当前位置：网站首页>A detailed summary of TCP connection triple handshake

A detailed summary of TCP connection triple handshake

2022-06-25 04:27:00 【Life is sweet and good luck is good】

Three handshakes ：

Client state at start ：CLOSED Server status at start ：LISTEN	The first handshake	The second handshake	The third handshake
From A to B	client → The server	The server → client	client → The server
state	client ： CLOSED → SYN_SENT	The server ： LISTEN→ SYN_RCVD	client ： SYN_SENT → ESTABLISHED Server received ACK After the message ： SYN_RCVD → ESTABLISHED
Message name	SYN Connection request message	SYN-ACK Connection confirmation message	ACK message
What （TCP Sign a ）	SYN = 1, ACK = 0 Initial serial number （ISN）：seq = x	SYN = 1,ACK = 1 Confirmation no. = Client initial serial number （ISN）+ 1： ack = x + 1 seq = y	ACK = 1 Confirmation no. = Server initial serial number （ISN）+ 1：ack = y + 1 seq = x + 1（ Client initial seq = x, Send a SYN A sequence number is consumed after the message , So this is the second message segment , The serial number is x + 1）
Consumption serial number ？	Consume 1 A serial number	Don't consume	If you carry data , Consumption . If you do not carry data, you will not consume .
What does it mean		It indicates that the server has received the from the client SYN	Indicates that the client has received the server's SYN.
Whether the message can carry data ？	You can't	You can't	can
Semi and full connection queues		The server receives the client's SYN-ACK After the connection confirmation message , The server is in SYN_RCVD state , The two sides have not yet fully established a connection , The server puts the connection requests in this state in the semi connection queue . If SYN The semi connection queue is full , Can only drop connections ？ It's not like that . Turn on syncookies The function can be used without using SYN In case of queue, the connection is successfully established .syncookies That's what it does ： The server calculates a value based on the current state , Put it on your own side SYN+ACK Send out in a message , When the client returns ACK When the message , Take out the value to verify , If the legitimate , Think the connection is successful .	The server receives a message from the client ACK After the confirmation , Complete three handshakes ,TCP Connection is established . The established connection is put in the full connection queue . When the full connection queue is full, packet loss may occur .
What if the handshake fails ？	The client sends SYN Opened three handshakes , After that, the status of the client connection is SYN_SENT, Then wait for the server to reply ACK message . Under normal circumstances , The server will return in a few milliseconds ACK, But if the client does not receive it for a long time ACK What will happen ？ The client will resend SYN, The number of retries is determined by tcp_syn_retries Parameter control , The default is 6 Time .		When the third handshake fails , The server does not retransmit ACK message , It's a direct delivery RST Message segment , Get into CLOSED state . The purpose of this is to prevent SYN Flooding attack .

Why do I need three handshakes ？（ What is the purpose of the three handshakes ？ Can you use two handshakes to achieve the same goal ？）

	The first handshake	The second handshake	The third handshake
The purpose of the three handshakes ：	1. Confirm whether the receiving capacity and sending capacity of both parties are normal 2. Specify initialization serial number , Prepare for reliable transmission in the future .
Operations performed	Client sends packets , The server receives a packet	Server , The client received the package	Client sends packets , The server receives a packet
who , What's the conclusion ？	Server knows , The sending capacity of the client and the receiving capacity of the server are normal .	The client knows , Receiving and sending of the client ok Receiving and sending of the server ok	Server knows , The receiving capacity and sending capacity of the client ok, The receiving and sending capacity of the server ok
Therefore, three handshakes are required to confirm whether the receiving and sending capabilities of both parties are normal .

Can I carry data during the three handshakes ？

Only the third handshake can carry data .

Why do things turn out like this? ？

If the first handshake can carry data , It will make the server more vulnerable to attack .

If the first handshake can carry data , If someone maliciously attacks the server , In the first handshake SYN Connection request message Put a lot of data in . Because the attacker does not care whether the sending and receiving capabilities of the server are normal , When the client madly repeats sending SYN Connection request message , It will make the server spend a lot of time and space to receive these messages .

The third handshake , The client is already in ESTABLISHED state . For the client , He has established a connection , And we already know the server's reception 、 The ability to send is normal , So there's nothing wrong with being able to carry data .

What is? SYN（ Sync serial number ：Synchronize Sequence Numbers） attack ？

SYN The attack is that the client forges a large number of nonexistent in a short time IP Address , And send it to the server continuously SYN Connection request message , Server reply confirmation package , And wait for the client to confirm . Because the source address does not exist , Therefore, the server must constantly resend SYN-ACK Connection confirmation message Until the timeout . These fake SYN The package will take up... For a long time Semi connected queues , Cause normal SYN The connection request message is discarded because the queue is full , Therefore, the network is congested and even the system is paralyzed .

How to detect SYN attack ？ Or say SYN What is the performance of the attack ？

When you see a large number of semi connected states on the server , And the source IP The address is random , Basically, it can be concluded that this is a SYN attack .