TCP/IP three-way handshake and four waves

Source: Internet
Author: User

I. TCP message format

For details of the TCP/IP protocols, see the three volumes of "TCP/IP Illustrated". The following is a diagram of the TCP message format:

Figure 1 TCP message format

Several fields need to be highlighted:

(1) Sequence number: the SEQ number, 32 bits long, identifies the byte stream sent from the TCP source to the destination; the initiator marks it when sending data.
(2) Acknowledgment number: the ACK number, 32 bits long. The acknowledgment number field is valid only when the ACK flag bit is 1, and ack = seq + 1.
(3) Flags: 6 in total, namely URG, ACK, PSH, RST, SYN and FIN, with the following meanings:
    (A) URG: the urgent pointer is valid.
    (B) ACK: the acknowledgment number is valid.
    (C) PSH: the receiver should hand this message to the application layer as soon as possible.
    (D) RST: reset the connection.
    (E) SYN: initiate a new connection.
    (F) FIN: release a connection.

Be aware that:
    (A) Do not confuse the acknowledgment number (ack) with the ACK flag bit.
    (B) The acknowledging side's ack = the initiating side's seq + 1; the two ends are paired.

II. Three-way handshake

The so-called three-way handshake establishes a TCP connection: when a TCP connection is established, the client and the server send a total of 3 packets to confirm it. In socket programming, this process is triggered by the client executing connect. The whole process is shown in the following figure:
Figure 2 TCP three-way handshake

(1) First handshake: the client sets the SYN flag bit to 1, randomly generates a value seq=J, and sends the packet to the server. The client enters the SYN_SENT state and waits for the server to confirm.
(2) Second handshake: on receiving the packet, the server learns from the flag bit SYN=1 that the client is requesting a connection. The server sets both the SYN and ACK flag bits to 1, sets ack=J+1, randomly generates a value seq=K, and sends the packet to the client to confirm the connection request. The server enters the SYN_RCVD state.
(3) Third handshake: on receiving the acknowledgment, the client checks that ack is J+1 and that the ACK flag is 1. If so, it sets the ACK flag bit to 1, sets ack=K+1, and sends the packet to the server. The server checks that ack is K+1 and that the ACK flag is 1. If so, the connection is established, the client and the server enter the ESTABLISHED state, and the three-way handshake is complete. Data can then be transferred between the client and the server.

Why not just two handshakes?

With the detailed steps of the three-way handshake in hand, we can analyze why it takes three handshakes instead of two.

Purpose of the three-way handshake: to eliminate interference from old connection-request SYN messages with a new connection, to synchronize the sequence numbers and acknowledgment numbers of both sides, and to exchange TCP window size information.

Imagine there were only two handshakes: the server would only send an ACK packet to the client in the second handshake, and at that point the client would consider the connection with the server established. Under this handshake rule:

Suppose the network is congested and, because of the TCP/IP timed retransmission mechanism, B sends two SYN requests to A, x1 and x2, and that because of the congestion the TCP window size and data message length of the x1 request and the x2 request differ. If x1 finally reaches A and x2 is lost, A establishes the x1 connection with B. At this point, since A and B are connected, B cannot know whether the connection was established with request x1 or request x2. If B assumes the connection was established with its most recent request x2 and starts sending data to A, the data message length is the one defined by x2 and the window size is the one defined by x2, whereas A's connection is x1, with the message length and TCP window size defined by x1. This causes A to process the data incorrectly.

Clearly, if on receiving B's request A sends B a SYN request y3 (whose window size and datagram length are those defined by x1), confirming that the window size and datagram length for the connection are those of x1, A confirms the reply and the x1 connection is established. The two sides then start transferring data and no data processing error occurs.

SYN attack

During the three-way handshake, after the server has sent the SYN-ACK and before it receives the client's ACK, the TCP connection is called a half-open connection (half-open connect), and the server is in the SYN_RCVD state. When the ACK is received, the server moves to the ESTABLISHED state. In a SYN attack, the client forges a large number of non-existent IP addresses in a short period and continuously sends SYN packets to the server. The server replies with acknowledgment packets and waits for the client's confirmation; because the source addresses do not exist, the server keeps retransmitting until it times out. These forged SYN packets occupy the unconnected queue for a long time, so normal SYN requests are discarded because the queue is full, causing network congestion and even system paralysis.
The SYN attack is a typical DDoS attack. Detecting it is simple: when the server has a large number of half-open connections and the source IP addresses are random, you can conclude that it is a SYN attack. The following command makes the current state visible:

    # netstat -nap | grep SYN_RECV

III. Four waves

Now that the three-way handshake is familiar, on to the four waves. The so-called four waves (four-way wavehand) terminate a TCP connection: when a TCP connection is torn down, the client and the server send a total of 4 packets to confirm the disconnection. In socket programming, this process is triggered by either the client or the server executing close. The whole process is shown in the following figure:
Figure 3 TCP four waves

Because a TCP connection is full duplex, each direction must be closed separately. The principle is that when one side has finished sending its data, it sends a FIN to terminate the connection in that direction. Receiving a FIN only means that no more data will flow in that direction, that is, no more data will be received; data can still be sent on this TCP connection until a FIN is sent in this direction as well. The side that closes first performs the active close, and the other side performs the passive close, as shown in the figure.

(1) First wave: the client sends a FIN to close the client-to-server data transfer, and the client enters the FIN_WAIT_1 state.
(2) Second wave: on receiving the FIN, the server sends an ACK to the client with acknowledgment number = received sequence number + 1 (like a SYN, a FIN occupies one sequence number), and the server enters the CLOSE_WAIT state.
(3) Third wave: the server sends a FIN to close the server-to-client data transfer, and the server enters the LAST_ACK state.
(4) Fourth wave: on receiving the FIN, the client enters the TIME_WAIT state and then sends an ACK to the server with acknowledgment number = received sequence number + 1. The server enters the CLOSED state, completing the four waves.

The above is the case where one side closes actively and the other closes passively. In practice, both sides can also initiate an active close at the same time; the process is shown in the following figure:
Figure 4 Simultaneous wave

The process and states are already very clear in the figure and are not repeated here; refer to the four-wave steps above.

IV. Notes

The three-way handshake and four waves come up as typical interview questions, presented here for readers who need them:

(1) What is the three-way handshake, and what is its process? What about the four waves?
    The answer is the analysis above.
(2) Why does establishing a connection take a three-way handshake while closing it takes four waves?
    This is because the server, in the LISTEN state, on receiving the SYN message requesting a connection, puts the ACK and SYN in one message sent to the client. When closing the connection, receiving the other side's FIN message only means that the other side will send no more data but can still receive data. You may not have sent all your data to the other side yet, so you can either close immediately, or send some more data to the other side and then send a FIN message to indicate that you now agree to close the connection. Therefore, your own ACK and FIN are generally sent separately.
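The sequence and acknowledgment checks from the three handshake steps in section II, written out as an added example (not code from the original article). The Peer class, the function names and the dict layout of a segment are assumptions made for illustration; no packets are sent.

```python
MOD = 2 ** 32  # SEQ and ACK are 32-bit fields, so seq + 1 wraps to 0

class Peer:
    """One endpoint: its initial sequence number (ISN) and TCP state."""
    def __init__(self, isn, state):
        self.isn, self.state = isn % MOD, state

def client_connect(c):
    # (1) First handshake: SYN=1, seq=J; client enters SYN_SENT.
    c.state = "SYN_SENT"
    return {"flags": {"SYN"}, "seq": c.isn, "ack": None}

def server_on_syn(s, m):
    # (2) Second handshake: SYN=1, ACK=1, seq=K, ack=J+1; server enters SYN_RCVD.
    if s.state != "LISTEN" or m["flags"] != {"SYN"}:
        return None
    s.state = "SYN_RCVD"
    return {"flags": {"SYN", "ACK"}, "seq": s.isn, "ack": (m["seq"] + 1) % MOD}

def client_on_synack(c, m):
    # (3) Third handshake, client side: accept only ACK=1 with ack == J+1.
    ok = (c.state == "SYN_SENT" and m["flags"] == {"SYN", "ACK"}
          and m["ack"] == (c.isn + 1) % MOD)
    if not ok:
        return None  # reply to an old or foreign SYN: stay in SYN_SENT
    c.state = "ESTABLISHED"
    return {"flags": {"ACK"}, "seq": (c.isn + 1) % MOD, "ack": (m["seq"] + 1) % MOD}

def server_on_ack(s, m):
    # (3) Third handshake, server side: accept only ACK=1 with ack == K+1.
    if s.state == "SYN_RCVD" and "ACK" in m["flags"] and m["ack"] == (s.isn + 1) % MOD:
        s.state = "ESTABLISHED"
    return s.state  # a wrong ack leaves the connection half-open in SYN_RCVD

def run(j, k, forced_ack=None):
    """Full exchange for ISNs j and k; forced_ack replaces the final ack number."""
    c, s = Peer(j, "CLOSED"), Peer(k, "LISTEN")
    ack = client_on_synack(c, server_on_syn(s, client_connect(c)))
    if forced_ack is not None:
        ack["ack"] = forced_ack
    server_on_ack(s, ack)
    return c.state, s.state, ack["ack"]

if __name__ == "__main__":
    print(run(1000, 5000))         # normal handshake
    print(run(2 ** 32 - 1, 5000))  # client ISN wraps: the SYN-ACK carries ack=0
    print(run(1000, 5000, 4242))   # wrong final ack: server stays in SYN_RCVD
```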
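The detection rule from the SYN attack passage (many half-open connections with random source addresses), applied to netstat output as an added example that is not part of the original article. The sample lines are constructed with documentation addresses, and the function name and both thresholds are assumptions to tune per server.

```python
from collections import defaultdict

# Constructed sample in Linux `netstat -nap` layout (documentation IP ranges).
SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address    Foreign Address      State       PID/Program name"]
    + [f"tcp   0  0  192.0.2.10:80    198.51.100.{i}:{40000 + i}  SYN_RECV    -"
       for i in range(1, 9)]
    + ["tcp   0  0  192.0.2.10:22    203.0.113.5:51514    ESTABLISHED 812/sshd",
       "tcp   0  0  192.0.2.10:443   203.0.113.9:40100    SYN_RECV    -",
       "tcp   0  0  192.0.2.10:443   203.0.113.9:40101    SYN_RECV    -"]
)

def half_open_report(netstat_text, min_half_open=5, min_distinct_ratio=0.8):
    """Group SYN_RECV sockets by local address:port and flag likely SYN attacks.

    A service is flagged when it has at least min_half_open half-open
    connections and at least min_distinct_ratio of them come from different
    source IPs (both thresholds are assumed values, not from the article).
    """
    sources_by_service = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "SYN_RECV":
            continue
        source_ip = fields[4].rsplit(":", 1)[0]  # drop the port, keep IPv4 or IPv6
        sources_by_service[fields[3]].append(source_ip)
    report = {}
    for service, sources in sources_by_service.items():
        distinct = len(set(sources))
        report[service] = {
            "half_open": len(sources),
            "distinct_sources": distinct,
            "suspicious": len(sources) >= min_half_open
                          and distinct / len(sources) >= min_distinct_ratio,
        }
    return report

if __name__ == "__main__":
    for service, row in half_open_report(SAMPLE).items():
        print(service, row)
```

Feed it the live output of the netstat command from the article in place of SAMPLE to check a running server.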
