TCP/IP protocol three-way handshake and four-way wave process explained (RPM)

Source: Internet
Author: User

I. TCP message format
The following is a TCP message format diagram:
Several fields need to be highlighted:
(1) Sequence number: the seq number, 32 bits, identifies the byte stream sent from the TCP source to the destination; the initiator marks its data with it when sending.
(2) Acknowledgment number: the ack number, 32 bits. The acknowledgment number field is valid only when the ACK flag bit is 1; ack=seq+1.
(3) Flags: 6 in total, namely URG, ACK, PSH, RST, SYN and FIN, with the following meanings:
(A) URG: The urgent pointer is valid.
(B) ACK: The acknowledgment number is valid.
(C) PSH: The receiver should hand this message to the application layer as soon as possible.
(D) RST: Resets the connection.
(E) SYN: Initiates a new connection.
(F) FIN: Releases a connection.

II. Three-way handshake
The so-called three-way handshake establishes a TCP connection: when a connection is set up, the client and the server send a total of 3 packets to confirm it. In socket programming this process is triggered by the client executing connect. The whole process is as follows:
(1) First handshake: the client sets the SYN flag bit to 1, randomly generates a value seq=J, and sends the packet to the server; the client enters the SYN_SENT state and waits for the server.
(2) Second handshake: on receiving the packet, the server knows from the flag bit SYN=1 that the client is requesting a connection. The server sets the flag bits SYN and ACK to 1, sets ack=J+1, randomly generates a value seq=K, and sends the packet to the client to confirm the connection request; the server enters the SYN_RCVD state.
(3) Third handshake: on receiving the acknowledgment, the client checks whether ack is J+1 and whether ACK is 1. If so, it sets the flag bit ACK to 1, sets ack=K+1, and sends the packet to the server. The server checks whether ack is K+1 and whether ACK is 1; if so, the connection is established, the client and the server enter the ESTABLISHED state, the three-way handshake is complete, and the client and the server can then start transmitting data.
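The header fields from section I and the ack checks in the three steps above can be exercised in code. This is an added example, not part of the original article; the function names, ports and the values of J and K are constructed for illustration, and J is chosen so that J+1 wraps around the 32-bit sequence space.

```python
import struct

# Flag bits in the low 6 bits of the 16-bit offset/flags word of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HDR = struct.Struct("!HHIIHHHH")  # ports, seq, ack, offset+flags, window, checksum, urgent
MOD = 2 ** 32                     # seq and ack are 32-bit values and wrap around


def build_segment(sport, dport, seq, ack, flags):
    """Build a constructed 20-byte header (no options, checksum left at 0)."""
    word = (5 << 12) | sum(FLAGS[f] for f in flags)  # data offset = 5 words
    return HDR.pack(sport, dport, seq % MOD, ack % MOD, word, 65535, 0, 0)


def parse_segment(raw):
    """Decode the fixed header into ports, seq, ack and the set of flag names."""
    if len(raw) < HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, word, _win, _sum, _urg = HDR.unpack(raw[:HDR.size])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {name for name, bit in FLAGS.items() if word & bit}}


def check_handshake(first, second, third):
    """Return 'ok' or the first handshake rule the three segments break."""
    a, b, c = (parse_segment(s) for s in (first, second, third))
    if a["flags"] != {"SYN"}:
        return "step 1 is not a bare SYN"
    if b["flags"] != {"SYN", "ACK"}:
        return "step 2 is not SYN+ACK"
    if b["ack"] != (a["seq"] + 1) % MOD:
        return "step 2 ack is not J+1"
    if "ACK" not in c["flags"] or "SYN" in c["flags"]:
        return "step 3 lacks ACK or repeats SYN"
    if c["ack"] != (b["seq"] + 1) % MOD:
        return "step 3 ack is not K+1"
    return "ok"


# Constructed exchange: J is the largest 32-bit value, so J+1 wraps to 0.
J, K = 0xFFFFFFFF, 1000
SYN = build_segment(40000, 80, J, 0, ["SYN"])
SYN_ACK = build_segment(80, 40000, K, J + 1, ["SYN", "ACK"])
ACK = build_segment(40000, 80, J + 1, K + 1, ["ACK"])
BAD_ACK = build_segment(40000, 80, J + 1, K, ["ACK"])  # acknowledges K, not K+1
```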
SYN attack:
During the three-way handshake, the TCP connection after the server has sent the SYN-ACK and before it has received the client's ACK is called a half-open connection, and the server is in the SYN_RCVD state. When the ACK is received, the server moves to the ESTABLISHED state. In a SYN attack, the client forges a large number of non-existent IP addresses in a short period of time and continuously sends SYN packets to the server. The server replies with acknowledgment packets and waits for the client's confirmation; because the source addresses do not exist, the server has to keep retransmitting until it times out. These forged SYN packets occupy the queue of not-yet-established connections for a long time, so normal SYN requests are discarded because the queue is full, causing network congestion and even system paralysis. The SYN attack is a typical DDoS attack. Detecting it is very simple: when the server has a large number of half-open connections and the source IP addresses are random, you can conclude that a SYN attack is under way. Use the following command to check for it:
# netstat -nap | grep SYN_RECV
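The two conditions named above (many half-open connections, random source addresses) can be checked mechanically over the netstat output. This is an added example, not part of the original article; the sample output is constructed with documentation address ranges, and the function names and both thresholds are assumptions to tune for the server in question.

```python
from collections import defaultdict

# Constructed netstat-style sample: 8 half-open entries on port 80 from
# 8 different sources, plus one unrelated half-open entry on port 22.
SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address Foreign Address State",
     "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN",
     "tcp 0 0 192.0.2.10:22 203.0.113.5:50022 ESTABLISHED",
     "tcp 0 0 192.0.2.10:22 203.0.113.5:50023 SYN_RECV"]
    + [f"tcp 0 0 192.0.2.10:80 198.51.100.{i}:{40000 + i} SYN_RECV"
       for i in range(1, 9)]
)


def half_open_by_port(netstat_text):
    """Map local port -> list of source IPs that hold a SYN_RECV entry."""
    sources = defaultdict(list)
    for line in netstat_text.splitlines():
        cols = line.split()
        # Columns: proto, recv-q, send-q, local, foreign, state [, pid/program]
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "SYN_RECV":
            continue
        port = cols[3].rsplit(":", 1)[1]      # rsplit also copes with IPv6 addresses
        src_ip = cols[4].rsplit(":", 1)[0]
        sources[port].append(src_ip)
    return dict(sources)


def syn_flood_suspects(netstat_text, min_half_open=5, min_unique_ratio=0.8):
    """Ports with many half-open entries whose sources are mostly distinct.

    Both thresholds are assumed values for this demo, not recommendations.
    """
    suspects = {}
    for port, ips in half_open_by_port(netstat_text).items():
        unique = len(set(ips))
        if len(ips) >= min_half_open and unique / len(ips) >= min_unique_ratio:
            suspects[port] = {"half_open": len(ips), "unique_sources": unique}
    return suspects


if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE))
```

A backlog of half-open entries that all come from one address fails the distinct-source test here, so it is not reported by this check.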
III. Four-way wave
The three-way handshake is familiar to everyone, but the four-way wave is probably less so. The so-called four-way wave terminates a TCP connection: when a connection is torn down, the client and the server send a total of 4 packets to confirm the disconnection. In socket programming this process is triggered by either the client or the server executing close. The whole process is as follows:
Because TCP connections are full-duplex, each direction must be closed separately. The principle is that when one side has finished sending its data, it sends a FIN to terminate the connection in that direction. Receiving a FIN only means that no more data will flow in that direction, i.e. no more data will be received, but data can still be sent on the TCP connection until a FIN is sent in this direction too. The side that closes first performs the active close, while the other side performs the passive close, as described below.
(1) First wave: the client sends a FIN to shut down data transfer from client to server, and the client enters the FIN_WAIT_1 state.
(2) Second wave: after receiving the FIN, the server sends an ACK to the client with the acknowledgment number set to the received sequence number + 1 (like a SYN, a FIN occupies one sequence number), and the server enters the CLOSE_WAIT state.
(3) Third wave: the server sends a FIN to shut down data transfer from server to client, and the server enters the LAST_ACK state.
(4) Fourth wave: after receiving the FIN, the client enters the TIME_WAIT state and then sends an ACK to the server with the acknowledgment number set to the received sequence number + 1; the server enters the CLOSED state, completing the four-way wave.
The above is the case where one side closes actively and the other side closes passively. In practice there is also the case where both sides initiate an active close; the specific process is as follows:
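Both close sequences can be traced with a small two-endpoint simulation. This is an added example, not part of the original article; the class and function names are constructed, and the FIN_WAIT_2 and CLOSING states come from the standard TCP state diagram rather than from the steps listed above.

```python
from collections import deque


class Endpoint:
    """One side of an established connection, tracking only close-related states."""

    def __init__(self):
        self.state = "ESTABLISHED"
        self.trace = ["ESTABLISHED"]

    def _go(self, state):
        self.state = state
        self.trace.append(state)

    def close(self):
        """The application calls close(): send our FIN."""
        self._go({"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state])
        return "FIN"

    def receive(self, segment):
        """Handle the peer's FIN or the ACK of our FIN; return the reply, if any."""
        if segment == "FIN":
            self._go({"ESTABLISHED": "CLOSE_WAIT", "FIN_WAIT_1": "CLOSING",
                      "FIN_WAIT_2": "TIME_WAIT"}[self.state])
            return "ACK"
        self._go({"FIN_WAIT_1": "FIN_WAIT_2", "CLOSING": "TIME_WAIT",
                  "LAST_ACK": "CLOSED"}[self.state])
        return None


def simulate_close(simultaneous):
    """Return (client_trace, server_trace) for a normal or simultaneous close."""
    client, server = Endpoint(), Endpoint()
    wire = deque([(server, client.close())])       # queue of (receiver, segment)
    if simultaneous:
        wire.append((client, server.close()))      # both FINs cross on the wire
    while wire:
        receiver, segment = wire.popleft()
        sender = client if receiver is server else server
        reply = receiver.receive(segment)
        if reply:
            wire.append((sender, reply))
        if receiver.state == "CLOSE_WAIT":         # passive side closes in turn,
            wire.append((sender, receiver.close()))  # so its ACK and FIN are separate
    # TIME_WAIT ends on a timer (2*MSL), which is not simulated here.
    return client.trace, server.trace


if __name__ == "__main__":
    print(simulate_close(False))
    print(simulate_close(True))
```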


The process and states are already very clear in the figure and are not repeated here; refer to the analysis of the four-wave steps above.

IV. Notes
The three-way handshake and four-way wave are the subject of typical interview questions, which are listed here for reference by those who need them:
(1) What is the three-way handshake, or what is its process? What about the four-way wave? The answer is the analysis above.
(2) Why does establishing a connection take a three-way handshake, while closing it takes a four-way wave?
This is because the server, in the LISTEN state, puts the ACK and the SYN into a single message to the client after receiving the SYN message requesting a connection. When closing a connection, receiving the other side's FIN message only indicates that the other side will send no more data but can still receive data; one's own side may not yet have sent all of its data to the other side. So it can either close immediately or send some more data to the other side and then send a FIN message to express agreement to close the connection now. Therefore one's own ACK and FIN are generally sent separately.
