TCP three-way handshake (connect) and four-way wave (close)
From the SOCKET developer's point of view, creating and tearing down a TCP connection is done automatically by the TCP/IP protocol stack, so the developer does not need to control this process. Understanding the underlying TCP mechanism is still quite helpful.

- First handshake:
The client sends a TCP packet with the SYN flag set to 1, indicating that the client intends to connect to a server port. It also carries the initial sequence number X, stored in the Sequence Number field of the packet header.

- Second handshake:
The server sends back an acknowledgement packet (ACK) in response. The SYN flag and the ACK flag are both set to 1, and the Acknowledgement Number is set to the client's ISN + 1, namely X + 1.

- Third handshake:
The client sends another acknowledgement packet (ACK), with the SYN flag set to 0 and the ACK flag set to 1. It takes the sequence number field sent by the server, adds 1, and places the result in the acknowledgement field sent to the other side. In the data segment it writes ISN + 1.

The SYN attack
During the three-way handshake, after the server has sent its SYN-ACK and before it has received the client's ACK, the TCP connection is called a half-open connection (half-open connect). At this point the server is in the SYN_RECV state. Once the ACK is received, the server enters the ESTABLISHED state.
In a SYN attack, the attacking client forges a large number of nonexistent source IP addresses within a short period and keeps sending SYN packets to the server. The server replies with acknowledgement packets and waits for the clients' confirmation. Because the source addresses do not exist, the server has to keep retransmitting until it times out. The forged SYN packets occupy the half-open connection queue for a long time, normal SYN requests are discarded, and the target system runs slowly; in serious cases this causes network congestion or even system paralysis.
The SYN attack is a typical DDoS attack. Detecting a SYN attack is very easy: when you see a large number of half-open connections on the server, especially with random source IP addresses, you can basically conclude that it is a SYN attack. Under Linux, the following command can be used to check for a SYN attack:
netstat -n -p TCP | grep SYN_RECV
Newer TCP/IP protocol stacks generally modify this process to guard against SYN attacks by changing the TCP implementation. The main methods are the SynAttackProtect protection mechanism, SYN cookies, increasing the maximum number of half-open connections, and shortening the timeout.
But these cannot completely prevent SYN attacks.
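An added example (not from the original article) of the detection idea above: it parses `netstat -n` output, counts SYN_RECV entries per local endpoint, and checks how varied the source addresses are. The sample lines, the documentation-range addresses and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of Linux `netstat -n` output (documentation-range addresses).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.77:1993       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.14:52001     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.200:6234     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.131:33870     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.91:18022     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.3:50544      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.3:50610      SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.3:50611      SYN_RECV
"""


def half_open_report(netstat_text, min_half_open=5, min_distinct_ratio=0.8):
    """Map each local endpoint to (half_open_count, distinct_sources, suspicious).

    Both thresholds are assumptions; tune them to the server's normal load.
    """
    sources = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows: proto, recv-q, send-q, local, foreign, state[, pid/program]
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "SYN_RECV":
            continue
        local, foreign = fields[3], fields[4]
        # rsplit removes only the trailing port, so IPv6 addresses stay intact
        sources[local].append(foreign.rsplit(":", 1)[0])

    report = {}
    for local, ips in sources.items():
        distinct = len(set(ips))
        # Many half-open entries from mostly unique sources matches the
        # forged-source pattern described in the text.
        suspicious = (len(ips) >= min_half_open
                      and distinct / len(ips) >= min_distinct_ratio)
        report[local] = (len(ips), distinct, suspicious)
    return report


if __name__ == "__main__":
    for endpoint, result in half_open_report(SAMPLE).items():
        print(endpoint, result)
```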
TCP four-way wave
Tearing down a TCP connection requires sending four packets, so it is called the four-way wave (four-way handshake). Either the client or the server can initiate the wave; in socket programming, either party performing the close() operation produces the wave.

Looking at a Wireshark capture, the measured wave packets did not strictly follow this sequence. I estimate that the time interval was too short.

1. Connection establishment protocol (three-way handshake)
(1) The client sends a TCP packet with the SYN flag to the server. This is packet 1 of the three-way handshake.
(2) The server responds to the client. This is packet 2 of the three-way handshake, and it carries both the SYN and ACK flags. It acknowledges the client's SYN packet and at the same time sends a SYN to the client, asking whether the client is ready for data communication.
(3) The client must respond to the server once more with an ACK packet. This is packet 3.
2. Connection termination protocol (four-way wave)
Because a TCP connection is full-duplex, each direction must be closed independently. The principle is that when one side has finished sending its data, it can send a FIN to terminate that direction. Receiving a FIN only means that no more data will flow in that direction; a TCP connection can still send data after receiving a FIN. The side that closes first performs the active close, while the other side performs the passive close.
(1) The TCP client sends a FIN to close data transfer from the client to the server (packet 4).
(2) The server receives the FIN and sends back an ACK whose acknowledgement number is the received sequence number + 1 (packet 5). Like a SYN, a FIN takes up one sequence number.
(3) The server closes its connection to the client and sends a FIN to the client (packet 6).
(4) The client sends back an ACK and sets the acknowledgement number to the received sequence number + 1 (packet 7).
CLOSED: there is not much to say about this one; it is the initial state.
LISTEN: this state is also easy to understand. It means a SOCKET on the server is in the listening state and can accept connections.
SYN_RCVD: this state means a SYN packet has been received. Under normal circumstances it is an intermediate state of the server SOCKET during the three-way handshake. It is very brief, so it is hard to see with netstat unless you deliberately write a client test program that does not send the final ACK packet of the three-way handshake. In this state, once the client's ACK packet is received, the SOCKET enters the ESTABLISHED state.
SYN_SENT: this state mirrors SYN_RCVD. When the client SOCKET performs CONNECT, it first sends a SYN packet, then enters the SYN_SENT state and waits for the server to send the second packet of the three-way handshake. SYN_SENT means the client has sent the SYN packet.
ESTABLISHED: this is easy to understand; it means the connection has been established.
FIN_WAIT_1: this state needs some explanation. The real meaning of both FIN_WAIT_1 and FIN_WAIT_2 is waiting for the other side's FIN packet. The difference between the two is this: when a SOCKET in the ESTABLISHED state wants to actively close the connection, it sends a FIN packet to the other side and enters the FIN_WAIT_1 state. When it then receives the other side's ACK packet, it enters the FIN_WAIT_2 state. Under normal circumstances the other side should respond with an ACK packet immediately, whatever the situation, so FIN_WAIT_1 is usually hard to see, whereas FIN_WAIT_2 can often be seen with netstat.
FIN_WAIT_2: this state has been explained in detail above. A SOCKET in the FIN_WAIT_2 state represents a half connection: one side has requested to close the connection, but also tells the other side, "I still have some data to send you for now and will close the connection later."
TIME_WAIT: this means the other side's FIN packet has been received and an ACK packet has been sent; after waiting 2 MSL the SOCKET can return to the CLOSED state. If, in the FIN_WAIT_1 state, a packet carrying both the FIN and ACK flags is received from the other side, the SOCKET can go directly to TIME_WAIT without passing through FIN_WAIT_2.
CLOSING: this state is rather special and should be very rare in practice; it is a relatively uncommon exceptional state. Normally, after you send a FIN packet, you should first receive the other side's ACK packet (or receive it at the same time) and then receive the other side's FIN packet. The CLOSING state means that after sending your FIN packet you did not receive the other side's ACK packet but did receive the other side's FIN packet. Under what circumstances does this happen? On reflection it is not hard to conclude: if both sides close a SOCKET at almost the same time, both send FIN packets simultaneously, and the CLOSING state appears, meaning that both sides are closing the SOCKET connection.
CLOSE_WAIT: this state means waiting to close. How should this be understood? When the other side closes a SOCKET and sends a FIN packet to you, your system responds with an ACK packet and enters the CLOSE_WAIT state. What you then need to consider is whether you still have data to send to the other side. If not, you can close the SOCKET and send a FIN packet to the other side, that is, close the connection. So in the CLOSE_WAIT state, what remains is waiting for you to close the connection.
LAST_ACK: this state is relatively easy to understand. The passively closing side has sent its FIN packet and is waiting for the final ACK packet. When the ACK packet is received, the SOCKET enters the CLOSED state.
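The states above, together with the handshake and wave steps, written as a transition table (an added example, not from the original article). The event names are labels chosen for this example; `walk` replays a list of events and rejects any transition the table does not allow.

```python
# (state, event) -> next state, covering the states listed above.
# Event names are labels chosen for this example, not kernel identifiers.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "connect"): "SYN_SENT",            # sends SYN
    ("LISTEN", "recv_syn"): "SYN_RCVD",           # sends SYN+ACK
    ("SYN_SENT", "recv_synack"): "ESTABLISHED",   # sends ACK
    ("SYN_RCVD", "recv_ack"): "ESTABLISHED",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",       # active close, sends FIN
    ("ESTABLISHED", "recv_fin"): "CLOSE_WAIT",    # passive close, sends ACK
    ("FIN_WAIT_1", "recv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "recv_finack"): "TIME_WAIT",   # FIN and ACK in one packet
    ("FIN_WAIT_1", "recv_fin"): "CLOSING",        # both sides closed at once
    ("FIN_WAIT_2", "recv_fin"): "TIME_WAIT",      # sends ACK
    ("CLOSING", "recv_ack"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",          # sends FIN
    ("LAST_ACK", "recv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout_2msl"): "CLOSED",
}


def walk(events, start="CLOSED"):
    """Replay events from `start`; return every state visited, in order."""
    path = [start]
    for event in events:
        key = (path[-1], event)
        if key not in TRANSITIONS:
            raise ValueError(f"{event!r} is not valid in state {path[-1]}")
        path.append(TRANSITIONS[key])
    return path


# Active opener that also closes first (the client in the numbered steps).
CLIENT = ["connect", "recv_synack", "close", "recv_ack", "recv_fin", "timeout_2msl"]
# Passive opener that closes second (the server in the numbered steps).
SERVER = ["passive_open", "recv_syn", "recv_ack", "recv_fin", "close", "recv_ack"]
# Both sides call close() at almost the same moment.
SIMULTANEOUS = ["close", "recv_fin", "recv_ack", "timeout_2msl"]

if __name__ == "__main__":
    print(" -> ".join(walk(CLIENT)))
    print(" -> ".join(walk(SERVER)))
    print(" -> ".join(walk(SIMULTANEOUS, start="ESTABLISHED")))
```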
Finally, two questions. These are my conclusions after analysis (not necessarily guaranteed to be 100% correct).
1. Why is establishing a connection a three-way handshake, while closing a connection takes four?
This is because when the server SOCKET in the LISTEN state receives a SYN connection request, it can put the ACK and the SYN (the ACK acknowledges, the SYN synchronizes) in a single packet and send them together. When closing a connection, however, receiving the other side's FIN packet only means that the other side has no more data to send to you. It does not necessarily mean all of your own data has been sent to the other side, so you cannot necessarily close the SOCKET immediately; you may still need to send some data to the other side before sending a FIN packet to indicate that you agree to close the connection now. So the ACK packet and the FIN packet are in most cases sent separately.
2. Why does the TIME_WAIT state need to wait 2 MSL before returning to the CLOSED state?
Although both sides have agreed to close the connection and all four wave packets have been exchanged, so that arguably the SOCKET could return directly to the CLOSED state (just as it goes from SYN_SENT to ESTABLISHED), we have to assume the network is unreliable. You cannot guarantee that the final ACK packet you send will be received, so the other side's SOCKET in the LAST_ACK state may time out without receiving the ACK packet and retransmit its FIN packet. The role of the TIME_WAIT state is therefore to resend the ACK packet that may have been lost.