1. TCP

1.1 concept

  • Connection-oriented, reliable, byte-stream-based transport protocol.
  • Application-layer data is divided into segments and sent to the TCP layer of the target node.
  • Each segment carries a sequence number. After receiving it, the other party sends an ACK to confirm. If the sender does not receive the ACK, it retransmits the segment.
  • Uses checksums to detect errors during transmission.

1.2 TCP Header

1.3 Description of the Fields in the TCP Header

1. Source Port and Destination Port:

IP addresses are used to distinguish different hosts. If the source port number and destination port number are combined with the source IP address and destination IP address in the IP header, a TCP connection can be uniquely determined.

2. Sequence Number:

It identifies the byte stream sent from the TCP sender to the TCP receiver: it is the sequence number, within the data stream, of the first byte in the segment. It is used to solve the problem of out-of-order packets.

3. Acknowledgment Number:

The 32-bit acknowledgment number contains the next sequence number that the sender of the acknowledgment expects to receive, so it is the sequence number of the last byte successfully received plus 1. This field is valid only if the ACK flag (described below) is 1. It is mainly used to solve the problem of packet loss.

4. Offset:

Gives the number of 32-bit words in the header. This value is needed because the length of the optional fields is variable. The field is 4 bits wide, so a TCP header is at most 60 bytes. Without optional fields, the normal length is 20 bytes.

5. TCP Flags:

There are six flag bits in the TCP header, many of which can be set to 1 at the same time. They are mainly used to control the TCP state machine: URG, ACK, PSH, RST, SYN, and FIN. Each flag bit has the following meaning:

  • URG: This flag indicates that the TCP packet's urgent pointer field (more on that later) is valid. It is used to ensure that the TCP connection is not interrupted and to urge intermediate devices to process the data as quickly as possible.

  • ACK: Indicates that the acknowledgment field is valid, that is, the TCP packet includes an acknowledgment number. There are two values: 0 and 1. If the value is 1, the acknowledgment field is valid; if it is 0, the field is not valid.

  • PSH: This flag bit represents the Push operation. A Push operation is when a packet arrives at the receiving end and is immediately sent to the application rather than queued in a buffer.

  • RST: This flag indicates a connection reset request. It is used to reset connections that generated errors, and it is also used to reject faulty and invalid packets.

  • SYN: Indicates sequence number synchronization and is used to establish a connection. The SYN and ACK flag bits are used together: in a connection request, SYN=1 and ACK=0; in the reply, SYN=1 and ACK=1. Packets with this flag are often used for port scanning. The scanner sends a packet containing only SYN. If the host responds with a packet, it indicates that the host has this port open. However, this scanning method performs only the first handshake of the TCP three-way handshake. Therefore, the success of this scanning method indicates that the scanned machine is not very secure. A secure host will force a connection to strictly perform the TCP three-way handshake.

  • FIN: Indicates that the sender reaches the end of data transmission, that is, data transmission is complete and no data can be transmitted. After the TCP packet with the FIN flag bit is sent, the connection is disconnected. Packets with this flag are also often used for port scanning.

6. Window:

Sliding window size (flow control).

7. Checksum:

Parity check. The checksum is calculated in 16-bit words over the entire TCP segment, including the TCP header and the TCP data. It is calculated and stored by the sender and verified by the receiver.

8. Urgent Pointer:

The urgent pointer is valid only when the URG flag is set to 1. It is a positive offset that is added to the value in the sequence number field to give the sequence number of the last byte of the urgent data. TCP urgent mode is a way for the sender to send urgent data to the other end.

9. Options and Padding:

The most common optional field is the Maximum Segment Size (MSS). Each connection usually specifies this option in the first segment of the communication (the segment in which the SYN flag is set to 1 to establish the connection). It indicates the maximum segment length that the local end can accept. The option length does not have to be a multiple of 32 bits, so padding is added, that is, extra zero bits are appended to ensure that the TCP header length is a multiple of 32 bits.

10. Data:

The data part of the TCP packet segment is optional. When a connection is established and when a connection is terminated, only the TCP header is exchanged. If one party has no data to send, the header without any data is also used to acknowledge the received data. In many cases of processing timeouts, a segment of the message without any data is also sent.

2. Three-way handshake

2.1 the reason

Why you need three handshakes:

  • IP is a connectionless communication protocol located in the network layer. IP is only responsible for sending IP packets to the destination, but does not guarantee that they are delivered. Therefore, a connection-oriented mode is adopted in the transport layer to ensure data delivery.

2.2 concept

The three-way handshake means that the client and server send three packets to confirm the establishment of a TCP connection. In socket programming, this process is triggered by the client executing connect.

2.3 Flow chart of the three-way handshake

2.4 Explanation of flow chart

  • First handshake: The client sets the SYN flag bit to 1, randomly generates a value seq=J, and sends the packet to the server. The client enters the SYN_SENT state and waits for the confirmation from the server.
  • Second handshake: When the server receives the packet, the flag bit SYN=1 tells it that the client is requesting a connection. The server sets the SYN and ACK flag bits to 1, sets ack=J+1, randomly generates a value seq=K, and sends the packet to the client to confirm the connection request. The server enters the SYN_RCVD state.
  • Third handshake: After receiving the confirmation, the client checks whether ack is J+1 and the ACK flag is 1. If so, the client sets the ACK flag bit to 1, sets ack=K+1, and sends the packet to the server. The server checks whether ack is K+1 and the ACK flag is 1. If so, the client and server enter the ESTABLISHED state and the three-way handshake is complete. Data can then be transferred between the client and server.

2.5 Security Risks

2.5.1 Initial Handshake — SYN times out

The server receives the SYN from the client but never receives the ACK reply. As a result, the server retries again and again until it times out.

2.5.2 SYN Flood Attacks

In a short period of time, malicious programs repeatedly send connection requests to the server but do not respond to the server's replies. As a result, the server keeps retransmitting, which occupies its resources until it crashes.

2.5.3 Handling SYN Flood Attacks

  • When the SYN queue is full, the server sends back SYN cookies; this is enabled with the tcp_syncookies parameter
  • If the connection is legitimate, the client sends the SYN cookie back to establish the connection
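
A simplified sketch of the SYN cookie idea, tied to the seq=J, ack=J+1, seq=K, ack=K+1 exchange from 2.4. This is an added example, not part of the original article and not the Linux kernel's actual cookie layout; the secret, the 8-bit time counter, the function names and the addresses are assumptions.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # assumption: random per-boot server key
M32 = 2**32

def make_cookie(conn, client_isn, t):
    """Server ISN K = 8-bit time counter + 24 bits of a keyed hash over the
    4-tuple and the client ISN J, so no per-connection state is stored."""
    msg = repr(conn).encode() + struct.pack("!IB", client_isn, t & 0xFF)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((t & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

def server_on_syn(conn, seq_j, t):
    """Second handshake: SYN=1, ACK=1, seq=K (the cookie), ack=J+1."""
    return {"flags": {"SYN", "ACK"}, "seq": make_cookie(conn, seq_j, t),
            "ack": (seq_j + 1) % M32}

def server_on_ack(conn, pkt, now_t, max_age=2):
    """Third handshake: accept only if ack-1 is a fresh cookie we issued."""
    if pkt["flags"] != {"ACK"}:
        return False
    k = (pkt["ack"] - 1) % M32            # client acknowledges K+1
    j = (pkt["seq"] - 1) % M32            # client now sends from J+1
    t = k >> 24
    if (now_t - t) % 256 > max_age:       # cookie too old
        return False
    expected = make_cookie(conn, j, t)
    return hmac.compare_digest(struct.pack("!I", k), struct.pack("!I", expected))

def demo():
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)  # constructed 4-tuple
    j = 1000
    synack = server_on_syn(conn, j, t=5)
    good = {"flags": {"ACK"}, "seq": j + 1, "ack": (synack["seq"] + 1) % M32}
    forged = dict(good, ack=(good["ack"] + 7) % M32)     # guessed, not issued
    return (server_on_ack(conn, good, now_t=5),
            server_on_ack(conn, forged, now_t=5),
            server_on_ack(conn, good, now_t=9))          # replayed too late
```

Because the server recomputes K from the returning ACK instead of looking it up, a flood of unanswered SYNs consumes no queue entries, while a client that completes the handshake is still accepted.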

2.6 The Client Fails After a Connection is Established

2.6.1 Keepalive mechanism

The server sends probe packets to the client. If no response is received, it continues to send probe packets until a response is received or the number of keepalive probes reaches the threshold.

3. Four-way wave

3.1 the reason

A TCP connection is full-duplex. Therefore, each direction must be closed separately. After completing its data transmission, one party sends a FIN to terminate the connection in its direction. However, data can still be sent in the other direction on this TCP connection until a FIN is also sent in that direction.

3.2 concept

To terminate a TCP connection, the client and server need to send a total of four packets to confirm the disconnection. In socket programming, this process is triggered by either the client or the server executing a close.

3.3 Flow chart of the four-way wave

3.4 Why Does the Client Need to Wait in TIME_WAIT After Sending the Last ACK Packet

  • Ensure that there is sufficient time for the ACK packet to be received
  • Avoid confusion between old and new connections

3.5 Causes of a Large Number of CLOSE_WAIT States on the Server

The client closed the socket connection, but the server was busy with read or write.

Procedure:

  • Check the code, especially the resource release code
  • Check the configuration, especially the thread configuration for handling requests

4. TCP sliding window

4.0 Must-know terms

RTT

The time between sending a packet and receiving the corresponding ACK

RTO

Retransmission interval (calculated from RTT)

4.1 Functions of the sliding window

TCP uses sliding windows for flow control and for reordering out-of-order data