Cisco ASA 5505 Configuration Manual page 1048

Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Limiting the number of embryonic connections protects you from a DoS attack. The adaptive security
appliance uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which
protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.
An embryonic connection is a connection request that has not finished the necessary handshake between
source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding
attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP
addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from
servicing connection requests. When the embryonic connection threshold of a connection is crossed, the
adaptive security appliance acts as a proxy for the server and generates a SYN-ACK response to the
client SYN request. When the adaptive security appliance receives an ACK back from the client, it can
then authenticate the client and allow the connection to the server.
To view TCP Intercept statistics, including the top 10 servers under attack, see
Threat Detection."
Disabling TCP Intercept for Management Packets for Clientless SSL
Compatibility
By default, TCP management connections have TCP Intercept always enabled. When TCP Intercept is
enabled, it intercepts the 3-way TCP connection establishment handshake packets and thus deprives the
adaptive security appliance from processing the packets for clientless SSL. Clientless SSL requires the
ability to process the 3-way handshake packets to provide selective ACK and other TCP options for
clientless SSL connections. To disable TCP Intercept for management traffic, you can set the embryonic
connection limit; only after the embryonic connection limit is reached is TCP Intercept enabled.
Dead Connection Detection (DCD)
DCD detects a dead connection and allows it to expire, without expiring connections that can still handle
traffic. You configure DCD when you want idle, but valid connections to persist.
When you enable DCD, idle timeout behavior changes. With idle timeout, DCD probes are sent to each
of the two end-hosts to determine the validity of the connection. If an end-host fails to respond after
probes are sent at the configured intervals, the connection is freed, and reset values, if configured, are
sent to each of the end-hosts. If both end-hosts respond that the connection is valid, the activity timeout
is updated to the current time and the idle timeout is rescheduled accordingly.
Enabling DCD changes the behavior of idle-timeout handling in the TCP normalizer. DCD probing
resets the idle timeout on the connections seen in the show conn command. To determine when a
connection that has exceeded the configured timeout value in the timeout command but is kept alive due
to DCD probing, the show service-policy command includes counters to show the amount of activity
from DCD.
TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
adaptive security appliance randomizes the ISN of the TCP SYN passing in both the inbound and
outbound directions.
Cisco ASA 5500 Series Configuration Guide using ASDM
48-2
Chapter 48 Configuring Connection Settings
Chapter 51, "Configuring
OL-20339-01