Invalid SYN flood
SYN packets with deliberately malformed TCP headers (invalid_flag preset). Tests whether edge devices drop anomalies or spend CPU on deep inspection.
How it works
- Same SYN flag as a normal flood, but header fields/checksum violate expectations.
- Some stacks drop silently; others forward to slow paths or mis-track state.
- Engarde preset: Invalid SYN Flood (TCP / S, invalid_flag=true).
- Compare with standard SYN flood on the same port to see different mitigation triggers.
Packet flow (illustrative)
Engarde node → Target
→ TCP flags: F+P+U (Xmas)
→ ALL flags set (non-RFC)
Parser / IPS path stress
Illustrative flow — not a live capture.
Engarde preset: Invalid SYN Flood
Flag: S + invalid_flag
Layer: L4 parse
What to watch in Engarde
- Drop counters vs. SYN cookie activation, compared with the valid SYN test.
- Firewall logs for malformed TCP or checksum errors.
- Half-open table growth if packets are accepted.
Running this simulation
Select Invalid SYN Flood from the predefined attacks in Engarde DDoS. Run a short burst against a staging firewall VIP before production windows.
Mitigation perspective
Default-drop malformed TCP at the perimeter; validate that your scrubbing provider handles invalid_flag traffic the way your policy expects.
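The check a default-drop policy performs on each segment, and the reasons that would show up in firewall logs, as an added example (not Engarde code). The anomaly classes, function names and sample addresses are assumptions chosen for illustration; the page does not specify which fields invalid_flag alters.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_anomalies(src_ip: bytes, dst_ip: bytes, segment: bytes) -> list:
    """Return drop reasons for one IPv4 TCP segment (empty list = well-formed)."""
    if len(segment) < 20:
        return ["truncated_header"]
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset, flags = offset_flags >> 12, offset_flags & 0x3F
    reasons = []
    if data_offset < 5 or data_offset * 4 > len(segment):
        reasons.append("bad_data_offset")
    if flags == 0:
        reasons.append("null_flags")
    if (flags & SYN) and (flags & (FIN | RST)):
        reasons.append("syn_with_fin_or_rst")
    if (flags & XMAS) == XMAS:
        reasons.append("xmas_flags")
    # The checksum covers the IPv4 pseudo-header (src, dst, zero, proto 6, length).
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    if inet_checksum(pseudo + segment) != 0:
        reasons.append("bad_checksum")
    return reasons

def build_segment(src_ip, dst_ip, flags, checksum_ok=True):
    """Constructed 20-byte header used only as in-memory sample input."""
    hdr = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(hdr))
    csum = inet_checksum(pseudo + hdr)
    if not checksum_ok:
        csum ^= 0x0001  # flip one bit so verification fails
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # documentation ranges
    for name, fl in [("SYN", SYN), ("SYN+FIN", SYN | FIN), ("Xmas", XMAS), ("ALL", 0x3F)]:
        print(name, tcp_anomalies(src, dst, build_segment(src, dst, fl)))
```

Comparing the reasons returned for the invalid preset with the empty result for a plain SYN shows which rule, rather than SYN cookie logic, should be absorbing the traffic.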