Exotic TCP flag preset library
Engarde includes 30+ predefined multi-flag TCP floods (URG combinations, ACK-SYN, PSH-RST-FIN, etc.) — all invalid_flag presets from the attack library.
How it works
- ACK-PSH (AP), URG, ACK-SYN (AS), PSH-SYN (PS), PSH-RST (PR), PSH-RST-FIN (PRF).
- PSH-SYN-FIN (PSF), URG-PSH (UP), URG-ACK (UA), URG-RST (UR), URG-RST-FIN (URF).
- URG-SYN (US), URG-SYN-FIN (USF), RST-SYN (RS), ACK-RST (AR), ACK-PSH-FIN (APF).
- ACK-PSH-RST-FIN (APRF), ACK-RST-FIN (ARF), ACK-PSH-RST-SYN-FIN (APRSF), ACK-PSH-RST-SYN (APRS).
- ACK-RST-SYN (ARS), ACK-PSH-SYN-FIN (APSF), ACK-RST-SYN-FIN (ARSF), URG-ACK-RST-SYN (UARS).
- URG-ACK-PSH-SYN (UAPS), URG-ACK-PSH-RST-SYN (UAPRS), URG-ACK-PSH-RST-SYN-FIN (UAPRSF).
- URG-PSH-RST-SYN (UPRS), URG-PSH-RST-SYN-FIN (UPRSF), URG-ACK-SYN-FIN (UASF), URG-ACK-PSH-FIN (UAPF).
- URG-ACK-RST (UAR), RST-SYN-FIN (RSF), PSH-RST-SYN (PRS) — each available as a named Engarde preset.
Packet flow (illustrative)
Diagram: Engarde node → Target, PSH + ACK segments (seq/ack set) × N. Illustrative flow, not a live capture.
- Preset count: 30+ combos
- Engarde: Predefined attacks list
- Typical use: IPS regression
What to watch in Engarde
- Which presets generate alerts vs. silent drops on your IPS.
- Batch testing: group URG-heavy presets vs. SYN-heavy combos in separate reports.
- Firmware upgrade regression — re-run favorite exotic presets quarterly.
Running this simulation
Open the predefined attacks list in Engarde DDoS and filter for TCP invalid_flag presets. For deep dives, see the ACK-SYN, URG, APRSF, UAPRSF and RST-SYN articles. Schedule a matrix test across your top five exotic combos before major firewall upgrades.
Mitigation perspective
Maintain an allow/deny matrix for exotic flags; Engarde simulation proves the matrix matches reality.
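A starting allow/deny matrix for the presets listed above, as an added example that is not Engarde's code. The header-only policy rules and all function names are assumptions made for illustration; the output separates presets a flag-sanity rule can deny from those the flag-only rules let through, which need connection state or rate limits to judge.

```python
# TCP flag bits in header byte 13 (RFC 9293); ECE/CWR are masked off below
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LETTER = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}

# Preset abbreviations as listed on the page
PRESETS = ("AP U AS PS PR PRF PSF UP UA UR URF US USF RS AR APF APRF ARF "
           "APRSF APRS ARS APSF ARSF UARS UAPS UAPRS UAPRSF UPRS UPRSF "
           "UASF UAPF UAR RSF PRS").split()

def flags_from_abbr(abbr):
    """Turn a preset abbreviation such as 'APRSF' into the flag byte."""
    value = 0
    for letter in abbr:
        value |= LETTER[letter]
    return value

def flags_from_header(tcp_header):
    """Read the six classic flag bits from a raw TCP header."""
    if len(tcp_header) < 14:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & 0x3F

def stateless_verdict(flags):
    """Return the deny reason, or None if the header-only policy allows it.
    Constructed sample policy (assumption), not Engarde's or a vendor's rules."""
    flags &= 0x3F
    if flags == 0:
        return "no flags"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & FIN and flags & RST:
        return "FIN+RST"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "FIN/PSH/URG without ACK"
    return None

def build_matrix(presets=PRESETS):
    """Map each preset to the verdict expected from a flag-only rule set."""
    return {p: stateless_verdict(flags_from_abbr(p)) for p in presets}

def needs_stateful_check(matrix):
    """Presets the flag-only rules allow; connection state must judge them."""
    return sorted(p for p, reason in matrix.items() if reason is None)

if __name__ == "__main__":
    for preset, reason in build_matrix().items():
        print(f"{preset:7} {'deny: ' + reason if reason else 'allow (stateful check)'}")
```

Compare each preset's alert or drop result from the IPS with its matrix entry; a mismatch is the regression to investigate.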