TCP/IP protocol analysis: the three-way handshake and the four-way wave
I. TCP segment format
For more information about the TCP/IP protocol, see "TCP/IP protocol details". The following figure shows the TCP segment format:
Figure 1 TCP Message format
Several fields need to be described:
(1) Sequence number: Seq, 32 bits. It identifies the byte stream sent from the TCP source to the destination; the sender marks it when it sends data.
(2) Acknowledgment number: Ack, 32 bits. It is valid only when the ACK flag is 1. In the handshake below, Ack = Seq + 1.
(3) Flags: there are 6 in total: URG, ACK, PSH, RST, SYN and FIN. Their meanings are as follows:
(A) URG: the urgent pointer is valid.
(B) ACK: the acknowledgment number is valid.
(C) PSH: the receiver should deliver the data to the application layer as soon as possible.
(D) RST: reset the connection.
(E) SYN: initiate a new connection.
(F) FIN: release a connection.
Note that:
(A) Do not confuse the Ack number with the ACK flag.
(B) The responder's Ack = the initiator's Seq + 1; the two are paired.
II. Three-way handshake
The so-called three-way handshake establishes a TCP connection: the client and the server send a total of three packets to confirm that the connection is established. In socket programming, the client triggers this process by calling connect. The entire process is shown in Figure 2:
Figure 2 TCP three-way handshake
(1) First handshake: the Client sets the SYN flag to 1, generates a random value seq = J, and sends the packet to the Server. The Client enters the SYN_SENT state and waits for confirmation from the Server.
(2) Second handshake: when the Server receives the packet, SYN = 1 tells it that the Client is requesting a connection. The Server sets both SYN and ACK to 1, sets ack = J + 1, generates a random value seq = K, and sends the packet to the Client to confirm the connection request. The Server enters the SYN_RCVD state.
(3) Third handshake: when the Client receives the confirmation, it checks that ack is J + 1 and ACK is 1. If so, it sets the ACK flag to 1, sets ack = K + 1, and sends the packet to the Server. The Server checks that ack is K + 1 and ACK is 1. If so, the connection is established: the Client and Server enter the ESTABLISHED state, the three-way handshake is complete, and the Client and Server can begin to transmit data.
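The three steps above, as an added simulation that is not part of the original article: it models only the SYN/ACK flags, the seq/ack numbers and the connection states in the article's own notation (seq = J, seq = K, ack = J + 1, ack = K + 1), with no real sockets. The `Segment`, `Endpoint` and handshake function names are this example's own. The `tamper_final_ack` option shows the check in the third handshake doing its job: a final ACK whose ack number is not K + 1 leaves the Server in SYN_RCVD.

```python
# Added example, not from the original article: a minimal model of the TCP
# three-way handshake with the seq/ack checks each side performs.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Segment:
    """The handful of TCP header fields the handshake depends on."""
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False   # the ACK *flag*, distinct from the ack *number*


@dataclass
class Endpoint:
    name: str
    isn: int                     # initial sequence number (J for the Client, K for the Server)
    state: str = "CLOSED"
    peer_isn: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def _goto(self, state: str) -> None:
        self.log.append(f"{self.name}: {self.state} -> {state}")
        self.state = state


def client_send_syn(client: Endpoint) -> Segment:
    """First handshake: SYN = 1, seq = J; Client -> SYN_SENT."""
    client._goto("SYN_SENT")
    return Segment(seq=client.isn, syn=True)


def server_handle_syn(server: Endpoint, syn: Segment) -> Optional[Segment]:
    """Second handshake: on a SYN, reply SYN = 1, ACK = 1, ack = J + 1, seq = K; Server -> SYN_RCVD."""
    if server.state != "LISTEN" or not syn.syn:
        return None
    server.peer_isn = syn.seq
    server._goto("SYN_RCVD")
    return Segment(seq=server.isn, ack=syn.seq + 1, syn=True, ack_flag=True)


def client_handle_synack(client: Endpoint, synack: Segment) -> Optional[Segment]:
    """Third handshake: check ACK = 1 and ack == J + 1, then send ACK = 1, ack = K + 1."""
    if client.state != "SYN_SENT" or not (synack.syn and synack.ack_flag):
        return None
    if synack.ack != client.isn + 1:
        return None                      # does not acknowledge our SYN: ignore it
    client.peer_isn = synack.seq
    client._goto("ESTABLISHED")
    # The SYN consumed one sequence number, so the Client's next seq is J + 1.
    return Segment(seq=client.isn + 1, ack=synack.seq + 1, ack_flag=True)


def server_handle_ack(server: Endpoint, ack: Optional[Segment]) -> bool:
    """The Server checks ACK = 1 and ack == K + 1 before moving to ESTABLISHED."""
    if ack is None or server.state != "SYN_RCVD":
        return False
    if not ack.ack_flag or ack.ack != server.isn + 1:
        return False
    server._goto("ESTABLISHED")
    return True


def three_way_handshake(J: int, K: int, tamper_final_ack: bool = False):
    """Run the exchange and return (client, server). tamper_final_ack replaces the
    third packet with one whose ack number is wrong, which the Server must reject."""
    client = Endpoint("client", isn=J)
    server = Endpoint("server", isn=K, state="LISTEN")
    syn = client_send_syn(client)
    synack = server_handle_syn(server, syn)
    final_ack = client_handle_synack(client, synack)
    if tamper_final_ack and final_ack is not None:
        final_ack = Segment(seq=final_ack.seq, ack=final_ack.ack + 5, ack_flag=True)
    server_handle_ack(server, final_ack)
    return client, server


if __name__ == "__main__":
    c, s = three_way_handshake(J=1000, K=5000)
    print("\n".join(c.log + s.log))
    print(c.state, s.state)
```

Each handler returns the segment the other side would put on the wire, so the trace in `log` follows the state changes the article lists: SYN_SENT, SYN_RCVD, then ESTABLISHED on both ends.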
SYN attack:
In the three-way handshake, the connection between the Server sending its SYN-ACK and receiving the Client's ACK is called a half-open connection; the Server is in the SYN_RCVD state, and when the ACK arrives it moves to ESTABLISHED. In a SYN attack, the Client spoofs a large number of nonexistent IP addresses in a short time and keeps sending SYN packets to the Server. The Server replies with its confirmation packet and waits for the Client's confirmation. Because the source address does not exist, the Server must retransmit until it times out. These forged SYN packets occupy the half-open connection queue for a long time, so normal SYN requests are discarded because the queue is full, which can cause network congestion or even bring the system down. A SYN attack is a typical DDoS attack. Detecting a SYN attack is simple: when the Server has a large number of half-open connections and the source IP addresses are random, you can conclude that a SYN attack is under way. Use the following command to check for one:
# netstat -nap | grep SYN_RECV
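The detection rule just stated (many half-open connections, scattered source addresses), as an added example that is not part of the original article: it parses lines in the column layout of `netstat -nap` output and applies the heuristic over them. The sample lines below are constructed for this example, with addresses from the RFC 5737 documentation ranges; the thresholds in `syn_flood_suspected` are illustrative values, not figures from the article.

```python
# Added example, not from the original article: count SYN_RECV entries per
# source address in netstat-style output and flag the pattern the article
# describes (many half-open connections from mostly distinct sources).
from collections import Counter
import re

# Constructed sample in the Proto / Recv-Q / Send-Q / Local / Foreign / State
# / PID column layout of `netstat -nap`. Addresses are documentation ranges.
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:80         203.0.113.7:51234       ESTABLISHED 1042/nginx
tcp        0      0 192.0.2.10:80         198.51.100.23:41512     SYN_RECV    -
tcp        0      0 192.0.2.10:80         198.51.100.77:41513     SYN_RECV    -
tcp        0      0 192.0.2.10:80         198.51.100.91:41514     SYN_RECV    -
tcp        0      0 192.0.2.10:80         198.51.100.140:41515    SYN_RECV    -
tcp        0      0 192.0.2.10:443        203.0.113.9:60001       SYN_RECV    -
tcp        0      0 192.0.2.10:22         203.0.113.50:33000      ESTABLISHED 812/sshd
"""

# Foreign Address (IPv4 only, to keep the example short) and State columns.
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+(?P<state>[A-Z_0-9]+)"
)


def half_open_sources(netstat_text: str) -> Counter:
    """Return a Counter of source IP -> number of SYN_RECV entries."""
    sources: Counter = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("state") == "SYN_RECV":
            sources[m.group("src")] += 1
    return sources


def syn_flood_suspected(netstat_text: str,
                        min_half_open: int = 5,
                        min_distinct_ratio: float = 0.8) -> dict:
    """Apply the article's heuristic: a large number of half-open connections whose
    sources look random (almost every SYN_RECV entry has a different source).
    The thresholds are illustrative; tune them to the host's normal load."""
    sources = half_open_sources(netstat_text)
    total = sum(sources.values())
    distinct = len(sources)
    ratio = distinct / total if total else 0.0
    return {
        "half_open": total,
        "distinct_sources": distinct,
        "distinct_ratio": round(ratio, 2),
        "suspected": total >= min_half_open and ratio >= min_distinct_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_suspected(SAMPLE_NETSTAT))
```

Feeding it live output would look like `syn_flood_suspected(subprocess.check_output(["netstat", "-nap"], text=True))` on a host whose netstat prints the same columns; the distinct-source ratio is what separates a flood from a busy but legitimate server, where a few clients account for most half-open entries.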
III. Four-way wave
The three-way handshake is familiar. The so-called four-way wave ends a TCP connection: when a TCP connection is torn down, the client and the server send a total of four packets to confirm the disconnection. In socket programming, either the client or the server triggers this process by calling close. The entire process is shown in Figure 3:
Figure 3 TCP Four Waves
Because a TCP connection is full duplex, each direction must be closed independently. The principle is that once one party has finished sending data, it sends a FIN to terminate the connection in that direction. Receiving a FIN means the peer has no more data to send in that direction, so no more data will arrive from it; however, data can still be sent over the TCP connection until a FIN is also sent in this direction. The party that closes first performs an active close, and the other party performs a passive close, as described below.
(1) First wave: the Client sends a FIN to close data transmission from the Client to the Server. The Client enters the FIN_WAIT_1 state.
(2) Second wave: after the Server receives the FIN, it sends an ACK to the Client, with the acknowledgment number equal to the received sequence number + 1 (as with SYN, a FIN occupies one sequence number). The Server enters the CLOSE_WAIT state.
(3) Third wave: the Server sends a FIN to close data transmission from the Server to the Client, and the Server enters the LAST_ACK state.
(4) Fourth wave: after the Client receives the FIN, the Client enters the TIME_WAIT state and sends an ACK to the Server, with the acknowledgment number equal to the received sequence number + 1. The Server enters the CLOSED state, and the four-way wave is complete.
The above is the case where one party closes actively and the other closes passively. In practice both sides may also close at the same time. The process is as follows:
Figure 4 simultaneous waving
The process and states have already been described, so I will not repeat them here; refer to the four-way wave steps above.
IV. Notes
The three-way handshake and four-way wave are typical interview questions. Here are some for readers' reference:
(1) What is the three-way handshake, and what is its process? What about the four-way wave? The answer is described above.
(2) Why does establishing a connection take three handshakes while closing it takes four waves?
This is because when the server, in the LISTEN state, receives the SYN packet that requests a connection, it can put the ACK and SYN in one packet and send it to the client. When closing the connection, receiving the other party's FIN only means that the other party will send no more data but can still receive data; this side may not yet have sent all of its own data to the other party, so it may not be able to close the connection immediately. It can still send some data to the other party and then send its FIN to agree to close the connection. Therefore the ACK and the FIN are usually sent separately.
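The four waves of section III and the half-close reasoning in this answer, as one added simulation that is not part of the original article: after the Client's FIN the Server ACKs it at once, keeps sending data it still has queued, and only then sends its own FIN, so the ACK and the FIN travel in separate segments. FIN_WAIT_2 is the standard TCP state the Client sits in between the second and third waves; the article does not name it. The `Segment`, `Endpoint`, `send_fin`, `send_data` and `receive` names are this example's own, the initial sequence numbers are constructed, and no real sockets are used.

```python
# Added example, not from the original article: a model of the four-way wave
# showing the half-close (data still flows from the passive side after it has
# acknowledged the peer's FIN) and that each FIN consumes one sequence number.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Segment:
    seq: int
    ack: int = 0
    fin: bool = False
    ack_flag: bool = False
    data: bytes = b""


@dataclass
class Endpoint:
    name: str
    snd_nxt: int                     # next sequence number we will send
    rcv_nxt: int                     # next sequence number we expect from the peer
    state: str = "ESTABLISHED"
    received: bytes = b""
    log: List[str] = field(default_factory=list)

    def _goto(self, state: str) -> None:
        self.log.append(f"{self.name}: {self.state} -> {state}")
        self.state = state


def can_send_data(ep: Endpoint) -> bool:
    """Data may be sent while ESTABLISHED, and by the passive side while in CLOSE_WAIT,
    but not once this side has sent its own FIN."""
    return ep.state in ("ESTABLISHED", "CLOSE_WAIT")


def send_fin(ep: Endpoint) -> Segment:
    """Wave 1 (active close) or wave 3 (passive side's FIN). The FIN takes one sequence number."""
    seg = Segment(seq=ep.snd_nxt, ack=ep.rcv_nxt, fin=True, ack_flag=True)
    ep.snd_nxt += 1
    ep._goto("FIN_WAIT_1" if ep.state == "ESTABLISHED" else "LAST_ACK")
    return seg


def send_data(ep: Endpoint, payload: bytes) -> Segment:
    if not can_send_data(ep):
        raise ValueError(f"{ep.name} cannot send data in state {ep.state}")
    seg = Segment(seq=ep.snd_nxt, ack=ep.rcv_nxt, ack_flag=True, data=payload)
    ep.snd_nxt += len(payload)
    return seg


def receive(ep: Endpoint, seg: Optional[Segment]) -> Optional[Segment]:
    """Process one incoming segment; return the ACK to send back, if any."""
    if seg is None:
        return None
    if seg.ack_flag and seg.ack == ep.snd_nxt:      # everything we sent, FIN included, is acknowledged
        if ep.state == "FIN_WAIT_1":
            ep._goto("FIN_WAIT_2")                  # our FIN was ACKed (wave 2 received)
        elif ep.state == "LAST_ACK":
            ep._goto("CLOSED")                      # wave 4 received
            return None
    if seg.data:
        ep.received += seg.data
        ep.rcv_nxt += len(seg.data)
    if seg.fin:
        ep.rcv_nxt += 1                             # the peer's FIN occupies one sequence number
        if ep.state == "ESTABLISHED":
            ep._goto("CLOSE_WAIT")                  # wave 1 received: ACK it, keep sending
        elif ep.state == "FIN_WAIT_2":
            ep._goto("TIME_WAIT")                   # wave 3 received: send wave 4
    if seg.data or seg.fin:
        return Segment(seq=ep.snd_nxt, ack=ep.rcv_nxt, ack_flag=True)
    return None


def four_way_wave(pending_server_data: bytes = b"last bytes"):
    """Client closes actively; the Server may still have data to send before its FIN."""
    client = Endpoint("client", snd_nxt=1001, rcv_nxt=5001)   # constructed sequence numbers
    server = Endpoint("server", snd_nxt=5001, rcv_nxt=1001)
    ack1 = receive(server, send_fin(client))           # wave 1 -> Server replies with wave 2
    receive(client, ack1)                              # Client: FIN_WAIT_1 -> FIN_WAIT_2
    if pending_server_data:                            # half-close: Server still sends data
        data_ack = receive(client, send_data(server, pending_server_data))
        receive(server, data_ack)
    ack3 = receive(client, send_fin(server))           # wave 3 -> Client replies with wave 4
    receive(server, ack3)                              # Server: LAST_ACK -> CLOSED
    return client, server


if __name__ == "__main__":
    c, s = four_way_wave()
    print("\n".join(c.log + s.log))
    print(c.state, s.state, c.received)
```

Because the Server is still allowed to call `send_data` in CLOSE_WAIT, its ACK of the Client's FIN (wave 2) and its own FIN (wave 3) cannot be merged into one segment the way SYN and ACK are in the handshake; that is the four-versus-three difference the question asks about.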