Three-way handshake

TCP provides connection-oriented communication transport. Connection-oriented refers to the preparation work between the two ends before the data communication starts. That is, before either side sends data to the other, a connection must be established between the two sides.

The three-way handshake means that the client and server send three packets to confirm the establishment of a TCP connection.

Purpose of handshake

The purpose of the three handshakes

  • Synchronize the Sequence numbers and confirmation numbers of the two connected parties

    • ISN (Initial Sequence Number)

  • Exchange TCP window size information

    • Such as MSS, window scaling factor, selective validation, specified checksum algorithm

In Socket programming, this process is triggered by the client executing connect.

  1. First handshake: Establish a connection. The client sends a connection request packet segment, sets the SYN flag bit to 1, randomly generates a Sequence Number with a Sequence Number of X (a Sequence Number of 32 bits is dynamically selected by the operating system), and sends the packet to the server. The client enters the SYN_SENT state. Wait for confirmation from the server.

  2. Second handshake: The server receives a SYN packet segment. Context After receiving the packet, the server needs to acknowledge the SYN packet segment with the flag bit, and set the Acknowledgment Number to X+1 (Sequence Number+1). Set the SYN to 1 and Sequence Number to Y (a 32-bit Sequence Number dynamically selected by the operating system). The server puts all the above information into a packet segment (namely, the SYN+ACK packet segment) and sends it to the client to confirm the connection request. The server enters the SYN_RCVD state.

  3. Third handshake: The client receives a SYN+ACK packet from the server. Should this be acknowledged, set the Acknowledgment Number to Y+1 and send an ACK segment to the server. When this segment is sent, the client and server enter the ESTABLISHED state, completing the three-way handshake, and then data transmission can begin between the client and server.

The packet transmitted during the handshake does not contain data. The client and server start data transmission only after three handshakes are completed. Ideally, once a TCP connection is established, it is maintained until either of the communicating parties voluntarily closes the connection.

Handshake message

The SYN packet

The SYN/ACK packet

ACK packet

Other problems

Disconnected queue

In the three-way handshake protocol, the server maintains a disconnected queue that opens an entry for each client’s SYN packet (SYN =j), which indicates that the server has received the SYN packet, has sent an acknowledgement to the client, and is waiting for the client’s acknowledgement packet. The connection identified by these entries is in the SYN_RECV state on the server. When the server receives a confirmation packet from the client, the entry is deleted and the server enters the ESTABLISHED state.

Why is a three-way handshake required to establish a TCP connection?

The main purpose is to prevent the server from opening useless connections.Copy the code

Because we know that the network is a time delay, because the terminal’s very far distance, between the packets are transmitted through optical fiber and various intermediate proxy servers, but in the process of server and client, usually because of the instability of the network transmission reason lost packets, the client has not received the service side return packets, The client may set a timeout to close the connection creation and then initiate a new request. If there is no third handshake, the service side is did not know whether the client receives the service side to return to his data, the client don’t have a confirmed to close or to create this request, server port has been open, waiting for the client sends the actual request data, then this overhead is to waste, The server does not know that the connection failed. The client may have already created another connection.

Therefore, we need three handshakes to confirm this process, so that the server and client can timely detect the problem of network connection closure caused by network reasons, so as to avoid the server overhead caused by delay in network transmission.

Can the first of three handshakes carry data?

No, because the three-way handshake isn't done yet.Copy the code

Can the third handshake send data? Why?

You can. The host that can send the third handshake packet must receive the second handshake packet from the server. The host with forged IP address does not receive the second packet.Copy the code

Couldn’t the other party cache the data and submit it to the application after the handshake?

SYN FLOOD attacks are amplified. If an attacker forges thousands of handshake messages, carrying 1K+ bytes of data, and the receiver will open up a large cache to accommodate these huge data, the memory will easily run out and the service will be denied.Copy the code

Four times to wave

To terminate a TCP connection, the client and server need to send a total of four packets to confirm the disconnection. In Socket programming, this process is triggered by either the client or the server executing a close.

A TCP connection is full-duplex. Therefore, each direction must be closed separately. After completing the data transmission task, one party sends a FIN to terminate the connection in this direction. However, data can still be sent on this TCP connection until a FIN is also sent in that direction. The party that closes first performs an active shutdown, while the other party performs a passive shutdown.

Four wave flow chart

  1. First wave: The client sets the Sequence Number and sends a FIN packet to disable data transmission from the client to the server. The client enters the FIN_WAIT_1 state. This means “I have no data to send to you from the client”, but if you have data to send from the server, there is no need to close the connection and continue to send data.

  2. Second wave: The server receives the FIN packet segment, replies to the ACK packet segment, Acknowledgment Number = Sequence Number + 1, and tells the client that I have received your request and I agree to close it. At this point the client enters the FIN_WAIT_2 state.

  3. Third wave: When the server confirms that the data has been sent, it sends a FIN packet to the client to tell the client that the data has been sent and that it is ready to close the connection. The server enters the LAST_ACK state.

