One, TCP message format
For more information on TCP/IP protocol, see the three volumes of the TCP/IP protocol. The following is a TCP message format diagram:
Figure 1 TCP Message Format
There are several fields that need to be highlighted below:
(1) Serial number: SEQ sequence number, which is 32 bits, is used to identify the byte stream sent from the TCP source end to the destination, which is flagged when the initiator sends the data.
(2) Confirm the serial number: ACK number, accounting for 32 bits, only the ACK mark bit is 1 o'clock, confirm the ordinal field is valid, ack=seq+1.
(3) Sign: A total of 6, namely Urg, ACK, PSH, RST, SYN, FIN, etc., the specific meaning is as follows:
(A) URG: The emergency pointer (urgent pointer) is effective.
(B) ACK: Confirm the serial number is valid.
(C) PSH: The receiving Party should submit this message to the application layer as soon as possible.
(D) RST: Resets the connection.
(E) SYN: Initiates a new connection.
(F) FIN: Release a connection.
It is important to note that:
(A) Do not confuse the ACK ordinal ack with the acknowledgment in the flag.
(B) Confirmation Party ack= Initiator req+1, paired on both ends.
Tertiary handshake
The so-called three-time handshake (three-way handshake) establishes a TCP connection, which means that when a TCP connection is established, a total of 3 packets are sent by the client and the server to confirm the establishment of the connection. In socket programming, this process is triggered by the client executing connect, as shown in the entire process:
Figure 2 TCP three-time handshake
(1) First handshake: The client will set the flag bit SYN to 1, randomly generate a value seq=j, and send the data packets to server,client into the syn_sent state, waiting for the server to confirm.
(2) Second handshake: After the server receives the packet by the flag bit syn=1 knows the client request to establish a connection, the server sets the flag bit SYN and ACK to 1,ack=j+1, randomly generates a value seq=k, and sends the data packets to the client to confirm the connection request , the server enters the SYN_RCVD state.
(3) Third handshake: After the client receives the acknowledgment, checks whether the ACK is j+1,ack 1, and if correct, resets the flag bit ACK to 1,ack=k+1 and sends the data packets to Server,server to check if the ACK is K+1,ack 1, If the connection is successful, the client and server enter the established state, complete three handshake, and then the client and server can start transmitting data.
SYN attack:
In the three-time handshake process, after the server sends Syn-ack, the TCP connection before the client's ACK is called a half-connection (Half-open Connect), and the server is in SYN_RCVD state when the ACK is received. The server is transferred to the established state. SYN attack is the client in a short period of time to forge a large number of non-existent IP address, and to the server to continuously send SYN packets, the server replies to confirm the package, and wait for client confirmation, because the source address is not present, so the server needs to continue to resend until time-out, These bogus SYN packets take the time to occupy the disconnected queue, causing the normal SYN request to be discarded because the queue is full, causing network congestion and even system paralysis. SYN attack is a typical DDoS attack, the way to detect a SYN attack is very simple, that is, when the server has a large number of semi-connected state and the source IP address is random, you can conclude that the SYN attack, using the following command can be used to present:
#netstat-nap | grep syn_recv
Location waved.
Three times handshake familiar, four times wave estimate, the so-called Four wave (Four-way Wavehand) that is to terminate the TCP connection, that is, when disconnecting a TCP connection, the client and the server will need to send a total of 4 packets to confirm the disconnection of the connection. In socket programming, this process is triggered by executing close on either side of the client or service side, as shown in the entire process:
Figure 3 TCP Four waves
Because the TCP connection is full-duplex, each direction must be closed separately, the principle is that when a party completes the data sending task, send a fin to terminate the connection in this direction, the receipt of a fin just means that there is no data flow in this direction, no longer receive data, However, the data can still be sent on this TCP connection until fin is sent in this direction. The first party to close will perform the active shutdown, while the other side performs a passive shutdown, as described.
(1) First wave: The client sends a fin to turn off the client to server data transfer, the client enters the fin_wait_1 state.
(2) Second wave: After receiving fin, the server sends an ACK to the client, confirming that the sequence number is received sequence number +1 (same as SYN, one fin occupies a serial number), and the server enters the close_wait state.
(3) Third wave: The server sends a fin to shut down the server-to-client data transfer, and the server enters the Last_ack state.
(4) The fourth wave: After the client receives fin, the client enters the TIME_WAIT state, and then sends an ACK to the server, confirming that the serial number is received +1,server enter the closed state, complete four waves.
The above is the case that one side actively shuts down, the other side is passively closed, in fact, there will also be a case of initiating active shutdown, the specific process such as:
Figure 4 waving at the same time
Process and status in the already very clear, here no longer repeat, you can refer to the previous four waves wave resolution steps.
Iv. notes
On the three-time handshake and four waves usually have a typical face test, which is presented for the needs of the XDJM for reference:
(1) What is the three-time handshake or process? How about four handshakes? The answer to the previous analysis is.
(2) Why the connection is three times the handshake, but close the connection is four times waving it?
This is because the server is in the listen state, after receiving the SYN message to establish the connection request, the ACK and SYN are placed in a message sent to the client. And when the connection is closed, when the other side of the fin message, only to indicate that the other party no longer send the data but also can receive data, you may not all the data are sent to each other, so you can immediately close, you can send some data to each other, then send fin message to the other side to express the consent to now close the connection, Therefore, your own ACK and fin are generally divided into the development of send.
TCP/IP protocol three handshake and four waves