TCP three-way handshake process

Source: Internet
Author: User

Three-way handshake

Below is the three-way handshake of a TCP connection establishment, captured with the Wireshark packet capture tool:

 

Http://www.cnblogs.com/hnrainll/archive/2011/10/14/2212415.html

For socket developers, TCP connection setup and teardown are handled automatically by the TCP/IP protocol stack, so the developer does not need to control this process. However, it is helpful to understand the underlying TCP mechanism.

In addition, this question is almost mandatory in written examinations for positions such as network protocol engineer. The enthusiasm of companies for this question is beyond my expectation :-). It is sometimes stressed before the interview in the morning and repeated once more; in the afternoon almost everyone is asked it. So here we explain these two processes in detail.

TCP three-way handshake

The so-called three-way handshake means that when a TCP connection is established, the client and the server send a total of three packets. The purpose of the three-way handshake is to connect to the specified port of the server, establish a TCP connection, synchronize the sequence numbers and acknowledgement numbers of both parties, and exchange TCP window size information. In socket programming, the three-way handshake is triggered when the client executes connect().
    • First handshake:
      The client sends a packet with the TCP SYN flag set to 1, indicating the server port it intends to connect to, together with its initial sequence number X (the ISN), which is carried in the sequence number field of the packet header.
    • Second handshake:
      The server sends back a SYN-ACK response: both the SYN flag and the ACK flag are set to 1, and the acknowledgement number is set to the client's ISN plus 1, i.e. X + 1.
    • Third handshake:
      The client sends an ACK in return, with the SYN flag set to 0 and the ACK flag set to 1. The sequence number received from the server plus 1 is placed in the acknowledgement number field and sent to the other party, and the client's own sequence number field carries ISN + 1.

Syn Attack

During the three-way handshake, the TCP connection after the server has sent the SYN-ACK but before it receives the ACK from the client is called a half-open connection; the server is in the SYN_RECV state. When the ACK is received, the server moves to the ESTABLISHED state.

In a SYN attack, the client forges a large number of nonexistent source IP addresses in a short period of time and keeps sending SYN packets to the server. The server replies with its SYN-ACK and waits for the client's acknowledgement; because the source address does not exist, the server has to keep retransmitting until it times out. These forged SYN packets occupy the half-open connection queue for a long time, normal SYN requests are discarded, and the target system becomes slow; in serious cases this causes network congestion or even paralyses the system.

A SYN attack is a typical DDoS attack. Detecting a SYN attack is quite easy: when you see a large number of half-open connections on the server, especially when the source IP addresses are random, it can basically be determined that this is a SYN attack. On Linux, you can run the following command to detect SYN attacks (-n prints numeric addresses, -t selects TCP sockets, and the state name in the netstat output is upper-case):

netstat -nt | grep SYN_RECV
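As an added example that is not part of the original article, the following Python code parses the output of that netstat command and applies the detection rule just described (many half-open connections, mostly from distinct source addresses); the sample output, the thresholds and the function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `netstat -nt` output (same column layout as the real command).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.21:40001     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.22:40002     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.23:40003     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.24:40004     SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.9:55000       ESTABLISHED
"""

def half_open_connections(netstat_output):
    """Return (local_port, source_ip) for every socket in the SYN_RECV state."""
    pairs = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a TCP socket in SYN_RECV
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "SYN_RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]   # rsplit keeps IPv6 addresses intact
        source_ip = fields[4].rsplit(":", 1)[0]
        pairs.append((local_port, source_ip))
    return pairs

def syn_flood_indicator(netstat_output, threshold=3, distinct_ratio=0.8):
    """Heuristic from the text: many half-open connections whose source
    addresses are mostly distinct (random, likely spoofed). The threshold
    values are assumptions; tune them to the server's normal load."""
    pairs = half_open_connections(netstat_output)
    if len(pairs) < threshold:
        return {"suspicious": False, "half_open": len(pairs)}
    sources = {ip for _, ip in pairs}
    by_port = Counter(port for port, _ in pairs)
    return {
        "suspicious": len(sources) / len(pairs) >= distinct_ratio,
        "half_open": len(pairs),
        "distinct_sources": len(sources),
        "targeted_port": by_port.most_common(1)[0][0],
    }
```

In practice feed it the live output, e.g. `syn_flood_indicator(subprocess.check_output(["netstat", "-nt"], text=True))`, and alert on the "suspicious" flag.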

Newer TCP/IP protocol stacks mitigate SYN attacks by modifying the TCP implementation. The main methods are the SynAttackProtect protection mechanism, SYN cookies, increasing the maximum number of half-open connections, and reducing the timeout.

However, SYN attacks cannot be completely prevented.

TCP Four Waves

Tearing down a TCP connection requires four packets, so it is called the four-way wave (also known as the four-way handshake). Either the client or the server can actively initiate the wave. In socket programming, either party can execute the close() operation to trigger it.
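As an added example that is not from the original article, this Python model walks through both the three-way handshake described earlier and the four-way teardown described in this section, showing the sequence and acknowledgement numbers of every segment; the ISN values, the endpoint names and the simplified state bookkeeping are the model's own assumptions.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    seq: int
    ack: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN"}

class Endpoint:
    def __init__(self, name, isn):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn    # next sequence number this side will send (starts at its ISN)
        self.rcv_nxt = 0      # next sequence number expected from the peer

def send(src, dst, flags, src_state, dst_state):
    """Emit one segment from src to dst; update sequence state and both TCP states."""
    seg = Segment(src.name, src.snd_nxt, src.rcv_nxt, frozenset(flags))
    if "SYN" in flags or "FIN" in flags:   # SYN and FIN each consume one sequence number
        src.snd_nxt += 1
    dst.rcv_nxt = src.snd_nxt              # the receiver will acknowledge this number
    src.state, dst.state = src_state, dst_state
    return seg

def three_way_handshake(client, server):
    """Steps 1-3 from the text: SYN (seq=X), SYN+ACK (seq=Y, ack=X+1), ACK (seq=X+1, ack=Y+1)."""
    return [
        send(client, server, {"SYN"}, "SYN_SENT", "SYN_RECV"),           # server now half-open
        send(server, client, {"SYN", "ACK"}, "SYN_RECV", "ESTABLISHED"),
        send(client, server, {"ACK"}, "ESTABLISHED", "ESTABLISHED"),
    ]

def four_way_teardown(closer, peer):
    """close() on one side: FIN and ACK in each direction, four segments in all."""
    return [
        send(closer, peer, {"FIN", "ACK"}, "FIN_WAIT_1", "CLOSE_WAIT"),
        send(peer, closer, {"ACK"}, "CLOSE_WAIT", "FIN_WAIT_2"),
        send(peer, closer, {"FIN", "ACK"}, "LAST_ACK", "TIME_WAIT"),
        send(closer, peer, {"ACK"}, "TIME_WAIT", "CLOSED"),
    ]

def full_session(client_isn=1000, server_isn=5000):
    """Run a complete connect() ... close() exchange; the ISNs are constructed values."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    segments = three_way_handshake(client, server) + four_way_teardown(client, server)
    return segments, client, server
```

Calling full_session() returns the seven segments in order, leaving the client in TIME_WAIT and the server in CLOSED; after the first segment alone the server sits in SYN_RECV, the half-open state the SYN attack section relies on.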


For more information, see the Wireshark packet capture. The captured packets are not strictly in the wave sequence; I guess it is caused by the short interval.

Source URL: http://bluedrum.cublog.cn

 