  4. Fourth wave: After receiving the FIN packet, the client knows that the connection can be closed. However, the client still does not trust the network. For fear that the server does not know that the connection is closed, the client sends an ACK packet to the server and then enters the TIME_WAIT state. When the server receives an ACK, it knows it is ready to disconnect. If the client waits 2MSL (usually two minutes) and still does not receive a response, the server is shut down and the client can close the connection. Four handshakes were completed.

MSL (Maximum Segment Lifetime) Indicates the Maximum Segment Lifetime of packets. Time-wait state is maintained for 2MSL to ensure that the port is unavailable for at least one round trip packet.

  • The first wave is when the server confirms that the client needs to disconnect

  • The second wave is when the client confirms that the server has received the disconnect request

  • The third wave is when the client confirms that the server has finished sending data and disconnects

  • The fourth wave is when the server confirms that the client is disconnected and disconnects

Therefore, if the server sends all the data, there is no third wave, and directly enters the fourth wave.

Why does it take four waves to disconnect a TCP connection?

TCP connection adopts full-duplex communication mode, so each direction must be closed separately. In this principle, when one party completes its data transmission task, it can send a FIN to terminate the connection in this direction. Receiving a FIN only means that there is no data flow in that direction, and a TCP connection can still send data after receiving a FIN. The party that closes first performs an active shutdown and the other party performs a passive shutdown.

Why do TCP-based applications often have an application-layer heartbeat detection mechanism?

After TCP establishes the link, only maintains the TCP information in the two ends of the kernel, actually does not have a physical connection path, the peer end of this time hangs, who also does not know.

TCP state machine

  • 11 kinds of state

    • CLOSED

    • LISTEN

    • SYN-SENT

    • RECEIVED

    • ESTABLISHED

    • CLOSE-WAIT

    • LAST-ACK

    • FIN-WAIT1

    • FIN-WAIT2

    • CLOSING

    • TIME-WAIT

  • Three types of events

    • SYN

    • FIN

    • ACK

keep-alive

TCP keep-alive function

Linux TCP Keep Alive

  • Send heartbeat cycle

    • Linux: net.ipv4.tcp_keepalive_time = 7200

  • Probe packet sending interval

    • net.ipv4.tcp_keepalive_intvl = 75

  • Number of probe packet retries

    • net.ipv4.tcp_keepalive_probes = 9

SYN FLOOD attack

Attack principle:

The attacker forges SYN packets with different IP addresses for a short period of time, quickly fills the backlog queue, and the server cannot serve normal users.Copy the code

  • net.core.netdev_max_backlog

    • The queue length of packets received from the nic but not processed by the kernel protocol stack

  • net.ipv4.tcp_max_syn_backlog

    • SYN_RCVD Maximum number of state connections

  • net.ipv4.tcp_abort_on_overflow

    • When the processing capacity exceeds, the SYN packet is returned to RST and the connection is discarded

udp

User Datagram Protocol (UDP), also known as the User Data Packet Protocol, is a simple Datagram oriented transport layer Protocol formally specified as RFC 768.

In the TCP/IP model, UDP provides a simple interface above the network layer and below the application layer. UDP provides only unreliable delivery of data and does not retain a backup of data once it has sent the data sent by the application to the network layer (hence UDP is sometimes referred to as an unreliable datagram protocol). UDP adds only reuse and validation to the header of an IP datagram.Copy the code

The characteristics of

  • UDP eliminates connection establishment (reduces latency)

  • UDP is best delivered, that is, reliable delivery is not guaranteed, so hosts do not need to maintain complex link states

  • The header of UDP has a small overhead of only 8 bytes, which is shorter than TCP’s 20 bytes header

  • UDP does not have congestion control, so congestion on the network does not reduce the sending rate of the source host (useful for real-time applications, such as live broadcasting and real-time video conferencing).

  • UDP supports one-to-one, one-to-many, many-to-one, and many-to-many interactive communication

practice

Udp-based protocols include:

  • Domain Name System (DNS)

  • Simple Network Management Protocol (SNMP)

  • Dynamic Host Configuration Protocol (DHCP)

  • Routing Information Protocol (RIP)

  • Bootstrap Protocol (BOOTP)

  • Simple File Transfer Protocol (TFTP)

Data communication form

  • Simplex data transmission supports data transmission in only one direction

  • Half duplex data transmission allows data to be transmitted in both directions, but, at one time, allows data to be transmitted in only one direction. It is actually a kind of directional switching simplex communication

  • Full-duplex data communication allows data to be transmitted in two directions at the same time. Therefore, full-duplex communication is the combination of two simplex communication modes, which requires both the sending device and the receiving device to have independent receiving and sending capabilities

TCP and udp

agreement connectivity Duplex sex reliability Has xu sex boundedness Congestion control Transmission speed Order of magnitude Head size
TCP connection-oriented Full duplex (1:1) Reliable (retransmission mechanism) Ordered (by SYN sort) No, there is bag contamination There are slow low 20 ~ 60 bytes
UDP There is no connection n:m Unreliability (Data loss after packet loss) A disorderly There are message boundaries, no dip packets There is no fast high 8 bytes