Analysis of the TCP three-way handshake process
TCP (Transmission Control Protocol)
TCP is the Transmission Control Protocol of the host-to-host (transport) layer. It provides a reliable, connection-oriented service and uses a three-way handshake to establish a connection:
The flag bits are the TCP control flags; there are six of them: SYN (synchronize), ACK (acknowledgment), PSH (push), FIN (finish), RST (reset), URG (urgent).
Sequence number and Acknowledgment number.
First handshake: host A sends a packet with SYN=1 and a randomly generated sequence number seq=1234567 to the server; from SYN=1, host B knows that A wants to establish a connection;
Second handshake: host B receives the request and, to confirm the connection, sends back a packet with ack number = (host A's seq + 1), SYN=1, ACK=1, and a randomly generated seq=7654321;
Third handshake: host A receives it and checks that the ack number is correct, i.e. that it equals the seq it first sent plus 1, and that the ACK flag is 1. If so, host A sends a packet with ack number = (host B's seq + 1) and ACK=1; host B receives it, confirms the seq value and ACK=1, and the connection is established.
Once the three-way handshake is complete, host A and host B begin transmitting data.
In the TCP/IP protocol suite, TCP provides a reliable connection service and uses a three-way handshake to establish a connection.
First handshake: to establish a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server to confirm;
Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ACK=J+1) while also sending a SYN packet of its own (SYN=K), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state;
Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgment packet ACK (ACK=K+1) to the server. Once this packet is sent, the client and server enter the ESTABLISHED state and the three-way handshake is complete. The client and server then begin to transfer data.
Example:
IP 192.168.1.116.3337 > 192.168.1.123.7788: S 3626544836:3626544836
IP 192.168.1.123.7788 > 192.168.1.116.3337: S 1739326486:1739326486 ack 3626544837
IP 192.168.1.116.3337 > 192.168.1.123.7788: ack 1739326487
First handshake: 192.168.1.116 sends a packet with SYN=1 and a randomly generated sequence number seq=3626544836 to 192.168.1.123; from SYN=1, 192.168.1.123 knows that 192.168.1.116 wants to establish a connection;
Second handshake: 192.168.1.123 receives the request and, to confirm the connection, sends back a packet with ack number=3626544837, SYN=1, ACK=1, and a randomly generated seq=1739326486 to 192.168.1.116;
Third handshake: 192.168.1.116 receives it and checks that the ack number is correct, i.e. the seq it sent the first time plus 1, and that the ACK flag is 1. If so, 192.168.1.116 sends another packet with ack number=1739326487 and ACK=1; 192.168.1.123 receives it, confirms seq=seq+1 and ACK=1, and the connection is established.
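The exchange above, reduced to the checks each side actually performs, as an added example that is not part of the original article. It is a small Python model of the two endpoints: each side tracks only the connection-setup states (CLOSED, LISTEN, SYN_SENT, SYN_RECV, ESTABLISHED), the client accepts the SYN+ACK only if its acknowledgment number equals the client's ISN+1, and the server accepts the final ACK only if it acknowledges the server's ISN+1. The two ISNs are the constructed values taken from the trace above; the `tamper_ack` switch shows what happens when the acknowledgment number is wrong, and sequence numbers wrap modulo 2^32 as in a real stack. The class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example ISNs: the two values from the tcpdump-style trace above.
CLIENT_ISN = 3626544836
SERVER_ISN = 1739326486
MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    """Only the header fields the handshake depends on."""
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False

    def describe(self) -> str:
        flags = "+".join(f for f, on in (("SYN", self.syn), ("ACK", self.ack_flag)) if on)
        return f"{flags or '-':<8} seq={self.seq} ack={self.ack}"


@dataclass
class Endpoint:
    """A minimal TCP endpoint that tracks only the connection-setup states."""
    name: str
    isn: int
    state: str = "CLOSED"
    snd_nxt: int = 0  # next sequence number this side will send
    rcv_nxt: int = 0  # next sequence number expected from the peer

    # ---- client side -------------------------------------------------
    def connect(self) -> Segment:
        """First handshake: send SYN carrying our ISN, enter SYN_SENT."""
        self.snd_nxt = (self.isn + 1) % MOD32  # the SYN consumes one sequence number
        self.state = "SYN_SENT"
        return Segment(seq=self.isn, syn=True)

    def on_syn_ack(self, s: Segment) -> Optional[Segment]:
        """Third handshake: accept the SYN+ACK only if it acknowledges our ISN+1."""
        if self.state != "SYN_SENT" or not (s.syn and s.ack_flag) or s.ack != self.snd_nxt:
            return None  # wrong ack number: stay in SYN_SENT and send nothing
        self.rcv_nxt = (s.seq + 1) % MOD32
        self.state = "ESTABLISHED"
        return Segment(seq=self.snd_nxt, ack=self.rcv_nxt, ack_flag=True)

    # ---- server side -------------------------------------------------
    def listen(self) -> None:
        self.state = "LISTEN"

    def on_syn(self, s: Segment) -> Optional[Segment]:
        """Second handshake: reply SYN+ACK with ack = client seq + 1, enter SYN_RECV."""
        if self.state != "LISTEN" or not s.syn or s.ack_flag:
            return None
        self.rcv_nxt = (s.seq + 1) % MOD32
        self.snd_nxt = (self.isn + 1) % MOD32
        self.state = "SYN_RECV"
        return Segment(seq=self.isn, ack=self.rcv_nxt, syn=True, ack_flag=True)

    def on_ack(self, s: Segment) -> bool:
        """The final ACK must carry ack = our ISN+1 and seq = the client's ISN+1."""
        if (self.state != "SYN_RECV" or not s.ack_flag
                or s.ack != self.snd_nxt or s.seq != self.rcv_nxt):
            return False
        self.state = "ESTABLISHED"
        return True


def handshake(client_isn: int = CLIENT_ISN, server_isn: int = SERVER_ISN,
              tamper_ack: bool = False):
    """Run the three-way handshake; optionally corrupt the SYN+ACK's ack number."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    syn = client.connect()
    syn_ack = server.on_syn(syn)
    if tamper_ack:
        syn_ack.ack = (syn_ack.ack + 1) % MOD32  # simulate a wrong acknowledgment number
    ack = client.on_syn_ack(syn_ack)
    if ack is not None:
        server.on_ack(ack)
    return client, server, [syn, syn_ack, ack]


if __name__ == "__main__":
    c, s, segs = handshake()
    for seg in segs:
        print(seg.describe())
    print(c.state, s.state)
```

Running it prints the three segments with seq/ack values matching the trace (the SYN+ACK acknowledges 3626544837, the final ACK acknowledges 1739326487). With `tamper_ack=True` the client never leaves SYN_SENT and the server is left half-open in SYN_RECV, which is exactly the state the SYN attack section below relies on.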
Graphic:
The three-way handshake process (Fig. 1, Fig. 2)
(Fig. 1)
(Fig. 2)
Flag bits of the first handshake (Fig. 3)
We can see that only the synchronize bit is set in the flags: this is the request (SYN).
(Fig. 3)
Flag bits of the second handshake (Fig. 4)
We can see that both the acknowledgment bit and the synchronize bit are set in the flags: this is the reply (SYN + ACK).
(Fig. 4)
Flag bits of the third handshake (Fig. 5)
We can see that only the acknowledgment bit is set in the flags: this is the re-confirmation (ACK).
(Fig. 5)
A full three-way handshake is therefore request, reply, confirm again.
------------------------------------------------------------------------------------------------
TCP three-way handshake
The so-called three-way handshake means that to establish a TCP connection, the client and server must exchange a total of 3 packets. The purpose of the three-way handshake is to connect to the specified port on the server, establish the TCP connection, synchronize the sequence numbers and acknowledgment numbers of both parties, and exchange TCP window size information. In socket programming, the client's call to connect() triggers the three-way handshake.
- First handshake:
The client sends a packet with the TCP SYN flag set to 1, indicating the server port the client intends to connect to, together with its initial sequence number x, carried in the Sequence Number field of the header.
- Second handshake:
The server replies with an acknowledgment packet (ACK) in which both the SYN flag and the ACK flag are 1; the acknowledgment number is set to the client's ISN plus 1, i.e. x+1.
- Third handshake:
The client sends another acknowledgment packet (ACK), with the SYN flag 0 and the ACK flag 1. It takes the sequence number from the server's packet, adds 1, and places it in the acknowledgment number field sent to the other side; the segment's own sequence number is the client's ISN plus 1.
SYN attack
During the three-way handshake, after the server has sent the SYN-ACK and before it receives the client's ACK, the TCP connection is called a half-open connection, and the server is in the SYN_RECV state. When the ACK arrives, the server enters the ESTABLISHED state.
In a SYN attack, the attacking client forges a large number of non-existent source IP addresses in a short time and keeps sending SYN packets to the server. The server replies with an acknowledgment packet and waits for the client's confirmation; because the source addresses do not exist, the server has to keep retransmitting until it times out. These forged SYN packets occupy the half-open connection queue for a long time, so normal SYN requests are discarded, the target system slows down, and in severe cases the network becomes congested and the system is paralysed.
A SYN attack is a typical DDoS attack. Detecting a SYN attack is easy: when you see a large number of half-open connections on the server, especially with random source IP addresses, you can basically conclude that it is a SYN attack. On Linux, you can check for a SYN attack with:
netstat -n -p TCP | grep SYN_RECV
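The two signals named above, many SYN_RECV entries and random source addresses, can be turned into a small triage script. The following Python is an added example, not part of the original article: it parses the table layout that `netstat -n -p TCP` prints on Linux, counts half-open connections per local port, and flags a port only when the count is high and the sources are mostly distinct (a single client retrying is not a flood). The `netstat` output is constructed for the example, using the 203.0.113.0/24 documentation range for the forged sources; the thresholds and the function names are this example's own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the layout of `netstat -n -p TCP` on Linux
# (forged sources drawn from the 203.0.113.0/24 documentation range).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.123:7788      192.168.1.116:3337      ESTABLISHED -
tcp        0      0 192.168.1.123:7788      203.0.113.11:40001      SYN_RECV    -
tcp        0      0 192.168.1.123:7788      203.0.113.52:40002      SYN_RECV    -
tcp        0      0 192.168.1.123:7788      203.0.113.93:40003      SYN_RECV    -
tcp        0      0 192.168.1.123:7788      203.0.113.7:40004       SYN_RECV    -
tcp        0      0 192.168.1.123:7788      203.0.113.140:40005     SYN_RECV    -
tcp        0      0 192.168.1.123:7788      203.0.113.201:40006     SYN_RECV    -
tcp        0      0 192.168.1.123:22        10.0.0.5:50001          SYN_RECV    -
tcp        0      0 192.168.1.123:22        10.0.0.5:50002          SYN_RECV    -
tcp        0      0 192.168.1.123:22        10.0.0.5:50003          SYN_RECV    -
"""

Row = Tuple[str, int, str, int, str]
# proto, recv-q, send-q, local ip:port, foreign ip:port, state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text: str) -> List[Row]:
    """Extract (local_ip, local_port, foreign_ip, foreign_port, state) from each tcp row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, fip, fport, state = m.groups()
            rows.append((lip, int(lport), fip, int(fport), state))
    return rows


def half_open_report(rows: List[Row], min_half_open: int = 5,
                     min_distinct_ratio: float = 0.8) -> Dict[int, dict]:
    """Per local port: number of SYN_RECV entries, number of distinct sources,
    and whether that looks like a flood (many half-open, mostly unique source IPs)."""
    sources = defaultdict(list)
    for _lip, lport, fip, _fport, state in rows:
        if state == "SYN_RECV":
            sources[lport].append(fip)
    report = {}
    for port, ips in sources.items():
        distinct = len(set(ips))
        ratio = distinct / len(ips)
        report[port] = {
            "half_open": len(ips),
            "distinct_sources": distinct,
            "suspicious": len(ips) >= min_half_open and ratio >= min_distinct_ratio,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(half_open_report(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(port, info)
```

On the sample, port 7788 is reported with six half-open connections from six distinct addresses and is flagged, while port 22 has three half-open connections that all come from one host and is not. In practice you would run the script against live output (`netstat -n -p TCP | python3 script.py` with `sys.stdin.read()` in place of the sample) and tune the two thresholds to the server's normal load.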
In general, newer TCP/IP protocol stacks change this process and modify the TCP implementation to defend against SYN attacks. The main methods are the SynAttackProtect mechanism, SYN cookie technology, increasing the maximum number of half-open connections, and shortening the timeout.
However, these measures do not fully protect against SYN attacks.
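Of the defences listed, SYN cookies are the one that removes the half-open queue from the picture entirely, so here is a simplified model of the idea as an added example (not the article's own code, and not the exact bit layout used by Linux or any other stack). The server does not store anything when it sends the SYN+ACK; instead it chooses its initial sequence number as a keyed hash of the connection 4-tuple and a coarse time counter. When the third-handshake ACK arrives, the acknowledgment number minus 1 is that ISN, and the server recomputes the hash to decide whether the ACK belongs to a SYN+ACK it really sent. Forged SYNs therefore cost no memory, and stale or fabricated ACKs are rejected. The secret key, the 8-bit counter layout, the 2-tick validity window, and the function names are this example's own assumptions.

```python
import hashlib
import hmac

# Constructed demo secret; a real stack uses random keys generated at boot.
SECRET = b"constructed-demo-secret"
COUNTER_BITS = 8                      # top 8 bits of the ISN: coarse time counter (simplified)
HASH_BITS = 32 - COUNTER_BITS         # remaining 24 bits: truncated keyed hash
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAX_AGE = 2                           # accept cookies minted at most 2 counter ticks ago


def _mac(src_ip: str, src_port: int, dst_ip: str, dst_port: int, counter: int) -> int:
    """Keyed hash of the 4-tuple and the counter, truncated to HASH_BITS."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int, counter: int) -> int:
    """Server ISN for the SYN+ACK. Nothing is stored: the ISN itself carries the state."""
    return ((counter & COUNTER_MASK) << HASH_BITS) | _mac(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(ack_number: int, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 now_counter: int) -> bool:
    """On the third-handshake ACK, recover the ISN (ack - 1) and verify it."""
    isn = (ack_number - 1) % (1 << 32)
    counter = isn >> HASH_BITS
    age = (now_counter - counter) & COUNTER_MASK  # counter wraps modulo 2^COUNTER_BITS
    if age > MAX_AGE:
        return False  # stale cookie: old ISNs cannot be replayed indefinitely
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    got = isn & HASH_MASK
    return hmac.compare_digest(got.to_bytes(3, "big"), expected.to_bytes(3, "big"))


if __name__ == "__main__":
    # Constructed 4-tuple reused from the trace earlier in the article.
    cookie = make_cookie("192.168.1.116", 3337, "192.168.1.123", 7788, counter=10)
    print("SYN+ACK seq (cookie):", cookie)
    print("valid ACK accepted:", check_cookie(cookie + 1, "192.168.1.116", 3337, "192.168.1.123", 7788, 10))
    print("wrong port rejected:", check_cookie(cookie + 1, "192.168.1.116", 3338, "192.168.1.123", 7788, 10))
    print("expired rejected:", check_cookie(cookie + 1, "192.168.1.116", 3337, "192.168.1.123", 7788, 13))
```

The trade-off this illustrates is why the article says the defences are not complete: with only 24 bits of hash, the server cannot encode negotiated options such as window scaling in the cookie, and a legitimate client whose ACK is lost cannot be helped by a retransmitted SYN+ACK because the server remembers nothing.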
TCP four-way wave
Tearing down a TCP connection requires sending four packets, hence the name four-way wave (four-way handshake). Either the client or the server can initiate the wave; in socket programming, either side calling close() produces a wave.
TCP/IP three-way handshake and four-way wave explained