-switched networks are disclosed. An ACK message or dummy segment is sent to verify the authenticity of the data in the re-assembly buffer, and to help discard spurious data faster. These approaches involve the sender in detection of spurious data, and make improved use of mechanisms for processing ACK messages that are native to typical TCP implementations. The latter approach may be implemented without modification of the sender's TCP implementation. Further, the receiver's TCP implementation maintains compatibility with RFC 793.