Illustrated TCP three-way handshake: Step-by-step construction of a network session

Reliable data transmission is essential in Internet communications, and the TCP three-way handshake is the mechanism designed to provide it. Before a connection is established, the client and server must confirm each other's presence and readiness, so that network latency or lost packets do not lead to errors. Through the three-way handshake the two sides not only synchronize their sequence numbers but also establish a stable communication link, which allows the subsequent data transfer to proceed smoothly.

Basic understanding of TCP

Let's first look at the format of the TCP header. In the header diagram, the color-coded fields are the ones most closely related to the topic of this article; the remaining fields are not covered here.

(1) Sequence number: When a connection is established, the host generates a random value as its initial sequence number and sends it to the peer in a SYN packet. Each time data is sent, the sequence number is advanced by the number of bytes of data sent. This allows the receiver to reorder packets that arrive out of order during network transmission.

(2) Acknowledgment number: The sequence number of the data expected to be received next, which is the value carried in an acknowledgment (ACK). When the sender receives this acknowledgment, it can assume that all data before that sequence number has been successfully delivered to the receiver. This mechanism is mainly used to detect and recover from packet loss during network transmission.

(3) Control bits:

  • ACK: When this bit is 1, the acknowledgment number field is valid. TCP requires this bit to be set to 1 in every segment except the initial SYN packet sent when the connection is first established.
  • RST: When this bit is 1, it indicates that there is a problem with the TCP connection and the connection must be forcibly torn down.
  • SYN: When this bit is 1, the sender wants to establish a connection, and the initial sequence number is placed in the sequence number field.
  • FIN: When this bit is 1, the sender has no more data to send and wants to close the connection. When both parties have finished communicating and want to disconnect, each computer sends the other a TCP packet with the FIN bit set to 1.

Establishing a TCP connection

TCP is a connection-oriented protocol: a connection must be established before it can carry data. This is done through a process called the "three-way handshake". The individual handshake steps are shown in the figure below.

1. TCP three-way handshake process

In the beginning, both the client and the server are in the CLOSED state. The server then starts listening on a port and enters the LISTEN state.

The first packet: a SYN packet

The client randomly initializes its sequence number client_isn, places it in the sequence number field of the TCP header, and sets the SYN flag to 1 to mark the segment as a SYN packet. It then sends this first SYN packet to the server to request a connection; the packet carries no application-layer data. After sending it, the client is in the SYN-SENT state.

The second packet: SYN+ACK packet

After receiving the client's SYN packet, the server randomly initializes its own sequence number server_isn and places it in the sequence number field of the TCP header. It fills the acknowledgment number field with client_isn+1, and sets both the SYN and ACK flags to 1. It then sends the packet to the client; this packet also carries no application-layer data. After sending it, the server is in the SYN-RCVD state.

The third packet: an ACK packet

After receiving the server's packet, the client responds with the final acknowledgment packet. Its TCP header has the ACK flag set to 1 and the acknowledgment number field set to server_isn+1. The client then sends the packet to the server; this packet may already carry data from the client to the server. After sending it, the client is in the ESTABLISHED state.

After receiving the reply packet from the client, the server enters the ESTABLISHED state.
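The following is an added example (not code from the original article) that models the three steps above as a small state machine, tracking each side's state and checking the sequence and acknowledgment numbers against the rules just described. The segment representation and the `tamper_ack` switch are assumptions for illustration.

```python
# Added example: a minimal model of the TCP three-way handshake.  Segments are
# plain dicts, not real TCP headers; the point is the state transitions and the
# seq/ack arithmetic (client_isn + 1, server_isn + 1, 32-bit wraparound).
import random

MASK32 = 0xFFFFFFFF

def make_segment(seq, ack, syn=False, ack_flag=False, data=b""):
    """Build a simplified TCP segment as a dict."""
    return {"seq": seq, "ack": ack, "SYN": syn, "ACK": ack_flag, "data": data}

class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.isn = None        # our initial sequence number
        self.peer_isn = None   # peer's initial sequence number

def three_way_handshake(client_isn=None, server_isn=None, tamper_ack=False):
    """Run the handshake; return (client_state, server_state, [segments])."""
    client, server = Endpoint("client"), Endpoint("server")
    server.state = "LISTEN"                      # passive open on the server
    client.isn = client_isn if client_isn is not None else random.getrandbits(32)
    # 1st segment: SYN=1, seq=client_isn, no data -> client goes to SYN-SENT
    syn = make_segment(client.isn, 0, syn=True)
    client.state = "SYN-SENT"
    # Server receives the SYN while listening and picks its own ISN
    assert server.state == "LISTEN" and syn["SYN"] and not syn["ACK"]
    server.peer_isn = syn["seq"]
    server.isn = server_isn if server_isn is not None else random.getrandbits(32)
    # 2nd segment: SYN=1, ACK=1, seq=server_isn, ack=client_isn+1 -> SYN-RCVD
    synack = make_segment(server.isn, (server.peer_isn + 1) & MASK32,
                          syn=True, ack_flag=True)
    server.state = "SYN-RCVD"
    # Client checks that the SYN+ACK acknowledges its own SYN
    if synack["ack"] != (client.isn + 1) & MASK32:
        raise ValueError("SYN+ACK does not acknowledge our SYN")
    client.peer_isn = synack["seq"]
    # 3rd segment: ACK=1, seq=client_isn+1, ack=server_isn+1, may carry data
    ack_num = (client.peer_isn + 1) & MASK32
    if tamper_ack:
        ack_num ^= 1  # simulate a wrong acknowledgment number (assumption)
    ack = make_segment((client.isn + 1) & MASK32, ack_num, ack_flag=True,
                       data=b"GET / HTTP/1.0\r\n\r\n")
    client.state = "ESTABLISHED"
    # Server only completes the connection if the ACK matches server_isn+1
    if ack["ACK"] and not ack["SYN"] and ack["ack"] == (server.isn + 1) & MASK32:
        server.state = "ESTABLISHED"
    return client.state, server.state, [syn, synack, ack]
```

With a wrong acknowledgment number in the third packet the server stays in SYN-RCVD, which is exactly the half-open state discussed later under SYN flooding.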

A simple lab environment is built with ENSP, as shown in the following figure.

To give an intuitive picture of the three-way handshake, the following shows the three handshake packets captured with the Wireshark packet capture software.

Three-way handshake packets

(1) The first handshake marker

In the Flags field, only the synchronization bit is set: SYN (Syn) = 1, marking the connection request.

First handshake packet

(2) Second handshake marker

In the Flags field, both the acknowledgment bit and the synchronization bit are set. This is the SYN+ACK response: SYN (Syn) = 1 and ACK (Acknowledgment) = 1.

Second handshake packet

(3) The third handshake marker

In the Flags field, only the acknowledgment bit is set: ACK (Acknowledgment) = 1.

Third handshake packet
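As an added example (not part of the original article), the following decodes the header fields introduced earlier from raw 20-byte TCP headers and classifies each one as the first, second or third handshake packet, the same check a reader does by eye in the three captures above. The three sample headers are constructed here with made-up ports and sequence numbers; they are not taken from the capture.

```python
# Added example: parse a raw TCP header and identify the handshake step.
import struct

# Control bits in the TCP flags field (RFC 793 bit positions).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp_header(raw):
    """Return the header fields relevant to connection setup."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4,   # data offset in 32-bit words
            "SYN": bool(off_flags & SYN), "ACK": bool(off_flags & ACK),
            "FIN": bool(off_flags & FIN), "RST": bool(off_flags & RST)}

def handshake_step(hdr):
    """Map the control bits to the handshake packet they correspond to."""
    if hdr["RST"] or hdr["FIN"]:
        return "other"
    if hdr["SYN"] and not hdr["ACK"]:
        return "1: SYN"
    if hdr["SYN"] and hdr["ACK"]:
        return "2: SYN+ACK"
    if hdr["ACK"]:
        return "3: ACK"
    return "other"

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed test helper: pack a 20-byte header (checksum left as 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, 0, 0)

# Constructed sample capture (assumed values, not from the Wireshark figures).
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x5E6F7081
CAPTURE = [
    build_tcp_header(51234, 80, CLIENT_ISN, 0, SYN),
    build_tcp_header(80, 51234, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(51234, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

def classify_capture(frames):
    """Label each raw header with its handshake step."""
    return [handshake_step(parse_tcp_header(f)) for f in frames]
```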

Frequently Asked Interview Questions

1. Why does TCP establish a connection with a three-way handshake instead of two?

TCP uses three handshakes rather than two mainly to ensure that both sides can communicate and that the connection is stable. In the first handshake the client tells the server it wants to establish a connection; in the second the server replies that it is ready to accept it; in the third the client confirms again, so that both parties know they are ready to exchange data. With only two handshakes the client would learn the server's sequence number, but the server would never learn whether its own SYN+ACK arrived, leaving the two sides in an asymmetric state that can result in lost data or an unstable connection. The three-way handshake ensures that both sides have been confirmed and are ready for the data transfer that follows.

2. Why does TCP establish a connection with a three-way handshake instead of four?

TCP uses three handshakes rather than four because three are enough to confirm the state of both parties and synchronize their sequence numbers. The first handshake is the client's request, the second is the server's response, and the third is the client's confirmation, after which the connection is reliably established. A fourth handshake would only add waiting time and waste resources. The three-way handshake ensures that both parties are ready to communicate while completing connection setup quickly and efficiently.

3. Do you know of a network attack that exploits the TCP connection mechanism? How can it be mitigated?

The attack that exploits the TCP connection establishment process is known as a TCP SYN flood. It takes advantage of the three-way handshake by sending a large number of SYN (synchronize sequence numbers) request packets to the target server while deliberately never sending the final ACK (acknowledgment) packet that would complete the handshake. This leaves a large number of half-open connections on the target server, which consume its limited resources such as memory and processing capacity, until the server can no longer serve legitimate users.

Mitigations:

  • SYN cookies: Instead of allocating resources as soon as a SYN request arrives, the server encodes a cryptographically computed cookie in the initial sequence number of its SYN+ACK and only allocates the connection when a valid ACK carrying that cookie comes back.
  • Limit the SYN request rate: Configure a firewall or intrusion detection system (IDS) to limit the rate of SYN requests from a single source IP address, so that excessive requests are dropped.
  • Use load balancing: Distribute traffic across multiple servers to reduce the pressure on any single server.
  • Set a connection timeout: Adjust the server's connection timeout so that half-open connections are held for a shorter time.
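The following added example (not from the original article) illustrates the SYN cookie idea from the first mitigation: the server derives its initial sequence number from a keyed hash of the connection's addresses and a coarse time counter, keeps no half-open state, and only accepts the third-handshake ACK if the acknowledged number is a cookie it could have issued recently. The cookie layout (8-bit counter, 24-bit MAC), the secret, and the lifetime are simplifying assumptions, not the exact format used by any real operating system.

```python
# Added example: simplified SYN cookie issuance and verification.
import hmac
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SECRET = b"server-secret-rotated-at-boot"   # assumed per-boot secret
COOKIE_LIFETIME = 64                        # seconds a cookie stays valid
COUNTER_PERIOD = 32                         # seconds per time-counter tick

def _mac(sip, sport, dip, dport, client_isn, counter):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the counter."""
    msg = (f"{sip}:{sport}>{dip}:{dport}".encode()
           + struct.pack("!II", client_isn, counter))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(sip, sport, dip, dport, client_isn, now):
    """Server ISN for the SYN+ACK: high 8 bits = time counter, low 24 = MAC.
    Nothing is stored for this half-open connection."""
    counter = (now // COUNTER_PERIOD) & 0xFF
    mac = _mac(sip, sport, dip, dport, client_isn, counter)
    return (counter << 24) | int.from_bytes(mac, "big")

def check_syn_cookie(sip, sport, dip, dport, seq, ack, now):
    """Validate the third-handshake ACK (seq = client_isn+1, ack = cookie+1).
    Returns True only for a fresh cookie this server could have issued."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    counter = cookie >> 24
    current = (now // COUNTER_PERIOD) & 0xFF
    if (current - counter) & 0xFF > COOKIE_LIFETIME // COUNTER_PERIOD:
        return False                          # cookie too old: reject
    expected = _mac(sip, sport, dip, dport, client_isn, counter)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, got)  # constant-time comparison

def handshake_with_cookie(sip, sport, dip, dport, client_isn, t_syn, t_ack,
                          forge_ack=0):
    """Constructed end-to-end run: client SYN -> cookie SYN+ACK -> client ACK."""
    server_isn = make_syn_cookie(sip, sport, dip, dport, client_isn, t_syn)
    ack_seq = (client_isn + 1) & MASK32
    ack_num = ((server_isn + 1) ^ forge_ack) & MASK32
    return check_syn_cookie(sip, sport, dip, dport, ack_seq, ack_num, t_ack)
```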