In a Cisco ASA firewall, how do you check whether it is under a TCP SYN flood attack? If it is under attack, what are the countermeasures?

On a Cisco ASA, running 'show conn count' shows the number of open connections (current and the high-water mark). By default, the value for half-open (embryonic) connections is 100000.

ciscoasa# show conn count
1931 in use, 3139 most used

We can configure the ASA to lower that value. First create a class-map that selects the traffic:

class-map SYN_Flood_Attack
match any

then reference that class-map in the global policy. To cap the total number of half-open connections, set the 'embryonic-conn-max' parameter; to cap the number of half-open connections allowed per host, set the 'per-client-embryonic-max' parameter:

policy-map global_policy
class SYN_Flood_Attack
set connection embryonic-conn-max 1100 per-client-embryonic-max 40
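Once the limits above are in place, the remaining question is how to tell from the CLI output whether a SYN flood is actually happening. The following is an added example (not from the original page and not a Cisco tool): a small Python check that parses the 'show conn count' line in the format shown above, counts embryonic TCP connections per initiating host from a 'show conn' listing, and reports anything that approaches the embryonic-conn-max (1100) or reaches the per-client-embryonic-max (40) configured in the policy-map. The 'show conn' sample is constructed; its line layout and flag letters (a connection whose flags lack 'U', meaning up, has not completed the three-way handshake) are assumed to follow the ASA documentation, and which printed address is the initiator is an assumption as well.

```python
"""Check a Cisco ASA connection snapshot against the embryonic (half-open)
connection limits. Added example; not code from the original page."""
import re
from collections import Counter

# Limits taken from the page's policy-map.
EMBRYONIC_CONN_MAX = 1100
PER_CLIENT_EMBRYONIC_MAX = 40

# 'show conn count' prints e.g. "1931 in use, 3139 most used" (format from the page).
CONN_COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")

# One 'show conn' line. Layout assumed from the ASA documentation:
# "TCP outside A.B.C.D:port inside W.X.Y.Z:port, idle ..., bytes N, flags XYZ"
CONN_LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_addr>\S+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>\S+),.*\bflags\s+(?P<flags>\S+)"
)


def parse_conn_count(text):
    """Return (in_use, most_used) from 'show conn count' output."""
    m = CONN_COUNT_RE.search(text)
    if not m:
        raise ValueError("unrecognized 'show conn count' output")
    return int(m.group(1)), int(m.group(2))


def embryonic_per_client(show_conn_text, initiator="out_addr"):
    """Count embryonic TCP connections per initiating host.

    A TCP entry whose flags lack 'U' (up) has not finished the handshake, so it
    is embryonic. Which printed address is the initiator is an assumption here
    (outside by default); 'show conn detail' labels Initiator/Responder
    explicitly if certainty is needed.
    """
    counts = Counter()
    for line in show_conn_text.splitlines():
        m = CONN_LINE_RE.match(line.strip())
        if not m or m.group("proto") != "TCP" or "U" in m.group("flags"):
            continue
        host = m.group(initiator).rsplit(":", 1)[0]  # drop the port
        counts[host] += 1
    return counts


def check_limits(in_use, per_client, warn_ratio=0.8, share_threshold=0.5):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    total = sum(per_client.values())
    if total >= warn_ratio * EMBRYONIC_CONN_MAX:
        findings.append(f"total embryonic {total} is at or above "
                        f"{int(warn_ratio * 100)}% of embryonic-conn-max {EMBRYONIC_CONN_MAX}")
    # A high share of half-open entries among all connections is the classic SYN flood signature.
    if in_use and total / in_use >= share_threshold:
        findings.append(f"embryonic connections are {total / in_use:.0%} of {in_use} in use")
    for host, n in per_client.most_common():
        if n >= PER_CLIENT_EMBRYONIC_MAX:
            findings.append(f"{host} holds {n} embryonic connections "
                            f"(per-client-embryonic-max {PER_CLIENT_EMBRYONIC_MAX})")
    return findings


# --- constructed sample input -------------------------------------------------
SAMPLE_CONN_COUNT = "1931 in use, 3139 most used"   # wording from the page


def _conn(out_addr, in_addr, flags):
    return f"TCP outside {out_addr} inside {in_addr}, idle 0:00:03, bytes 0, flags {flags}"


# One completed connection, one lone half-open connection, and 45 half-open
# connections from a single outside host toward an inside web server.
SAMPLE_SHOW_CONN = "\n".join(
    [_conn("198.51.100.5:40001", "192.0.2.10:80", "UIO"),
     _conn("203.0.113.9:40002", "192.0.2.10:80", "saA")]
    + [_conn(f"203.0.113.7:{52000 + i}", "192.0.2.10:80", "saA") for i in range(45)]
)

if __name__ == "__main__":
    in_use, most_used = parse_conn_count(SAMPLE_CONN_COUNT)
    print(f"in use: {in_use}, most used: {most_used}")
    for finding in check_limits(in_use, embryonic_per_client(SAMPLE_SHOW_CONN)):
        print("FLAG:", finding)
```

On the constructed snapshot the only finding is the single outside host holding 45 half-open connections, which is exactly the condition the per-client-embryonic-max value in the policy-map is meant to cut off; the total (46) is far below embryonic-conn-max and a small share of the 1931 connections in use, so the global limit is not the one doing the work in that case.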