ASA half form connections concept

Answered Question
Jul 21st, 2013
Hi Everyone,

Need to confirm some ASA concepts below.

1> For ASA half form connections the 3 way TCP handshake is never completed and it can cause TCP SYN flood attack right?

2> To control the limit of half form connections in ASA we can put config below in policy map

set connection conn-max 500 embryonic-conn-max 50

Here 50 is limit for half form connections in ASA right?

Regards

Mahesh

Correct Answer
Andrew Phirsov Sun, 07/21/2013 - 08:46

Hi.

1. Yep, half-open TCP connection is when initiator sends TCP SYN, responder answers with SYN-ACK and waits for the final ACK, but that ACK never arrives. TCP SYN flood attack is when attacker floods server with TCP SYN packets, causing denial of service.

2. Regarding your example, yes, 50 is the limit. Until that limit ASA just keeps those half-open connections in the state table. But, as soon as the number of half-open connections grows over that number (50 in this case) ASA starts working in the TCP-intercept mode, which means that it acts as a proxy for the server and generates a SYN-ACK response to the initiator SYN request. When the ASA receives an ACK back from the client, it will allow the connection to the server. So the server itself will never run out of space in its input SYN-queue.
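To make the two regimes Andrew describes concrete, here is a small added model (not Cisco's code, and not from the thread) of what the ASA does with each SYN and ACK against the thread's limits of conn-max 500 and embryonic-conn-max 50: below the embryonic limit the SYN is forwarded and tracked as half-open; at the limit the ASA answers the SYN-ACK itself and only talks to the server once the client's final ACK arrives. Flow identifiers and the flood in simulate_syn_flood are constructed sample input.

```python
from dataclasses import dataclass, field

# Constructed limits mirroring the thread's policy-map line:
# "set connection conn-max 500 embryonic-conn-max 50"
CONN_MAX = 500
EMBRYONIC_CONN_MAX = 50

@dataclass
class AsaModel:
    conn_max: int = CONN_MAX
    embryonic_max: int = EMBRYONIC_CONN_MAX
    half_open: set = field(default_factory=set)    # SYN forwarded to server, final ACK pending
    intercepted: set = field(default_factory=set)  # ASA answered SYN-ACK itself, server unaware
    established: set = field(default_factory=set)

    def _total(self) -> int:
        return len(self.half_open) + len(self.intercepted) + len(self.established)

    def client_syn(self, flow) -> str:
        """A client SYN arrives; flow is any hashable (src ip, src port) tuple."""
        if self._total() >= self.conn_max:
            return "drop: conn-max reached"
        if len(self.half_open) < self.embryonic_max:
            # Below embryonic-conn-max: forward the SYN and hold a half-open entry.
            self.half_open.add(flow)
            return "forward SYN to server"
        # Limit reached: TCP intercept. ASA sends SYN-ACK; the server never sees this SYN.
        self.intercepted.add(flow)
        return "intercept: ASA sends SYN-ACK"

    def client_ack(self, flow) -> str:
        if flow in self.half_open:
            self.half_open.remove(flow)
            self.established.add(flow)
            return "established"
        if flow in self.intercepted:
            # Client finished the handshake with the ASA, so it is real; now open it to the server.
            self.intercepted.remove(flow)
            self.established.add(flow)
            return "established via intercept: ASA now completes handshake with server"
        return "drop: no matching embryonic entry"

def simulate_syn_flood(n_syns: int, embryonic_max: int = EMBRYONIC_CONN_MAX) -> dict:
    """Constructed flood: n_syns SYNs and no ACKs; the server's SYN queue stays capped."""
    asa = AsaModel(embryonic_max=embryonic_max)
    results = [asa.client_syn(("198.51.100.1", 40000 + i)) for i in range(n_syns)]
    return {"forwarded": results.count("forward SYN to server"),
            "intercepted": sum(r.startswith("intercept") for r in results),
            "server_syn_queue": len(asa.half_open)}
```

With 200 SYNs and no ACKs, only the first 50 reach the server; the remaining 150 are held by the ASA, so the server's SYN queue never grows past the embryonic limit.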

mahesh18 Sun, 07/21/2013 - 08:56

Hi Andrew,

You explained it very well. One last thing on this: can half form connections cause the TCP SYN flood attack?

Regards

Mahesh

Correct Answer
Andrew Phirsov Tue, 07/23/2013 - 03:24

TCP synflood itself is a bunch of half open connections.

mahesh18 Tue, 07/23/2013 - 07:24

Hi Andrew,

Many thanks for answering, learned something new today.

Best regards

Mahesh
