I'm about to configure maximum and per-client embrionic connections to guard against a syn-flood attack.

My question is, are there any normal circumstances which create embrionic connections or are they always a result of malicious activity?

I'm trying to set levels for this and am unsure whether to allow very few or quite a lot. I noticed in the CBT nugget video KB allowed only 5. Just wondered if anyone out there had previously configured this and what they set the limits at?