Need to confirm some ASA concepts below.
1. For ASA half-formed connections, the 3-way TCP handshake is never completed, and it can cause a TCP SYN flood attack, right?
2. To control the limit of half-formed connections in ASA, we can put the config below in the policy map:
set connection conn-max 500 embryonic-conn-max 50
Here 50 is the limit for half-formed connections in ASA, right?
A TCP SYN flood itself is a bunch of half-open connections.
1. Yep, a half-open TCP connection is when the initiator sends a TCP SYN, the responder answers with a SYN-ACK and waits for the final ACK, but that ACK never arrives. A TCP SYN flood attack is when an attacker floods a server with TCP SYN packets, causing denial of service.
2. Regarding your example, yes, 50 is the limit. Until that limit the ASA just keeps those half-open connections in the state table. But, as soon as the number of half-open connections grows over that number (50 in this case), the ASA starts working in TCP-intercept mode, which means that it acts as a proxy for the server and generates a SYN-ACK response to the initiator's SYN request. When the ASA receives an ACK back from the client, it will allow the connection to the server. So the server itself will never run out of space in its input SYN queue.
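For context on where that `set connection` line lives, here is a complete ASA Modular Policy Framework configuration that applies the embryonic limit to one protected server. This is an added example, not configuration from the original post; the access-list, class-map and policy-map names, the `outside` interface name and the 192.0.2.10 server address are assumptions chosen for illustration.

```cisco
! Constructed example: web server 192.0.2.10 reached through the "outside" interface
! Match only TCP traffic destined for the protected server
access-list WEB_SERVER extended permit tcp any host 192.0.2.10 eq 80
!
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER
!
policy-map WEB_SERVER_POLICY
 class WEB_SERVER_CLASS
  ! Up to 500 total connections; once more than 50 embryonic (half-open)
  ! connections exist, the ASA switches to TCP intercept and answers the
  ! client SYN with its own SYN-ACK instead of forwarding it to the server
  set connection conn-max 500 embryonic-conn-max 50
  ! Age out half-open entries that never complete (0:00:30 is the ASA default)
  set connection timeout embryonic 0:00:30
!
! Apply the policy on the interface where the client SYNs arrive
service-policy WEB_SERVER_POLICY interface outside
!
! Verification (exec mode): per-class counters, including embryonic limit hits
show service-policy interface outside
! Current connection table, including half-open entries
show conn
```

The value to watch is the embryonic counter reported by `show service-policy`: if it sits at the limit while legitimate clients still complete their handshakes, intercept mode is doing its job; if `conn-max` is also reached, legitimate connections start being refused and the limits need revisiting.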