TCP ACK-SYN flood
ACK and SYN flags together (AS preset, invalid_flag). Probes state machines that expect SYN-only during handshake initiation.
How it works
- Engarde preset: ACK-SYN Flood — flag AS, invalid_flag true.
- Not a normal handshake-initiation segment; parsers must classify it before allocating state.
- Deep-dive companion to the exotic preset catalog article.
Packet flow (illustrative)
Engarde node → Target: PSH + ACK (seq/ack set); PSH-ACK segment × N
Illustrative flow — not a live capture.
- Flag: AS
- Engarde preset: ACK-SYN Flood
- invalid_flag: true
What to watch in Engarde
- Half-open table anomalies vs. pure SYN test.
- IPS signatures referencing AS combos.
Running this simulation
Run the ACK-SYN preset from the predefined attacks; compare the results with the SYN and Invalid SYN reports.
Mitigation perspective
Drop non-RFC handshake segments at the edge; log AS-pattern hits for tuning.
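
An added example (not Engarde's code and not part of the original page) of the classify-before-allocate rule and the edge-drop mitigation: only a pure SYN may create a half-open entry, and a SYN+ACK is accepted only as the reply to a SYN this host sent. Function names, verdict labels and the sample traffic are constructed assumptions.

```python
import struct
from collections import Counter

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_header(sport, dport, flags, seq=1000, ack=0):
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def classify(header, flow, syn_sent, half_open):
    """Classify a segment from its flags BEFORE touching the half-open table.

    flow      -- (src_ip, src_port, dst_ip, dst_port) of the arriving segment
    syn_sent  -- flows where this host sent the SYN and awaits SYN+ACK
    half_open -- flows where a peer sent a SYN to one of our listeners
    """
    if len(header) < 20:
        return "drop_truncated"
    flags = header[13] & (FIN | SYN | RST | ACK)   # byte 13 holds the flag bits
    if flags == SYN:                               # the only segment that may open state
        half_open.add(flow)
        return "allocate_half_open"
    if flags == (SYN | ACK):
        # Legitimate only as the answer to our own SYN; otherwise unsolicited.
        return "accept_reply" if flow in syn_sent else "drop_unsolicited_as"
    if flags & SYN:                                # SYN+FIN, SYN+RST and similar
        return "drop_invalid_syn"
    return "lookup_established"

def run(segments, syn_sent):
    """Classify (flow, header) pairs; return verdict counts and table size."""
    half_open, verdicts = set(), Counter()
    for flow, header in segments:
        verdicts[classify(header, flow, syn_sent, half_open)] += 1
    return verdicts, len(half_open)

# Constructed sample traffic (documentation addresses, not a capture).
LISTENER = ("192.0.2.10", 443)
OUTBOUND = ("198.51.100.7", 80, "192.0.2.10", 40000)   # reply to a SYN we sent
SAMPLE = [(("203.0.113.5", 1024 + i) + LISTENER, build_header(1024 + i, 443, SYN | ACK))
          for i in range(5)]
SAMPLE.append((("203.0.113.9", 5555) + LISTENER, build_header(5555, 443, SYN)))
SAMPLE.append((OUTBOUND, build_header(80, 40000, SYN | ACK, ack=1)))
SAMPLE.append((("203.0.113.9", 5556) + LISTENER, build_header(5556, 443, SYN | FIN)))

if __name__ == "__main__":
    counts, table_size = run(SAMPLE, syn_sent={OUTBOUND})
    print(dict(counts), "half-open entries:", table_size)
```

The `drop_unsolicited_as` count is the AS-pattern hit counter to log for tuning; the half-open table size stays at one entry no matter how many AS segments arrive.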