# TCP Flag Combinations

| Flag Combination | Flags Set (Hex) | Purpose | IP+TCP Size (headers + payload) | Ethernet Frame Size | XDP Filtering Logic |
|------------------|-----------------|---------|---------------------------------|---------------------|---------------------|
| SYN | 0x02 | Initiates connection | 40-59 bytes | 64-77 bytes | Rate limit SYN packets per source IP to prevent floods. Drop if rate exceeds threshold. |
| SYN-ACK | 0x12 | Acknowledges SYN | 40-59 bytes | 64-77 bytes | Validate against recent SYN requests using eBPF maps. Drop if no matching SYN. |
| ACK | 0x10 | Acknowledges data | 40 bytes | 64 bytes | Allow for established connections. Rate limit to prevent ACK floods. |
| PSH-ACK | 0x18 | Pushes data | 40-1500 bytes | 64-1518 bytes | Allow for data transfer. Rate limit large packets to prevent floods. |
| FIN-ACK | 0x11 | Closes connection | 40 bytes | 64 bytes | Allow for connection closure. Drop if part of a FIN scan (no prior SYN). |
| RST | 0x04 | Resets connection | 40 bytes | 64 bytes | Allow for error handling. Drop if part of a reset attack (high rate from single IP). |
| NULL | 0x00 | Invalid (no flags) | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| XMAS | 0x29 (FIN+PSH+URG) | Probing attack | 40 bytes | 64 bytes | Drop immediately as invalid/malicious. |
| SYN-FIN | 0x03 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
| URG-ACK | 0x30 | Urgent data (rare) | 40 bytes | 64 bytes | Allow if rare, but monitor for anomalies. |
| ACK-PSH-URG | 0x38 | Data with urgent flag | 40-1500 bytes | 64-1518 bytes | Allow for specific use cases, but rate limit to prevent abuse. |
| SYN-RST | 0x06 | Invalid combination | 40 bytes | 64 bytes | Drop immediately as invalid. |
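The table's "XDP Filtering Logic" column is a policy keyed on the TCP flag byte, and an XDP program can only read that byte after walking Ethernet, IPv4 and TCP headers with explicit bounds checks. The following plain C program, an added example that is not code from this repository, applies the table's verdicts to a raw frame with exactly that parsing discipline, so the same functions could be dropped into an XDP program body. The verdict names (`V_DROP`, `V_RATE_LIMIT`, `V_VALIDATE_SYN`, `V_MONITOR`, `V_MALFORMED`) are this example's own rather than XDP's `XDP_PASS`/`XDP_DROP`; the per-source rate limiter and the eBPF-map SYN-state lookup the table calls for are represented only by those verdicts, not implemented; non-IPv4 and non-TCP traffic passing through, and the `V_MONITOR` default for combinations the table does not list, are assumptions; the sample frame uses constructed documentation addresses 192.0.2.1 and 192.0.2.2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as they appear in the flags byte (offset 13 of the TCP header). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

/* Verdict names are this example's own (assumption), not XDP's XDP_PASS/XDP_DROP.
 * V_RATE_LIMIT and V_VALIDATE_SYN stand in for the rate limiter and eBPF-map
 * state lookup the table calls for; neither is implemented here. */
enum verdict {
    V_DROP = 0,      /* invalid or malicious combination: drop unconditionally */
    V_PASS,          /* allow */
    V_RATE_LIMIT,    /* allow, subject to a per-source rate limit */
    V_VALIDATE_SYN,  /* allow only if state shows a matching prior SYN */
    V_MONITOR,       /* allow, but record for anomaly monitoring */
    V_MALFORMED      /* headers could not be parsed within bounds: drop */
};

/* Apply the table's per-combination policy to the six classic flag bits. */
enum verdict classify_flags(uint8_t flags)
{
    switch (flags & 0x3f) {
    case 0:                           return V_DROP;         /* NULL    0x00 */
    case TCP_FIN | TCP_PSH | TCP_URG: return V_DROP;         /* XMAS    0x29 */
    case TCP_SYN | TCP_FIN:           return V_DROP;         /* SYN-FIN 0x03 */
    case TCP_SYN | TCP_RST:           return V_DROP;         /* SYN-RST 0x06 */
    case TCP_SYN:                     return V_RATE_LIMIT;   /* SYN     0x02 */
    case TCP_SYN | TCP_ACK:           return V_VALIDATE_SYN; /* SYN-ACK 0x12 */
    case TCP_ACK:                     return V_RATE_LIMIT;   /* ACK     0x10 */
    case TCP_PSH | TCP_ACK:           return V_RATE_LIMIT;   /* PSH-ACK 0x18 */
    case TCP_FIN | TCP_ACK:           return V_VALIDATE_SYN; /* FIN-ACK 0x11: drop if no prior SYN */
    case TCP_RST:                     return V_RATE_LIMIT;   /* RST     0x04 */
    case TCP_URG | TCP_ACK:           return V_MONITOR;      /* URG-ACK 0x30 */
    case TCP_ACK | TCP_PSH | TCP_URG: return V_RATE_LIMIT;   /* 0x38 */
    default:                          return V_MONITOR;      /* not in the table: assumption */
    }
}

/* Walk Ethernet -> IPv4 -> TCP, checking bounds before every header access,
 * the same discipline the eBPF verifier enforces on XDP data/data_end pointers. */
enum verdict classify_frame(const uint8_t *data, size_t len)
{
    size_t off = 14;                                            /* Ethernet header */
    if (len < off) return V_MALFORMED;
    if (((data[12] << 8) | data[13]) != 0x0800) return V_PASS;  /* not IPv4: assumption */
    if (len < off + 20) return V_MALFORMED;
    const uint8_t *ip = data + off;
    if ((ip[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                    /* IPv4 options included */
    if (ihl < 20 || len < off + ihl) return V_MALFORMED;
    if (ip[9] != 6) return V_PASS;                              /* not TCP: assumption */
    off += ihl;
    if (len < off + 20) return V_MALFORMED;
    const uint8_t *tcp = data + off;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                   /* TCP options included */
    if (doff < 20 || len < off + doff) return V_MALFORMED;
    return classify_flags(tcp[13]);
}

/* Constructed sample: a 54-byte frame (14 + 20 + 20, no options, no payload)
 * between documentation addresses 192.0.2.1 and 192.0.2.2 carrying `flags`. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t flags)
{
    if (cap < 54) return 0;
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;     /* v4/IHL 5, total len 40, TTL, TCP */
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    uint8_t *tcp = ip + 20;
    tcp[2] = 0x1f; tcp[3] = 0x90;                        /* dst port 8080 */
    tcp[12] = 0x50;                                      /* data offset 5 (20 bytes) */
    tcp[13] = flags;
    return 54;
}

/* Build a frame with `flags` and classify only its first `len` bytes (capped
 * at the frame size), so a truncated frame exercises the bounds checks. */
enum verdict verdict_for_frame(uint8_t flags, size_t len)
{
    uint8_t buf[64];
    size_t n = build_frame(buf, sizeof buf, flags);
    return classify_frame(buf, len < n ? len : n);
}

int main(void)
{
    static const char *names[] = {"DROP", "PASS", "RATE_LIMIT", "VALIDATE_SYN",
                                  "MONITOR", "MALFORMED"};
    const uint8_t combos[] = {0x02, 0x12, 0x10, 0x18, 0x11, 0x04,
                              0x00, 0x29, 0x03, 0x30, 0x38, 0x06};
    for (size_t i = 0; i < sizeof combos; i++)
        printf("flags 0x%02x -> %s\n", combos[i], names[verdict_for_frame(combos[i], 54)]);
    printf("flags 0x02 truncated to 40 bytes -> %s\n", names[verdict_for_frame(0x02, 40)]);
    return 0;
}
```

Two points carry over directly to a real XDP program: the flag byte is masked to the six classic bits so that ECN's CWR/ECE bits (0x80/0x40) do not push legitimate SYNs into the `default` case, and every length test happens before the corresponding header byte is read, which is what lets the eBPF verifier prove the program never reads past the packet.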