Malformed & exotic TCP flag floods
Invalid or rare TCP flag combinations (Xmas, ALL flags, URG-ACK-RST-SYN-FIN, etc.) probe how filters handle non-RFC-compliant packets.
How it works
- Packets set unusual flag combinations not seen in normal traffic.
- Some devices drop these packets silently; others spend expensive processing on them or misclassify them.
- Engarde includes many predefined invalid-flag presets from the attack library.
- Helps find IPS/FW gaps that volumetric tests miss.
Packet flow (illustrative)
- Engarde node → Target: TCP flags F+P+U (Xmas)
- Engarde node → Target: ALL flags set (non-RFC)
- Target: parser / IPS path stress
Illustrative flow, not a live capture.
- Examples: Xmas, ALL, URG combos
- Engarde: invalid_flag presets
- Layer: L4 parse path
What to watch in Engarde
- Drop vs. forward behavior on each protection layer.
- Malformed-TCP counters increasing in the logs.
Running this simulation
Choose invalid-flag TCP presets in Engarde (e.g. Xmas, ALL TCP Flags). Run on lab/staging targets first.
Mitigation perspective
Default-drop malformed TCP at edge; align scrubbing provider rules with your policy.
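A default-drop policy for the flag combinations named above can be written as a small classifier that also produces the per-reason counters worth watching; this is an added example, not Engarde code or its preset definitions. The rule set is an assumed edge policy built from commonly used heuristics, and `make_header` and the sample headers are constructed for illustration.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX = 0x3F  # the six classic flag bits; ECE/CWR are ignored in this sketch

# Assumed edge policy (not Engarde's preset list). First match names the drop reason.
RULES = [
    ("null",       lambda f: f == 0),
    ("all_flags",  lambda f: f == SIX),
    ("xmas",       lambda f: f == (FIN | PSH | URG)),
    ("syn_fin",    lambda f: (f & (SYN | FIN)) == (SYN | FIN)),
    ("syn_rst",    lambda f: (f & (SYN | RST)) == (SYN | RST)),
    ("fin_rst",    lambda f: (f & (FIN | RST)) == (FIN | RST)),
    ("fin_no_ack", lambda f: (f & (FIN | ACK)) == FIN),
    ("urg_no_ack", lambda f: (f & (URG | ACK)) == URG),
]

def classify(tcp_header: bytes) -> str:
    """Return 'pass' or the drop reason for one raw TCP header."""
    if len(tcp_header) < 20:
        return "truncated"            # shorter than the fixed TCP header
    if (tcp_header[12] >> 4) < 5:
        return "bad_data_offset"      # data offset below 5 words is invalid
    flags = tcp_header[13] & SIX      # flags live in byte 13 of the header
    for reason, matches in RULES:
        if matches(flags):
            return reason
    return "pass"

def tally(headers) -> Counter:
    """Per-reason counters, the kind of 'malformed TCP' metric to monitor."""
    return Counter(classify(h) for h in headers)

def make_header(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 20-byte TCP header (data offset 5, no options, zero checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample traffic: four normal segments, four malformed ones.
SAMPLES = [make_header(f) for f in (
    SYN, SYN | ACK, ACK, FIN | ACK,
    FIN | PSH | URG, SIX, URG | ACK | RST | SYN | FIN, 0,
)]

if __name__ == "__main__":
    for reason, count in sorted(tally(SAMPLES).items()):
        print(f"{reason:12} {count}")
```
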