Unlike the socket calls that developers make explicitly, TCP connection setup and teardown are carried out automatically by the TCP/IP stack, so developers do not need to control these processes. It is nevertheless very helpful to understand the underlying mechanism of TCP, and for network protocol engineers it is almost mandatory material in written tests. I was surprised at how enthusiastic companies are about this issue :-) so here is a detailed explanation of both processes.

1. TCP packet format

For details on the TCP/IP protocol, see the three-volume TCP/IP Protocol In Detail (TCP/IP Illustrated). The following is the TCP packet format diagram:

[Figure: TCP packet format diagram (image not reproduced)]
Note that:

(A) Do not confuse the Acknowledgement Number field with the ACK flag bit.

(B) The responder's Acknowledgement Number = the initiator's Sequence Number + 1, and the two values are paired at both ends.

2. TCP three-way handshake

The three-way handshake is the process of establishing a TCP connection, during which the client and server send a total of three packets. Its purpose is to connect to the specified port of the server, establish the TCP connection, synchronize the sequence numbers and acknowledgement numbers of both parties, and exchange TCP window size information. In socket programming, the three-way handshake is triggered when the client calls connect().

The first handshake:

The client sends a TCP packet with the SYN flag bit set to 1, indicating the server port to which it intends to connect, and its initial sequence number X, which is stored in the Sequence Number field of the packet header.

The second handshake:

The server replies with a SYN-ACK packet: the SYN flag bit and the ACK flag bit are both set to 1, the Acknowledgement Number field is set to the client's ISN plus 1 (X + 1), and the server places its own initial sequence number in the Sequence Number field.

The third handshake:

The client sends an ACK packet with the SYN flag bit set to 0 and the ACK flag bit set to 1. It takes the Sequence Number of the server's SYN-ACK, adds 1, places the result in the Acknowledgement Number field, and sends the packet to the server. Its own Sequence Number field carries its ISN plus 1 (X + 1).
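As an added example (not code from the original post), the following Python script packs and parses the 20-byte TCP header described in section 1 and checks that three constructed packets form a valid handshake with the pairing described above; the ports and the initial sequence numbers X and Y are chosen arbitrarily.

```python
import struct

# Flag bits in the 16-bit "data offset / reserved / flags" word of the TCP header
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SEQ_MOD = 1 << 32  # sequence and acknowledgement numbers wrap modulo 2^32

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header (no options); checksum is left at 0."""
    offset_flags = (5 << 12) | flags  # data offset = 5 32-bit words, reserved bits 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)

def parse_tcp_header(data):
    """Unpack the fixed header; the ACK flag bit and the Acknowledgement Number
    field are returned as separate keys so the two 'ACKs' are not confused."""
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack_num": ack,
        "data_offset": offset_flags >> 12,
        "syn": bool(offset_flags & FLAG_SYN),
        "ack": bool(offset_flags & FLAG_ACK),
        "fin": bool(offset_flags & FLAG_FIN),
        "window": window,
    }

def check_handshake(pkts):
    """True only if the three headers form SYN(seq=X) -> SYN+ACK(seq=Y, ack=X+1)
    -> ACK(seq=X+1, ack=Y+1), with sequence-number wraparound taken into account."""
    if len(pkts) != 3:
        return False
    p1, p2, p3 = (parse_tcp_header(p) for p in pkts)
    x, y = p1["seq"], p2["seq"]
    ok1 = p1["syn"] and not p1["ack"]
    ok2 = p2["syn"] and p2["ack"] and p2["ack_num"] == (x + 1) % SEQ_MOD
    ok3 = (not p3["syn"]) and p3["ack"] \
        and p3["seq"] == (x + 1) % SEQ_MOD and p3["ack_num"] == (y + 1) % SEQ_MOD
    return ok1 and ok2 and ok3

# Constructed handshake: client port 40000 -> server port 80, ISNs X and Y picked arbitrarily
X, Y = 1000, 5000
HANDSHAKE = [
    build_tcp_header(40000, 80, X, 0, FLAG_SYN),                   # first handshake
    build_tcp_header(80, 40000, Y, X + 1, FLAG_SYN | FLAG_ACK),    # second handshake
    build_tcp_header(40000, 80, X + 1, Y + 1, FLAG_ACK),           # third handshake
]
```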

The SYN attack

During the three-way handshake, the state of a TCP connection after the server has sent its SYN-ACK but before it has received the client's ACK is called a half-open connection; the server is in the SYN_RECV state. After receiving the ACK, the server enters the ESTABLISHED state.

In a SYN attack, the attacking client forges, in a short time, a large number of SYN packets from IP addresses that do not exist and sends them to the server. The server responds to each one and waits for the client's confirmation; because the source addresses do not exist, the server keeps retransmitting until the timeout, so the forged SYN packets occupy the half-open connection queue for a long time. Normal SYN requests are discarded, the target system runs slowly, and in the worst case the system breaks down. A SYN attack is a typical DDoS attack.

Detecting a SYN attack is straightforward: when you see a large number of half-open connections on a server, especially with random source IP addresses, you can basically conclude that it is a SYN attack. On Linux, the following command shows whether the server is under a SYN attack:

netstat -n -t | grep SYN_RECV

Relatively new TCP/IP protocol stacks modify the TCP implementation to mitigate SYN attacks. The main methods include the SynAttackProtect protection mechanism, SYN cookies, raising the maximum number of connections, and shortening the timeout. However, these cannot fully defend against SYN attacks.

3. TCP four-way wave (connection teardown)

Tearing down a TCP connection requires sending four packets, so it is called a four-way handshake, or the "four waves". Either the client or the server can initiate the waving action. In socket programming, either side can call close() to trigger it.

Why does it take three handshakes to establish a connection but four waves to close it?

This is because when the server in the LISTEN state receives a SYN request, it can send its ACK and its SYN to the client in a single packet. When closing a connection, however, receiving the other side's FIN only means that the peer will send no more data; the peer can still receive data. The local side may not yet have sent all of its own data to the peer, so it cannot close immediately: it first acknowledges the FIN with an ACK, may still send some remaining data, and only then sends its own FIN to tell the other side that it now agrees to close the connection. Therefore the ACK and the FIN are usually sent separately.