ASA half form connections concept

mahesh18
Level 6

Hi Everyone,

Need to confirm some ASA concepts below.

1> For ASA half form connections the 3-way TCP handshake is never completed, and it can cause a TCP SYN flood attack, right?

2> To control the limit of half form connections in ASA we can put the config below in the policy map:

set connection conn-max 500 embryonic-conn-max 50

Here 50 is the limit for half form connections in ASA, right?

Regards

Mahesh

4 Replies

Andrew Phirsov
Level 7

Hi.

1. Yep, a half-open TCP connection is when the initiator sends a TCP SYN, the responder answers with SYN-ACK and waits for the final ACK, but that ACK never arrives. A TCP SYN flood attack is when an attacker floods a server with TCP SYN packets, causing denial of service.

2. Regarding your example, yes, 50 is the limit. Until that limit the ASA just keeps those half-open connections in the state table. But, as soon as the number of half-open connections grows over that number (50 in this case), the ASA starts working in TCP-intercept mode, which means that it acts as a proxy for the server and generates a SYN-ACK response to the initiator's SYN request. When the ASA receives an ACK back from the client, it will allow the connection to the server. So the server itself will never run out of space in its input SYN queue.
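To make the behaviour Andrew describes concrete, here is an added example (not from the thread or from Cisco): a small Python model of the state table with the embryonic limit, driven by the `set connection` line from the question. The policy-map context around that line (ACL, class-map, policy-map and interface names, the 192.0.2.10 server address) is constructed for the example. The model assumes the SYN that would push the embryonic count past the limit is the first one intercepted; constructed traffic is 200 SYNs that never complete followed by one legitimate client that does.

```python
"""Model of the ASA embryonic-conn-max limit and TCP intercept (added example).

Below the limit a client SYN is forwarded and the server holds the half-open
entry; at the limit the ASA answers the SYN itself (TCP intercept) and only
completes the handshake with the server once the client's ACK arrives.
"""
import re
from dataclasses import dataclass, field

# Constructed policy-map context for the thread's 'set connection' line.
# Names and the server address are placeholders, not from the thread.
ASA_CONFIG = """
access-list WEB_SERVER_ACL extended permit tcp any host 192.0.2.10 eq 80
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER_ACL
policy-map outside_policy
 class WEB_SERVER_CLASS
  set connection conn-max 500 embryonic-conn-max 50
service-policy outside_policy interface outside
"""


def parse_connection_limits(config):
    """Return (conn_max, embryonic_conn_max) from the first 'set connection' line."""
    m = re.search(r"set connection\s+conn-max\s+(\d+)\s+embryonic-conn-max\s+(\d+)", config)
    if not m:
        raise ValueError("no 'set connection' line with both limits found")
    return int(m.group(1)), int(m.group(2))


@dataclass
class EmbryonicLimitModel:
    """Simplified state table keyed by (src_ip, src_port, dst_ip, dst_port).

    Assumption: the SYN that would push the embryonic count past the limit
    is the first one handled in intercept mode.
    """
    embryonic_max: int
    forwarded: set = field(default_factory=set)    # half-open entries the server holds
    intercepted: set = field(default_factory=set)  # half-open entries held only by the ASA
    server_backlog_peak: int = 0                   # most half-open entries the server ever held
    intercept_count: int = 0
    established: int = 0

    def embryonic(self):
        """Total embryonic (half-open) connections the ASA is tracking."""
        return len(self.forwarded) + len(self.intercepted)

    def on_syn(self, flow):
        if self.embryonic() < self.embryonic_max:
            # Below the limit: SYN goes through, the server queues a half-open entry.
            self.forwarded.add(flow)
            self.server_backlog_peak = max(self.server_backlog_peak, len(self.forwarded))
        else:
            # At the limit: ASA proxies the SYN-ACK; the server sees nothing yet.
            self.intercepted.add(flow)
            self.intercept_count += 1

    def on_ack(self, flow):
        """Third packet of the handshake: the connection completes either way."""
        if flow in self.forwarded:
            self.forwarded.discard(flow)
            self.established += 1
        elif flow in self.intercepted:
            # ASA now completes the handshake with the server on the client's behalf.
            self.intercepted.discard(flow)
            self.established += 1


def simulate(embryonic_max, flood_syns=200):
    """Constructed traffic: flood_syns SYNs from distinct sources that never send
    the final ACK, then one legitimate client that completes the handshake."""
    model = EmbryonicLimitModel(embryonic_max)
    for i in range(flood_syns):
        model.on_syn(("198.51.100.%d" % (i % 250), 40000 + i, "192.0.2.10", 80))
    legit = ("203.0.113.7", 51515, "192.0.2.10", 80)
    model.on_syn(legit)
    model.on_ack(legit)
    return {
        "server_backlog_peak": model.server_backlog_peak,  # never exceeds embryonic_max
        "intercepted_syns": model.intercept_count,
        "established": model.established,
        "embryonic_now": model.embryonic(),
    }


if __name__ == "__main__":
    conn_max, embryonic_max = parse_connection_limits(ASA_CONFIG)
    print("conn-max=%d embryonic-conn-max=%d" % (conn_max, embryonic_max))
    print(simulate(embryonic_max))
```

With the thread's limit of 50, the server's backlog peaks at exactly 50 entries while the remaining 150 flood SYNs (and the legitimate client's SYN) are answered by the ASA; the legitimate client still establishes because its ACK arrives. The `embryonic_now` figure shows the ASA, not the server, is what carries the 200 stale half-open entries.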

Hi Andrew,

You explained it very well. One last thing on this: can half form connections cause the TCP SYN flood attack?

Regards

Mahesh

A TCP SYN flood itself is a bunch of half-open connections.

Hi Andrew,

Many thanks for answering, learned something new today.

Best regards

Mahesh
