Principle of three-way handshake for TCP connections

Source: Internet
Author: User


TCP is connection-oriented. Connection-oriented means that the two parties must establish a connection before any data is transmitted, so a TCP conversation passes through three phases: establishing the connection, transferring data, and releasing the connection. Establishing the connection takes three steps:

Step 1: The requesting end (the client) sends a TCP segment with the SYN (Synchronize) flag set. This SYN segment carries the port the client is using and the client's initial sequence number for the connection.

Step 2: On receiving the client's SYN, the server replies with a SYN + ACK segment, indicating that it accepts the client's request; the acknowledged TCP sequence number is incremented by one (ACK stands for Acknowledgement).

Step 3: The client in turn returns an ACK segment to the server, again with the sequence number incremented by one, and the TCP connection is established. Communication then moves to the second phase, data transfer.

This is the TCP three-way handshake. Put simply (C: client, S: server):

C -> S: SYN
S -> C: SYN + ACK (if the request is accepted)
C -> S: ACK (the connection is now established)

That is the normal case. Now consider the following: suppose that C disappears for no apparent reason after sending its SYN. S sends its SYN + ACK reply but never receives C's ACK, so the third step of the handshake cannot complete. In this situation S will generally retry (resend SYN + ACK to the client) and wait for some time before discarding this unfinished connection. The length of this wait is called the SYN Timeout, and it is generally on the order of minutes (about 30 seconds to 2 minutes).
A single client exception only causes one thread on S to wait for about 1 minute. But if a malicious party reproduces this situation on a large scale, S must spend considerable resources maintaining a very large list of half-open connections: with tens of thousands of half-open entries, even simply storing and traversing the list consumes a lot of CPU time and memory, not to mention the SYN + ACK retransmissions that keep going out to every IP address in that list. If S's TCP/IP stack is not robust enough, the end result is often a stack overflow and a crash. Even if S's system is powerful enough to survive, it will be so busy processing the forged TCP connection requests that it ignores the normal requests from real clients (after all, the rate of legitimate requests from C is tiny by comparison). From a normal client's point of view, S simply stops responding. This is the SYN Flood attack on the server.
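To make the server-side bookkeeping concrete, here is an added Python model (not from the original page) of the half-open connection list described above: a SYN creates an entry, an ACK that acknowledges the server's sequence number completes it, and a periodic sweep retransmits SYN + ACK and discards entries once the SYN Timeout expires. The timeout and retry-interval values, the peer addresses and the sequence-number counter are constructed assumptions; simulate() shows how clients that never send the third ACK leave the list full until the timeout drains it.

```python
SYN_TIMEOUT = 60.0     # seconds a half-open entry is kept (the page: roughly 30 s to 2 min)
RETRY_INTERVAL = 10.0  # assumed gap between SYN+ACK retransmissions (not from the page)


class HandshakeServer:
    """Server side of the three-way handshake, keeping the half-open (semi-connection) list."""

    def __init__(self):
        self.half_open = {}   # (client_ip, client_port) -> [server_isn, opened_at, last_sent, retries]
        self.established = set()
        self.next_isn = 1000  # constructed counter, not a real ISN generator

    def on_syn(self, peer, client_isn, now):
        # Step 2: record the half-open entry and answer SYN+ACK acknowledging client_isn + 1
        isn, self.next_isn = self.next_isn, self.next_isn + 1
        self.half_open[peer] = [isn, now, now, 0]
        return ("SYN+ACK", isn, client_isn + 1)

    def on_ack(self, peer, ack_num):
        # Step 3: the ACK must acknowledge server_isn + 1; anything else is ignored
        e = self.half_open.get(peer)
        if e is None or ack_num != e[0] + 1:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True

    def tick(self, now):
        """Retransmit SYN+ACK for unanswered entries; drop those older than SYN_TIMEOUT."""
        resent = dropped = 0
        for peer, e in list(self.half_open.items()):
            if now - e[1] >= SYN_TIMEOUT:
                del self.half_open[peer]
                dropped += 1
            elif now - e[2] >= RETRY_INTERVAL:
                e[2], e[3] = now, e[3] + 1
                resent += 1
        return resent, dropped


def simulate(n_silent=1000):
    """One honest client plus n_silent clients that never send the third ACK (all constructed)."""
    s = HandshakeServer()
    _, srv_isn, _ = s.on_syn(("10.0.0.5", 40000), 500, now=0.0)
    s.on_ack(("10.0.0.5", 40000), srv_isn + 1)
    for i in range(n_silent):
        s.on_syn(("10.0.1.1", 1024 + i), 7, now=1.0)
    after_retry = (s.tick(now=11.0), len(s.half_open))
    after_timeout = (s.tick(now=61.0), len(s.half_open))
    return len(s.established), after_retry, after_timeout
```

The returned tuple reads: established connections, then (retransmissions, drops) and list size after the first retry sweep, then the same after the SYN Timeout sweep.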
