1. TCP flags

Before we get to the TCP three-way handshake and the four-way wave (connection teardown), let's first go over the TCP flag bits, since the later sections rely on them.

Simply put, the TCP flag bits indicate the purpose of the current segment.

There are 6 flag bits, as follows:

  1. SYN (synchronize): the synchronize flag, used to establish a connection, working together with the ACK flag below. When a connection is initiated, SYN=1 and ACK=0, meaning a connection request has been sent but not yet acknowledged. When the request is answered, ACK is set to 1 to show that the connection request has been received, so the reply carries SYN=1, ACK=1.
  2. ACK (acknowledgement): acknowledges receipt of the peer's segment.
  3. PSH (push): the push flag. When a segment arrives at the receiver, its data is handed to the application for processing as soon as possible instead of waiting in the receive buffer.
  4. FIN (finish): the finish flag, used to end a TCP session.
  5. RST (reset): the reset flag, used to reset the TCP connection.
  6. URG (urgent): the urgent flag, which ensures that the TCP connection is not interrupted and urges intermediate devices to process the connection as soon as possible.

In addition, there are two sequence-number fields:

  1. Sequence number (seq): the sequence number of the first byte in the sent segment, usually written in lowercase as seq.
  2. Acknowledgement number (ack): the acknowledgement number, equal to the seq of the segment being acknowledged plus 1 (seq+1).

2. TCP three-way handshake

1. Overview of the TCP three-way handshake

A TCP connection is established by a three-way handshake: three packets exchanged between the client and the server. The purpose of the handshake is to connect to the specified port on the server, establish the TCP connection, synchronize the sequence numbers and acknowledgement numbers of both parties, and exchange TCP connection information.

2. The TCP three-way handshake step by step


  • First handshake: the Client sends a packet with SYN=1 and a randomly generated sequence number seq=x to the Server. From SYN=1 the Server knows that the Client wants to establish a connection.
  • Second handshake: after receiving the connection request, the Server confirms it and sends a packet with SYN=1, ACK=1, ack=x+1 (the Client's seq plus 1) and its own randomly generated sequence number seq=y, indicating that the Server has received the request and agrees to the connection.
  • Third handshake: on receiving this packet, the Client checks that ack equals x+1 and that ACK=1, which tells it that the Server has acknowledged its request. The Client then sends ACK=1, ack=y+1 (the Server's seq plus 1) to the Server. After receiving this ack, the Server treats the connection as established.
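As an added example (not code from the original article), here is a small Python decoder for the fixed 20-byte TCP header that pulls out the six flag bits and the seq/ack fields from the first section, then checks that three constructed segments form the handshake just described: SYN with seq=x, SYN+ACK with ack=x+1, ACK with ack=y+1. The port numbers and the values of x and y are constructed sample data.

```python
import struct

# TCP flag bits in the low byte of the header's flags word (URG..FIN, high bit to low).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(raw):
    """Decode ports, seq, ack and the set flags from a 20-byte TCP header."""
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    bits = off_flags & 0x3F  # low 6 bits of the offset/reserved/flags word
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": {name for name, bit in FLAG_BITS.items() if bits & bit}}

def build_tcp_header(src, dst, seq, ack, flags, window=65535):
    """Constructed 20-byte header (data offset 5, checksum left 0) for the sample below."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (5 << 12) | bits, window, 0, 0)

def classify_handshake(segments):
    """Validate three parsed segments as a handshake and label each step.
    Raises ValueError naming the failed check, mirroring the checks in the text."""
    s1, s2, s3 = segments
    if s1["flags"] != {"SYN"}:
        raise ValueError("first handshake: expected SYN only")
    if s2["flags"] != {"SYN", "ACK"} or s2["ack"] != s1["seq"] + 1:
        raise ValueError("second handshake: expected SYN+ACK with ack = x+1")
    if "ACK" not in s3["flags"] or "SYN" in s3["flags"] or s3["ack"] != s2["seq"] + 1:
        raise ValueError("third handshake: expected ACK with ack = y+1")
    return ["SYN (x=%d)" % s1["seq"], "SYN-ACK (y=%d, ack=x+1)" % s2["seq"], "ACK (ack=y+1)"]

# Constructed sample: client port 40000 -> server port 443, x=1000, y=5000.
X, Y = 1000, 5000
SAMPLE_HANDSHAKE = [
    build_tcp_header(40000, 443, X, 0, ["SYN"]),
    build_tcp_header(443, 40000, Y, X + 1, ["SYN", "ACK"]),
    build_tcp_header(40000, 443, X + 1, Y + 1, ["ACK"]),
]

def check_sample():
    """Parse the constructed handshake and return the three step labels."""
    return classify_handshake([parse_tcp_header(h) for h in SAMPLE_HANDSHAKE])

if __name__ == "__main__":
    for step in check_sample():
        print(step)
```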

3. TCP connection security: SYN attack

  • Harm: a SYN attack is a DoS attack. It exploits a weakness in TCP by sending a large number of half-open connection requests, consuming CPU and memory resources. SYN attacks affect not only hosts but also network devices such as routers and firewalls. In fact, any system with a TCP service enabled can be targeted, regardless of the operating system.
  • How it works: in the three-way handshake, after the server has sent the SYN-ACK (acknowledging the connection requested by the client) and before it receives the client's ACK (the third packet), the connection is called half-open, and the server is in the SYN_RECV state waiting for the client's response. If the ACK arrives, the connection is established; if not, the server retransmits the SYN-ACK until it succeeds or times out. In a SYN attack, a large number of SYN packets with forged, non-existent source IP addresses are sent to the server in a short time. The server answers each with a SYN-ACK and waits for the confirmation; because the source addresses do not exist, no ACK ever arrives and the server keeps retransmitting until the timeout. The forged SYNs thus occupy the half-open connection queue for a long time, legitimate SYN requests are affected, and the target system slows down or even crashes.
  • SYN attack detection: detecting a SYN attack is straightforward. If the server shows a large number of half-open connections (SYN_RECV), especially with random source IP addresses, you can basically conclude that it is a SYN attack.
  • Defense: filtering gateways (firewalls and routers) and TCP/IP stack hardening. Note, however, that SYN attacks cannot be completely prevented; short of redesigning TCP, the goal is to minimize the damage they cause.
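Added example (not from the original article): the detection heuristic above, applied in Python to constructed sample lines in the column layout of `ss -tan` on Linux. The thresholds are assumed values chosen for the sample; on a real host they would be tuned to normal traffic.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` (State Recv-Q Send-Q Local Peer):
# several SYN-RECV entries from unrelated source addresses, as the text describes.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.57:40002
SYN-RECV  0      0      10.0.0.5:443        192.0.2.9:40003
SYN-RECV  0      0      10.0.0.5:443        192.0.2.200:40004
SYN-RECV  0      0      10.0.0.5:443        198.51.100.66:40005
ESTAB     0      0      10.0.0.5:22         198.51.100.7:51300
"""

def half_open_sources(ss_output):
    """Return a Counter of peer IPs whose connections are in SYN-RECV (half-open)."""
    sources = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            peer_ip = fields[4].rsplit(":", 1)[0]  # drop the ":port" suffix
            sources[peer_ip] += 1
    return sources

def assess_syn_flood(ss_output, half_open_threshold=4, diversity_ratio=0.8):
    """Apply the article's heuristic: many half-open connections AND mostly distinct
    (random-looking) source addresses. Thresholds are assumed values for the sample."""
    sources = half_open_sources(ss_output)
    total = sum(sources.values())
    distinct = len(sources)
    ratio = distinct / total if total else 0.0
    suspicious = total >= half_open_threshold and ratio >= diversity_ratio
    return {"half_open": total, "distinct_sources": distinct, "suspicious": suspicious}

if __name__ == "__main__":
    print(assess_syn_flood(SAMPLE_SS_OUTPUT))
```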

Filtering gateway protection:

  1. Gateway timeout setting
  2. SYN gateway
  3. SYN proxy

Hardening TCP/IP stack:

  1. SynAttackProtect mechanism
  2. SYN cookies
  3. Increase the maximum number of connections
  4. Shorten the timeout

3. TCP four-way wave (connection teardown)


  1. The Client process sends a connection release segment and stops sending data: FIN=1, seq=m (the sequence number of the last transmitted data byte plus 1). The Client then enters the FIN-WAIT-1 state. By the TCP rules, a FIN segment consumes one sequence number even though it carries no data.
  2. After receiving the release segment, the Server sends an acknowledgement with ACK=1, ack=m+1 and its own sequence number seq=n, and enters the CLOSE-WAIT state. The Server's TCP notifies the upper-layer application that the Client has released the Client-to-Server direction, so the connection is half-closed: the Client has no more data to send, but if the Server sends data the Client still receives it. This state also lasts for a while, namely the duration of CLOSE-WAIT.
  3. After receiving the Server's acknowledgement, the Client enters the FIN-WAIT-2 state and waits for the Server's connection release segment (receiving any final data from the Server in the meantime).
  4. After sending its final data, the Server sends a connection release segment to the Client with FIN=1 and ack=m+1. Because the Server was half-closed, it has probably sent some more data; assume its sequence number is now seq=p. The Server enters the LAST-ACK state and waits for the Client's acknowledgement.
  5. After receiving the Server's release segment, the Client sends ACK=1, ack=p+1 with its own sequence number seq=m+1 and enters the TIME-WAIT state. Note that the connection is not yet released: the Client enters CLOSED only after 2*MSL (maximum segment lifetime) has passed and the TCB (transmission control block) is revoked.
  6. The Server enters the CLOSED state as soon as it receives the Client's acknowledgement, likewise revoking its TCB, which ends the TCP connection. As you can see, the Server finishes the connection earlier than the Client.
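Added example (not from the original article): a Python simulation of the six steps, in which each endpoint may only move between the states named above through a transition table and checks that every ACK acknowledges the peer's FIN (ack = m+1, then ack = p+1). MSL is an assumed constant for the simulation; m, n and p are passed in.

```python
MSL = 60  # seconds; assumed value for the simulation, the real value is stack-specific

# (current state, event) -> next state, covering only the closing states in the text.
CLOSE_TRANSITIONS = {
    ("ESTABLISHED", "send_FIN"): "FIN-WAIT-1",
    ("ESTABLISHED", "recv_FIN"): "CLOSE-WAIT",
    ("FIN-WAIT-1", "recv_ACK_of_FIN"): "FIN-WAIT-2",
    ("FIN-WAIT-2", "recv_FIN"): "TIME-WAIT",
    ("CLOSE-WAIT", "send_FIN"): "LAST-ACK",
    ("LAST-ACK", "recv_ACK_of_FIN"): "CLOSED",
    ("TIME-WAIT", "2MSL_elapsed"): "CLOSED",
}

class Endpoint:
    def __init__(self, name, seq):
        self.name, self.seq, self.state, self.fin_seq = name, seq, "ESTABLISHED", None

    def step(self, event):
        key = (self.state, event)
        if key not in CLOSE_TRANSITIONS:
            raise ValueError("%s: event %s not valid in state %s" % (self.name, event, self.state))
        self.state = CLOSE_TRANSITIONS[key]

    def send_fin(self):
        self.fin_seq, self.seq = self.seq, self.seq + 1  # a FIN consumes one sequence number
        self.step("send_FIN")
        return {"FIN": 1, "seq": self.fin_seq}

    def recv_fin(self, seg):
        self.step("recv_FIN")
        return {"ACK": 1, "ack": seg["seq"] + 1, "seq": self.seq}  # acknowledge the FIN

    def recv_ack(self, seg):
        if seg["ack"] != self.fin_seq + 1:
            raise ValueError("%s: expected ack %d, got %d" % (self.name, self.fin_seq + 1, seg["ack"]))
        self.step("recv_ACK_of_FIN")

def four_way_wave(m, n, p, seconds_since_last_ack):
    """Run the exchange; return (client state, server state, client's final ACK segment)."""
    client, server = Endpoint("Client", m), Endpoint("Server", n)
    fin1 = client.send_fin()          # 1. FIN=1, seq=m; Client -> FIN-WAIT-1
    ack1 = server.recv_fin(fin1)      # 2. ACK=1, ack=m+1, seq=n; Server -> CLOSE-WAIT
    client.recv_ack(ack1)             # 3. Client -> FIN-WAIT-2
    server.seq = p                    #    Server sends its remaining data while half-closed
    fin2 = server.send_fin()          # 4. FIN=1, seq=p; Server -> LAST-ACK
    ack2 = client.recv_fin(fin2)      # 5. ACK=1, ack=p+1, seq=m+1; Client -> TIME-WAIT
    server.recv_ack(ack2)             # 6. Server -> CLOSED immediately
    if seconds_since_last_ack >= 2 * MSL:
        client.step("2MSL_elapsed")   #    Client -> CLOSED only after 2*MSL
    return client.state, server.state, ack2
```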

4. Frequently asked interview questions

1. Why does connecting take a three-way handshake but closing take four steps?

A: When the client initiates a close, the FIN it sends only means that the client has no more data to send to the server. If the server still has data to send to the client, it cannot send the ACK and its own FIN in the same segment. So the server first sends an ACK to show that it has received the client's FIN, and only after finishing its data transmission does it send a FIN to indicate that it is ready to disconnect. That is why closing a connection takes four steps.

2. Why must TIME_WAIT last 2MSL before returning to CLOSED?

A: From the steps above, once all four segments have been sent the close is theoretically complete. In practice the network is unreliable: if the last segment is lost, the server never receives it and after a while retransmits its FIN. If the client had already disconnected, it could not answer this second request, so the server would keep resending the FIN in an endless loop. Therefore a waiting period is needed: if another request from the server arrives within it, the client knows its ACK was not received successfully; otherwise the server has received the ACK, the client enters the CLOSED state and the connection is closed. The period is set to 2MSL, that is, the maximum time for the client's ACK to reach the server plus the maximum time for the server to resend its FIN when no ACK arrives = 2MSL.

3. Why can't a connection be established with two handshakes?

A: The three-way handshake has two important functions: it lets both sides confirm that they are ready to send data and that the other side is ready too, and it lets both sides negotiate their initial sequence numbers, which are sent and acknowledged during the handshake. With only two handshakes, a deadlock is possible. Under a two-way handshake, after the server receives the client's SYN it sends an ACK and then considers the connection established and starts sending data. If that ACK is lost for network reasons, the client keeps waiting for the server's ACK; not knowing the server's sequence number, it considers the connection not established and ignores any data the server sends. The client keeps waiting for the ACK, and the server keeps resending data because the client never responds: a deadlock.

4. What if the client suddenly fails after the connection is established?

A: TCP has a keepalive timer, since obviously if the client fails the server cannot wait forever and waste resources. The server resets this timer, usually set to two hours, every time it receives data from the client. If it receives nothing from the client within two hours, the server sends a probe segment and then one more every 75 seconds. If there is still no response after 10 probes, the server assumes that the client has failed and closes the connection.
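Added example (not from the original article): how those numbers map onto Linux socket options in Python (SO_KEEPALIVE, TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT), plus the worst-case time until a failed client is detected. The socket is created but never connected, and an option that a platform does not expose is skipped.

```python
import socket

# Values quoted in the answer above: probe after 2 h idle, then every 75 s, give up after 10 probes.
KEEPALIVE_IDLE_SECS = 2 * 60 * 60
KEEPALIVE_INTERVAL_SECS = 75
KEEPALIVE_PROBE_COUNT = 10

# Linux option names; on platforms that do not expose one of them, that option is skipped.
KEEPALIVE_OPTS = (("idle", "TCP_KEEPIDLE", KEEPALIVE_IDLE_SECS),
                  ("interval", "TCP_KEEPINTVL", KEEPALIVE_INTERVAL_SECS),
                  ("count", "TCP_KEEPCNT", KEEPALIVE_PROBE_COUNT))

def configure_keepalive(sock):
    """Enable keepalive on a TCP socket and return the values read back from the kernel."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0}
    for key, opt_name, value in KEEPALIVE_OPTS:
        opt = getattr(socket, opt_name, None)
        if opt is None:
            continue  # e.g. macOS exposes only TCP_KEEPALIVE for the idle time
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[key] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied

def worst_case_detection_secs(idle=KEEPALIVE_IDLE_SECS, interval=KEEPALIVE_INTERVAL_SECS,
                              count=KEEPALIVE_PROBE_COUNT):
    """Time from the last received data until the server gives up: idle wait plus all probes."""
    return idle + interval * count

def demo():
    """Create a TCP socket (no connection is made), apply the settings and return them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return configure_keepalive(sock)
    finally:
        sock.close()

if __name__ == "__main__":
    print(demo(), "worst-case detection:", worst_case_detection_secs(), "s")
```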
