Bad Packets

The INVALID state means that the connection-tracking code could not associate the packet with any known connection, or could not determine a state for it at all. This can happen for several reasons. The most common non-malicious causes are clients sending out-of-sequence packets and buggy or poorly implemented network stacks on the client.

Rarely, this can also occur if the system is running out of memory, or because of ICMP error messages that do not correspond to any known connection. Generally, it is a good idea to DROP everything in this state.

Malicious causes of INVALID packets include packets with invalid TCP flags, headers or checksums; out-of-sequence packets caused by sequence prediction or similar attacks; and invalid ICMP messages generated by other kinds of network attacks (for example, receiving an ICMP port unreachable message from a host that the system is not expecting any traffic from).

By default AP drops these packets. This both blocks non-malicious INVALID packets, which helps to prevent false positives caused by poorly implemented operating systems, and drops network-based attacks that rely on these techniques.
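Dropping INVALID packets silently makes it hard to tell a broken client from a probe. A practitioner usually puts a rate-limited LOG rule in front of the DROP and then sorts the logged packets into the causes listed above. The script below does that sorting. It is an added example, not part of this page or of AP's own code: the rule pair quoted in its docstring, the "INVALID: " log prefix and the category names are assumptions, and the sample log lines are constructed for the example.

```python
"""Sort packets that netfilter logged as INVALID into the causes described above.

Added example, not AP's own code.  It assumes a rule pair such as (assumed):

    iptables -A INPUT -m conntrack --ctstate INVALID \
        -m limit --limit 5/min -j LOG --log-prefix "INVALID: "
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

so that dropped packets appear in the kernel log with the prefix "INVALID: ".
"""
import re
from collections import Counter, defaultdict

LOG_PREFIX = "INVALID: "                       # assumed --log-prefix
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# ICMP error types: unreachable, source quench, redirect, time exceeded, parameter problem.
# One of these that matches no tracked connection is the "port unreachable from a
# stranger" case described above.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def parse_invalid_log(line):
    """Parse one LOG line into a dict of its KEY=VALUE fields, or None if not ours.

    An ICMP error carries the offending packet's header in [...] with its own
    SRC=/DST=, so only the first value of each key (the outer header) is kept.
    TCP flags are printed as bare tokens (e.g. "RES=0x00 SYN ACK URGP=0").
    """
    if LOG_PREFIX not in line:
        return None
    rec = {}
    for key, val in re.findall(r"\b([A-Z]+)=(\S*)", line):
        rec.setdefault(key, val)
    rec["FLAGS"] = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return rec


def classify(rec):
    """Map a parsed record onto the non-malicious and malicious causes above."""
    proto = rec.get("PROTO")
    if proto == "TCP":
        f = rec["FLAGS"]
        if not f:                                          # NULL probe: no flags at all
            return "bad-tcp-flags"
        if {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:     # impossible combinations
            return "bad-tcp-flags"
        if f & {"FIN", "PSH", "URG"} and not f & {"ACK", "SYN", "RST"}:
            return "bad-tcp-flags"                         # FIN / XMAS style probes
        if "ACK" in f and "SYN" not in f:
            # Segment for a flow conntrack does not know: stale client state,
            # an out-of-window segment, or a sequence-guessing attempt.
            return "unknown-connection"
        return "other-tcp"
    if proto == "ICMP":
        try:
            icmp_type = int(rec.get("TYPE", -1))
        except ValueError:
            return "other-icmp"
        return "unsolicited-icmp-error" if icmp_type in ICMP_ERROR_TYPES else "other-icmp"
    return "other"


def summarize(lines):
    """Count categories per source address; returns {src: Counter}."""
    per_src = defaultdict(Counter)
    for line in lines:
        rec = parse_invalid_log(line)
        if rec is not None:
            per_src[rec.get("SRC", "?")][classify(rec)] += 1
    return per_src


def probable_scanners(per_src, threshold=3):
    """Sources with `threshold` or more malformed-flag packets deserve a closer look."""
    return sorted(src for src, c in per_src.items() if c["bad-tcp-flags"] >= threshold)


# Constructed sample lines in iptables LOG format (not real log data).
SAMPLE_LOG = [
    "Mar  3 10:00:01 fw kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0",
    "Mar  3 10:00:01 fw kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 URGP=0",
    "Mar  3 10:00:02 fw kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0",
    "Mar  3 10:00:05 fw kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=31337 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0",
    "Mar  3 10:00:09 fw kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=4 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.51.100.10 DST=192.0.2.200 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5000 DPT=33434 LEN=36 ]",
    "Mar  3 10:00:10 fw sshd[1234]: Accepted publickey for ops from 192.0.2.77 port 51240 ssh2",
]

if __name__ == "__main__":
    per_src = summarize(SAMPLE_LOG)
    for src, counts in sorted(per_src.items()):
        print(src, dict(counts))
    print("probable scanners:", probable_scanners(per_src))
```

On the constructed sample, 203.0.113.5 shows three malformed-flag packets to three ports (SYN+FIN, no flags, FIN+PSH+URG) and is reported as a probable scanner; 192.0.2.77 sent a lone ACK for a connection the firewall no longer knows, the benign out-of-sequence case; and 192.0.2.200 sent an unsolicited port unreachable. Feed it `journalctl -k` or `/var/log/kern.log` output filtered for the prefix, and tune `threshold` to your traffic.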