From what I read in the IOS Security Configuration Guide, I understand the general concept of TCP interception, but I still don't get the complete picture:
Assume a machine is under a DDoS attack by SYN flooding, so TCP Intercept starts to answer the spoofed SYN requests. Since this uses CPU and memory on the firewall, the DDoS is now against the firewall instead of the server.
The CG states that there is a limit of 1100 connections; after that the oldest embryonic connection gets dropped (which is tunable, both the number and the mode).
Doesn't this mean that a proper TCP SYN request (which is still embryonic) may be dropped due to a large number of bogus SYN requests? Even when the drop mode is set to random?
1100 embryonic connections (the default value) seems to be a number of embryonic connections that can be reached under real-life conditions - or am I wrong here?
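The eviction behaviour the question asks about can be modelled directly. The following is an added example, not Cisco IOS code and not from the configuration guide: it simulates the embryonic-connection table TCP Intercept keeps while answering SYNs, with the 1100-entry limit and the "oldest" and "random" drop modes taken from the post. The traffic model is constructed: each legitimate client's SYN is followed by a burst of `flood_per_rtt` bogus SYNs before its final ACK arrives, which stands in for one round-trip time under flood. Class and function names are the example's own.

```python
import random
from collections import OrderedDict

# Default ceiling on half-open (embryonic) entries, as stated in the question.
INTERCEPT_MAX_INCOMPLETE = 1100


class InterceptTable:
    """Hypothetical model of the half-open connection table an intercepting
    device keeps while it completes handshakes on the server's behalf."""

    def __init__(self, max_incomplete=INTERCEPT_MAX_INCOMPLETE,
                 drop_mode="oldest", rng=None):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.max_incomplete = max_incomplete
        self.drop_mode = drop_mode
        self.rng = rng or random.Random(0)
        # key -> True for a legitimate client, False for a spoofed SYN.
        # Insertion order doubles as age (oldest first).
        self.table = OrderedDict()
        self.dropped_legit = 0
        self.dropped_bogus = 0

    def add_syn(self, key, legitimate):
        """A SYN arrived; the device answers it and records a half-open entry,
        evicting one existing entry first if the table is already full."""
        if len(self.table) >= self.max_incomplete:
            self._evict()
        self.table[key] = legitimate

    def _evict(self):
        if self.drop_mode == "oldest":
            victim = next(iter(self.table))
        else:
            victim = self.rng.choice(list(self.table))
        if self.table.pop(victim):
            self.dropped_legit += 1
        else:
            self.dropped_bogus += 1

    def complete(self, key):
        """The client's final ACK arrived. Returns False if the half-open entry
        was already evicted, meaning the genuine client lost its connection."""
        return self.table.pop(key, None) is not None


def simulate(drop_mode, flood_per_rtt, legit_clients=100, seed=1):
    """Count how many legitimate clients lose their handshake when each one's
    SYN is followed by `flood_per_rtt` spoofed SYNs before its ACK arrives.
    Constructed traffic model; returns the number of lost legitimate clients."""
    table = InterceptTable(drop_mode=drop_mode, rng=random.Random(seed))
    lost = 0
    bogus_id = 0
    for client in range(legit_clients):
        key = ("legit", client)
        table.add_syn(key, legitimate=True)
        for _ in range(flood_per_rtt):
            table.add_syn(("bogus", bogus_id), legitimate=False)
            bogus_id += 1
        if not table.complete(key):
            lost += 1
    return lost


if __name__ == "__main__":
    for mode in ("oldest", "random"):
        for flood in (500, 1100, 2000):
            print(f"drop_mode={mode:6s} flood_per_rtt={flood:5d} "
                  f"lost_legit_clients={simulate(mode, flood)}")
```

With "oldest" drop, a genuine half-open entry survives only while fewer than 1100 newer SYNs arrive during its round trip; once the flood rate per RTT reaches the table size, every legitimate client is evicted before its ACK can land. Switching to "random" drop spreads the evictions over bogus and genuine entries alike, so a fraction of genuine clients (roughly e^-1 when the per-RTT flood equals the table size) still get through, but it does not prevent losses. The simulation also shows why the default ceiling matters: the table is full at the first full RTT of flood, which is why tuning the limit and the drop mode is part of deploying the feature.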