TCP connection: three handshakes and four waves

Compared with socket developers, the TCP creation process and link division process areTCP/IP protocol stackAutomatically created. Therefore, developers do not need to control this process, but it is quite helpful to understand the underlying TCP operating mechanism.

So here we will explain these two processes in detail.

TCP three-way handshake

The so-called three-way handshake means that when a TCP connection is establishedClientAndServerA total of three packages are sent.

Three-way handshakePurposeYesConnect to the serverSpecifyPort, Establishes a TCP connection, synchronizes the serial numbers and validation numbers of both parties, and exchanges
TCP window size. In socket programming, when the client executes connect. Three handshakes are triggered.

 

• First handshake:

ClientSend a packet with tcp syn flag position 1 to specify the port of the server to which the customer intends to connect, and the initial serial number X, which is saved in the sequencenumber field of the packet header.

 

• Second handshake:

Server backConfirm package(ACK) response. That isSYN flag bitAndACK flagWhen both bits and bits are 1, acknowledgement
Number) is set to the customer's ISN plus 1 to. x + 1.

• The third handshake.

 ClientResendConfirm package(ACK) SYN flag is 0, and ACK flag is 1. in addition, the serial number field + 1 sent from the server is placed in the confirmation field and sent to the other party. and write the ISN's + 1 in the data segment.

Syn Attack

InThree-way handshakeIn process,ServerAfter the SYN-ACK is sent, the TCP connection before receiving the ACK from the client is calledSemi-join(Half-Open
Connect). The server is in the syn_recv state. When Ack is received, the server is transferred to the established state.

Syn AttackIs to attack the client in a short timeForgeryLargeThe specified IP address does not exist., Continuously send Syn packets to the server, the server replies to the confirmation packet, and waits for the customer's confirmation. Because the source address does not exist, the server needs to resend continuously until it times out.Counterfeit SYN PacketWill be used for a long timeUnconnected queueNormal SYN requests are discarded, and the target system runs slowly. In severe cases, network congestion or even system paralysis occurs.

SYN attacks are typical.DDoS Attack. It is very convenient to detect SYN attacks. When you see a large number of semi-connection statuses on the server, especially when the source IP address is random, it can basically be determined that this is a SYN attack. in Linux, you can run the following command to detect SYN Attacks:

Netstat-n-ptcp | grep syn_recv

Generally, the new TCP/IP protocol stack fixes the process to prevent SYN attacks and modifies the TCP protocol implementation. The main methods include SynAttackProtect protection mechanism, Syn
Cookies technology, increase the maximum half connection, and shorten the timeout time.

However, SYN attacks cannot be completely prevented.

TCP Four Waves

The removal of the TCP connection requires four packets, so it is called Four-wayhandshake ). Client or serverCan be actively initiatedIn socket programming, the close () operation can be performed by any party.