07-21-2013 08:01 AM - edited 03-11-2019 07:15 PM
Hi Everyone,
Need to confirm some ASA concepts below
1> For ASA half-formed connections, the 3-way TCP handshake is never completed, and it can cause a TCP SYN flood attack, right?
2> To control the limit of half-formed connections in ASA we can put the config below in the policy map:
set connection conn-max 500 embryonic-conn-max 50
Here 50 is the limit for half-formed connections in ASA, right?
Regards
Mahesh
07-21-2013 08:46 AM
Hi.
1. Yep, a half-open TCP connection is when the initiator sends a TCP SYN, the responder answers with SYN-ACK and waits for the final ACK, but that ACK never arrives. A TCP SYN flood attack is when an attacker floods a server with TCP SYN packets, causing denial of service.
2. Regarding your example, yes, 50 is the limit. Until that limit the ASA just keeps those half-open connections in the state table. But, as soon as the number of half-open connections grows over that number (50 in this case), the ASA starts working in TCP-intercept mode, which means that it acts as a proxy for the server and generates a SYN-ACK response to the initiator's SYN request. When the ASA receives an ACK back from the client, it will allow the connection to the server. So the server itself will never run out of space in its input SYN queue.
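To make the embryonic limit and the TCP-intercept switch-over concrete, here is a small Python model of the behaviour Andrew describes (an added example, not ASA code and not from this thread): below the limit a SYN is forwarded and the real server holds the half-open entry; once the limit is reached the ASA answers SYN-ACK itself and only contacts the server after the client's ACK arrives. The flow keys, the sample addresses and the exact ">= limit" boundary are modelling assumptions.

```python
# Added example: model of the ASA embryonic-connection limit and TCP intercept
# described above. Flow keys, addresses and the ">= limit" boundary are assumptions.
from dataclasses import dataclass, field


@dataclass
class AsaEmbryonicLimiter:
    embryonic_conn_max: int                              # e.g. 50 from the thread
    half_open: set = field(default_factory=set)          # SYN forwarded, no ACK yet
    intercepted: set = field(default_factory=set)        # ASA sent SYN-ACK for server
    server_syn_backlog: set = field(default_factory=set) # half-open slots on real server
    established: list = field(default_factory=list)

    def on_client_syn(self, flow):
        """flow = (client_ip, client_port); returns who answered the SYN."""
        if len(self.half_open) < self.embryonic_conn_max:
            self.half_open.add(flow)
            self.server_syn_backlog.add(flow)            # server allocates a slot
            return "server"
        self.intercepted.add(flow)                       # limit hit: ASA proxies it
        return "asa"

    def on_client_ack(self, flow):
        """Third handshake packet; True if the flow is now established."""
        if flow in self.half_open:
            self.half_open.discard(flow)
            self.server_syn_backlog.discard(flow)
        elif flow in self.intercepted:
            self.intercepted.discard(flow)               # ASA now opens to server
        else:
            return False                                 # ACK with no matching SYN
        self.established.append(flow)
        return True


def syn_flood(limit, spoofed_syns, real_client=("203.0.113.5", 40000)):
    """Constructed scenario: SYNs that never ACK, followed by one real client."""
    asa = AsaEmbryonicLimiter(embryonic_conn_max=limit)
    for i in range(spoofed_syns):
        asa.on_client_syn(("198.51.100.%d" % (i % 250), 1024 + i))  # constructed
    asa.on_client_syn(real_client)
    asa.on_client_ack(real_client)
    return {
        "server_backlog": len(asa.server_syn_backlog),
        "intercepted_pending": len(asa.intercepted),
        "real_client_established": real_client in asa.established,
    }
```

With embryonic-conn-max 50 and 200 SYNs that never complete, the server backlog stops at 50 while the ASA holds the remaining 150, and a legitimate client that does ACK still gets through.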
07-23-2013 03:24 AM
A TCP SYN flood itself is a bunch of half-open connections.
07-21-2013 08:56 AM
Hi Andrew,
You explained it very well. One last thing on this: can half-formed connections cause a TCP SYN flood attack?
Regards
Mahesh
07-23-2013 07:24 AM
Hi Andrew,
Many thanks for answering; learned something new today.
Best regards
Mahesh