TCP URG flood
Urgent-pointer (URG) flag floods and URG-heavy combo presets. Legacy stacks and deep-inspection engines may handle URG differently than modern Linux does.
How it works
- Standalone preset: URG Flood (flag URG, invalid_flag true).
- Many combos in the library start with URG (UA, US, UARS, UAPRSF, etc.).
- Tests urgent-pointer parsing paths rarely exercised by production traffic.
Packet flow (illustrative)
Engarde node  →  Target : PSH + ACK, seq/ack set
Engarde node  →  Target : PSH-ACK segment × N
Illustrative flow — not a live capture.
Base preset: URG Flood
Related: UA, US, UAPRSF…
Layer: L4
What to watch in Engarde
- Out-of-band handling differences across OS versions.
- IPS CPU when URG combos match legacy rules.
Running this simulation
Start with URG Flood preset, then spot-check one URG combo (e.g. URG-ACK Flood) from the catalog.
Mitigation perspective
Modern best practice is often to strip or drop URG; confirm with simulation on your appliance OS.
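As an added example (not Engarde's code), a defender-side checker that decodes raw TCP headers, names flag combinations in the catalog's U-A-P-R-S-F order, counts URG-bearing segments against a threshold for the "what to watch" points, and applies the strip-URG normalization from the mitigation note. Sample headers are constructed inline; port and sequence values are arbitrary.

```python
# Added example: URG flood indicators and URG stripping over raw TCP headers.
import struct
from collections import Counter

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
CATALOG_ORDER = "UAPRSF"  # order used by combo names such as UA, US, UARS, UAPRSF
TCP_HDR = "!HHIIHHHH"     # fixed 20-byte header: ports, seq, ack, off/flags, win, csum, urgptr

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed header; options are not needed for flags or urgent pointer."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, urg_ptr = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x003F, "urg_ptr": urg_ptr}

def combo_name(flags: int) -> str:
    """Render flags as a catalog-style string, e.g. URG|ACK -> 'UA'."""
    return "".join(c for c in CATALOG_ORDER if flags & FLAG_BITS[c])

def urg_flood_indicators(segments, threshold: int) -> dict:
    """Count URG-bearing segments per combo and alert once they reach threshold.
    URG with a zero urgent pointer is tallied separately: it points at no data,
    and stacks differ in whether they still take the out-of-band path."""
    combos, zero_ptr = Counter(), 0
    for raw in segments:
        hdr = parse_tcp_header(raw)
        if hdr["flags"] & FLAG_BITS["U"]:
            combos[combo_name(hdr["flags"])] += 1
            zero_ptr += 1 if hdr["urg_ptr"] == 0 else 0
    total = sum(combos.values())
    return {"urg_segments": total, "by_combo": dict(combos),
            "urg_zero_ptr": zero_ptr, "alert": total >= threshold}

def strip_urg(raw: bytes) -> bytes:
    """Normalization from the mitigation note: clear URG and zero the urgent pointer.
    The TCP checksum is left for the forwarding device to recompute."""
    fields = list(struct.unpack(TCP_HDR, raw[:20]))
    fields[4] &= ~FLAG_BITS["U"]   # data offset/flags word
    fields[7] = 0                  # urgent pointer
    return struct.pack(TCP_HDR, *fields) + raw[20:]

def make_segment(flags: int, urg_ptr: int = 0) -> bytes:
    """Constructed sample header; port and sequence values are arbitrary."""
    return struct.pack(TCP_HDR, 40000, 80, 1, 0, (5 << 12) | flags, 65535, 0, urg_ptr)

# Constructed burst: six URG-ACK, two UAPRSF with a pointer set, three plain PSH-ACK.
SAMPLE = [make_segment(0x30)] * 6 + [make_segment(0x3F, 1)] * 2 + [make_segment(0x18)] * 3
```

Run `urg_flood_indicators(SAMPLE, threshold=5)` to see the per-combo breakdown and the alert; the same combo naming can be matched against the catalog list when reviewing IPS rule hits.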