Thanks Gilles,
Indeed the CSS doesn't block anything (I wish it would have been more explicit in the documents, except writing that the dos feature cannot be disabled).
However It was a problem that caused by the CSS and I write this here just in case someone else will encounter the same.
I use CSS for many years now, but this is the first time that i used it on a very connection intensive application and in such an envirounment, and this is why the issue became a visible problem.
CSS and ASA was connected on the same network, with the CSS interface configured as a default gateway on the hosts.
However the CSS sends ICMP redirects packets to the hosts injecting a "better" route to different external IP addresses using the ASA interface IP address. That cause connections from different IP addresses to be blocked for a period of 10 minutes (default time that an ICMP redirect injected route will stay in the routing table of windows server2003) because the routing table on the host has a "better" route which is not the CSS's interface.
Together with the fact that I was using sticky session content rule based on sticky-srcip, that caused an outage for 10 minutes for different IP addresses on a regular basis.
I have sorted it out by disabling icmp Redirect on the windows hosts registry:
"\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
change EnableICMPRedirect to "0" by default its "1"
reboot the hosts, and you will see an immediate drop in syn attack indications on the CSS, hinting that the problem has been solved.
I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did that for me.
Thanks again gilles for your enlightment
Regards,
Lior
