Illustrated TCP three-way handshake: building a network session step by step

In Internet communications, ensuring the reliability of data transmission is crucial. The TCP three-way handshake process is designed to solve this problem. Before establishing a connection, the client and server need to confirm each other's existence and readiness to prevent errors caused by network delays or data loss. Through the three-way handshake, both parties can not only synchronize the sequence number, but also effectively establish a stable communication link, thereby ensuring the smooth transmission of subsequent data.

Basic knowledge of TCP

Let's explore the TCP header format. The color-coded fields are the ones that are most relevant to our topic, and we won't go into the rest for now.

(1) Sequence number: During the connection establishment process, a random value generated by a computer is used as the initial sequence number and is passed to the receiving host via the SYN packet. Each time data is sent, the sequence number is incremented according to the number of data bytes sent. This method helps to solve the problem of packet disorder that may occur during network transmission.

(2) Acknowledgement number: The acknowledgement number carried in an acknowledgment (ACK) is the sequence number of the next data the receiver expects. When the sender receives this acknowledgment, it can consider all data before this sequence number to have been successfully delivered to the receiver. This mechanism is mainly used to solve the problem of data packet loss that may occur during network transmission.

(3) Control bits:

  • ACK: When this bit is 1, the "acknowledgement" is in effect. TCP stipulates that this bit must be set to 1 in all cases except the SYN packet sent when the connection is first established.
  • RST: When this bit is 1, it means that there is a problem with the TCP connection and it must be forcibly disconnected.
  • SYN: When this bit is 1, it means that the sender wants to establish a connection, and an initial sequence number is set in the [Sequence Number] field.
  • FIN: When this bit is set to 1, it means that no more data will be sent and the connection is terminated. When both parties have completed the communication and want to disconnect, the two computers will send each other TCP packets with the FIN bit set to 1.

TCP connection establishment

TCP is a protocol that requires a connection to be established before it can be used. Before starting to transmit data, both parties must go through a process called a "three-way handshake" to establish the connection. The specific steps of the handshake can be seen in the figure below.

1. TCP three-way handshake process

At the beginning, both the client and the server are in the CLOSED state. First, the server actively listens to a port and is in the LISTEN state.

The first message: SYN message

The client will randomly initialize the sequence number client_isn, put this sequence number in the sequence number field of the TCP header, and set the SYN flag to 1, indicating a SYN message. Then it sends the first SYN message to the server, indicating that a connection is initiated to the server. This message does not contain application layer data, and then the client is in the SYN-SENT state.

The second message: SYN+ACK message

After receiving the SYN message from the client, the server first randomly initializes its own sequence number server_isn and fills it into the sequence number field of the TCP header. It then fills the acknowledgement number field of the TCP header with client_isn+1 and sets the SYN and ACK flags to 1. Finally, the message, which does not contain application layer data, is sent to the client, and the server enters the SYN-RCVD state.

The third message: ACK message

After the client receives the message from the server, it must respond to the server with one last reply message. First, the ACK flag in the TCP header of the reply message is set to 1, and then the acknowledgement number field is filled with server_isn+1. Finally, the message is sent to the server. This message can carry data from the client to the server, and the client then enters the ESTABLISHED state.

After the server receives the response message from the client, it also enters the ESTABLISHED state.

Build a simple experimental environment through ENSP, as shown below

In order to give you an intuitive understanding of the three-way handshake process, the following uses the Wireshark packet capture software to capture the data packets of the three-way handshake.

Three-way handshake packet

(1) First handshake flag

From the flags field, we can see that the synchronization bit has a value. For the SYN request: the Syn (synchronization) bit is 1.

First handshake packet

(2) Second handshake flag

From the flags field, we can see that the confirmation bit and the synchronization bit have values. For the SYN+ACK response: the Syn (synchronization) bit is 1 and the Acknowledgment (confirmation) bit is 1.

Second handshake packet

(3) The third handshake flag

From the flags field, we can see that only the confirmation bit has a value. When confirming again with ACK: the Acknowledgment (confirmation) bit is 1.

The third handshake packet
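The header fields and the three captured segments described above can be checked programmatically. The following is an added example, not part of the original article: it decodes the sequence number, acknowledgement number and control bits from raw TCP headers and verifies the client_isn+1 / server_isn+1 relationships, including 32-bit wrap-around. The ports and ISN values are constructed sample data, and the function names are illustrative.

```python
import struct

# Control bits discussed above (bit masks within the TCP flags field)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}
MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around

def build_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)

def parse_header(raw):
    """Decode ports, sequence/acknowledgement numbers and control bits."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    names = {name for name, bit in FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": names}

def check_handshake(segments):
    """Return (ok, reason) for parsed segments expected to be SYN, SYN+ACK, ACK."""
    if len(segments) != 3:
        return False, "need exactly three segments"
    syn, synack, ack = segments
    if syn["flags"] != {"SYN"}:
        return False, "first segment is not a pure SYN"
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "second segment is not SYN+ACK"
    if synack["ack"] != (syn["seq"] + 1) % MOD:
        return False, "SYN+ACK does not acknowledge client_isn+1"
    if ack["flags"] != {"ACK"}:
        return False, "third segment is not a pure ACK"
    # The SYN itself consumes one sequence number, so the client continues at client_isn+1
    if ack["seq"] != (syn["seq"] + 1) % MOD:
        return False, "third segment sequence number is not client_isn+1"
    if ack["ack"] != (synack["seq"] + 1) % MOD:
        return False, "final ACK does not acknowledge server_isn+1"
    return True, "handshake complete"

# Constructed sample: client_isn sits at the 32-bit limit to exercise wrap-around
CLIENT_ISN, SERVER_ISN = 0xFFFFFFFF, 3_000_000_000
SAMPLE = [
    build_header(50000, 80, CLIENT_ISN, 0, FLAGS["SYN"]),
    build_header(80, 50000, SERVER_ISN, 0, FLAGS["SYN"] | FLAGS["ACK"]),  # ack wraps to 0
    build_header(50000, 80, 0, SERVER_ISN + 1, FLAGS["ACK"]),
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_header(raw))
    print(check_handshake([parse_header(r) for r in SAMPLE]))
```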

Common interview questions

1. Why does TCP need three handshakes to establish a connection instead of two?

A TCP connection requires three handshakes instead of two mainly to ensure that both sides can communicate and that the connection is stable. In the first handshake, the client tells the server that it wants to establish a connection; in the second handshake, the server replies that it is ready to accept the connection; in the third handshake, the client confirms again to ensure that both parties are ready to send data. With only two handshakes, the client and the server may sometimes end up with inconsistent views of the connection, resulting in data loss or an unstable connection. The three-way handshake therefore ensures that both sides have confirmed each other and are ready for subsequent data transmission.

2. Why does TCP need three handshakes instead of four to establish a connection?

TCP uses three handshakes instead of four to establish a connection because three handshakes are enough to confirm the status of both parties and synchronize the sequence numbers. The first handshake is the client sending a request, the second handshake is the server responding, and the third handshake is the client confirming again, so that the connection can be established reliably. Changing this to a four-way handshake would add unnecessary waiting time and waste resources. The three-way handshake ensures that both parties are ready to communicate and completes the connection quickly and efficiently.

3. Do you know that there is a network attack that exploits a vulnerability in the TCP connection establishment mechanism? How can this problem be solved?

A network attack that exploits the TCP connection establishment process is the TCP SYN Flood attack. It takes advantage of the characteristics of the TCP three-way handshake by sending a large number of SYN (synchronization sequence number) request messages to the target server while deliberately not sending the final ACK (acknowledgement) message that would complete the handshake. This leaves a large number of half-open connections on the target server, consuming its limited resources, such as memory and processing power, and ultimately making it difficult or impossible for the server to provide services to legitimate users.

Solution:

  • SYN Cookies: When the server receives a SYN request, it does not immediately allocate resources. Instead, it generates a cryptographically computed SYN Cookie and only establishes the connection when it receives a legitimate ACK.
  • Limit the SYN request rate: Configure a firewall or intrusion detection system (IDS) to limit the SYN request frequency from any single IP address to prevent excessive requests.
  • Use load balancing: Distribute traffic to multiple servers to reduce the pressure on a single server.
  • Set connection timeout: Adjust the server's connection timeout settings to reduce the duration of the waiting state.
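The SYN Cookies item above can be made concrete. The following is an added example, not part of the original article and not the algorithm of any particular operating system: a simplified scheme in which the server derives server_isn from a keyed hash of the connection 4-tuple, client_isn and a time slot, stores nothing, and validates the cookie only when the final ACK arrives. The key, slot width, bit layout and addresses are assumptions chosen for illustration; real implementations also encode the MSS.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"  # assumption: a random per-boot secret in practice
SLOT_SECONDS = 64                 # assumption: width of one cookie time slot
MAX_AGE_SLOTS = 2                 # assumption: ACKs older than this are rejected
MOD = 2 ** 32

def _mac(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed hash binding the cookie to the connection and time slot."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHIB", sport, dport, client_isn, slot))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, client_isn, now):
    """Value the server sends as server_isn in its SYN+ACK; nothing is stored."""
    slot = (int(now) // SLOT_SECONDS) & 0xFF
    mac = _mac(src, sport, dst, dport, client_isn, slot)
    return (slot << 24) | int.from_bytes(mac, "big")

def check_cookie(src, sport, dst, dport, ack_seq, ack_num, now):
    """Validate the third-handshake ACK using only fields carried in that ACK.

    ack_seq is the client's sequence number (client_isn+1) and ack_num its
    acknowledgement number (server_isn+1), as in the handshake above.
    """
    cookie = (ack_num - 1) % MOD
    client_isn = (ack_seq - 1) % MOD
    slot = cookie >> 24
    age = ((int(now) // SLOT_SECONDS) - slot) & 0xFF
    if age > MAX_AGE_SLOTS:
        return False  # stale cookie, or a slot value from the future
    expected = _mac(src, sport, dst, dport, client_isn, slot)
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))

if __name__ == "__main__":
    # Constructed addresses from documentation ranges
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)
    cookie = make_cookie(*conn, client_isn=123456, now=1000)
    print(check_cookie(*conn, ack_seq=123457, ack_num=(cookie + 1) % MOD, now=1010))
    print(check_cookie(*conn, ack_seq=123457, ack_num=(cookie + 2) % MOD, now=1010))
```

Because the server allocates connection state only after check_cookie succeeds, SYNs that are never followed by a valid ACK cost it no memory.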
