TCP Xmas flood
Classic Xmas scan style: FIN, PSH, and URG flags set together (FPU). Probes how filters classify “lit up” Christmas tree packets at high PPS.
How it works
- Engarde Xmas Flood preset uses TCP flag FPU with invalid_flag=true.
- Historically used in port scanning; at flood rates it stresses parse and classify logic.
- Distinct from ALL TCP Flags (FPU without invalid_flag) — compare both presets.
- Often dropped by modern stacks; simulation confirms your path behavior.
Packet flow (illustrative)
Engarde node → Target: Xmas tree packet (FIN + PSH + URG, FPU) × N
Illustrative flow, not a live capture.
- Flags: F + P + U (FPU)
- Engarde: Xmas Flood
- invalid_flag: true
What to watch in Engarde
- Drop vs. forward ratio on each hop.
- IDS rules referencing Xmas or FPU patterns.
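The flag check behind an IDS rule for Xmas/FPU patterns can be sketched in Python. This is an added example, not Engarde code or any IDS's rule syntax. It reads the TCP flags byte from raw IPv4 packets, separates exact FIN+PSH+URG from packets that carry FPU plus other flag bits, and counts exact-Xmas packets per source. The packet bytes, addresses, threshold and function names are constructed for illustration.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG          # the FPU combination described above
SIX_FLAGS = 0x3F                # mask for the six classic TCP flag bits

def classify(packet: bytes) -> tuple[str, str]:
    """Return (source_ip, label) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("?", "not-ipv4")
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    src = ".".join(str(b) for b in packet[12:16])
    if ihl < 20 or packet[9] != 6:          # protocol 6 = TCP
        return (src, "not-tcp")
    if len(packet) < ihl + 14:              # flags byte is at TCP offset 13
        return (src, "truncated")
    flags = packet[ihl + 13] & SIX_FLAGS
    if flags == XMAS:
        return (src, "xmas")                # exactly FIN+PSH+URG
    if flags & XMAS == XMAS:
        return (src, "xmas-superset")       # FPU plus other flag bits
    return (src, "other")

def xmas_sources(packets, threshold):
    """Sources with at least `threshold` exact-Xmas packets in the batch."""
    hits = Counter(src for src, label in map(classify, packets) if label == "xmas")
    return {src: n for src, n in hits.items() if n >= threshold}

def build_sample(src: str, flags: int) -> bytes:
    """Constructed test input: minimal IPv4+TCP header bytes (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed batch: one source sending Xmas packets, one sending SYNs,
# and one packet with all six flag bits set.
SAMPLE = ([build_sample("198.51.100.7", XMAS)] * 5
          + [build_sample("198.51.100.8", SYN)] * 3
          + [build_sample("198.51.100.9", 0x3F)])

if __name__ == "__main__":
    print(xmas_sources(SAMPLE, threshold=3))
```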
Running this simulation
Run the Xmas Flood preset against a lab target; pair it with the ALL TCP Flags preset report for contrast.
Mitigation perspective
Add an explicit deny for Xmas/FPU flag combinations at the edge; document exceptions for legacy apps, if any.