TCP RST-SYN flood
RST and SYN together (RS preset) — contradictory signals that confuse session tracking and teardown logic.
How it works
- Engarde preset: RST-SYN Flood — flag RS, invalid_flag true.
- Useful for testing state cleanup when contradictory flags arrive at high PPS.
- Related presets: RSF (RST-SYN-FIN), ARS (ACK-RST-SYN).
Packet flow (illustrative)
Engarde node → Target: PSH + ACK (seq/ack set), PSH-ACK segment × N
Illustrative flow — not a live capture.
- Flag: RS
- Engarde: RST-SYN Flood
- Layer: L4 state
What to watch in Engarde
- Session table churn rate.
- Legitimate SYN drops during RS flood if state is polluted.
Running this simulation
Run the RS preset against a firewall in a lab, then compare recovery time after End test with a SYN-only baseline.
Mitigation perspective
Stateful devices should drop RS combos early; verify with Engarde report timestamps.
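One way to express the early drop described above, as an added example (not Engarde's code or any vendor's implementation). The session table, function names and sample packets are constructed for illustration; the check runs before any session lookup, so RS, RSF and ARS segments cannot create or tear down state.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header for the sample (checksum left at 0)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)

def parse_flags(header):
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]  # bit order: CWR ECE URG ACK PSH RST SYN FIN

def is_rst_syn(flags):
    """True for any combination carrying both RST and SYN (RS, RSF, ARS)."""
    return (flags & (SYN | RST)) == (SYN | RST)

def process(packets, sessions):
    """Validate flags before any session lookup, then track SYN/RST."""
    stats = {"dropped_invalid": 0, "created": 0, "torn_down": 0}
    for src, header in packets:
        flags = parse_flags(header)
        if is_rst_syn(flags):
            stats["dropped_invalid"] += 1  # never reaches the session table
            continue
        sport, dport = struct.unpack("!HH", header[:4])
        key = (src, sport, dport)
        if flags & RST:
            if key in sessions:
                sessions.discard(key)
                stats["torn_down"] += 1
        elif flags & SYN and key not in sessions:
            sessions.add(key)
            stats["created"] += 1
    return stats

def demo():
    # Constructed traffic: one legitimate SYN, then RS / RSF / ARS on the same tuple.
    src = "192.0.2.10"
    packets = [(src, build_tcp_header(40000, 443, f))
               for f in (SYN, RST | SYN, RST | SYN | FIN, ACK | RST | SYN)]
    sessions = set()
    return process(packets, sessions), sessions

if __name__ == "__main__":
    print(demo())
```

With the check in place, the legitimate session from the first SYN survives all three contradictory segments and the drop counter accounts for each of them.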