What is TCP and how TCP works?

What is the TCP protocol？

TCP is been used for communication among devices on the network. It stands for Transmission Control Protocol. It is used to create a connection between the client and the server. It works by breaking the data into small packets which can be transferred through network activity.

The connection control of TCP includes three handshakes and four waves.

The segment is a navigation routing function for the entire TCP/IP protocol. The packet segment refers to the IP data packets in the TCP/IP protocol network transmission, which use route navigation, query each network route segment, IP address, exchange protocol, and so on.

• SYN：Synchronize sequence numbers
• ACK：Acknowledgment field significant
• Seq：Sequence number
• Ack：Acknowledgment number

Three way handshakes process

Handshake

One of the essential features of TCP is connection-oriented. Therefore, before sending data, both parties must go through a handshake to ensure that the entire data transmission is error-free before the two parties can successfully establish the connection.

The first handshake

The client sends segment 1 to the server, where the SYN flag indicates that this is a segment for requesting a connection. In addition, its Sequence Number field (abbreviated as seq in the figure) is set to initial sequence number x (Initial Sequence Number, ISN), and both parties in the TCP connection can randomly select the initial sequence number.

After sending segment 1, the client enters the SYN-SENT state and waits for confirmation from the server.

The second handshake

After receiving the connection request from the client, the server sends segment 2 to the client as a response.

The ACK flag is set to 1, indicating that it responds to the client, and its acknowledgment number field (Acknowledgment Number, abbreviated as lowercase ack) will take effect.

The value of this field is x + 1, which is the sequence number of the segment received from the client plus one, which represents the sequence number of the data the server expects to receive from the client next time.

In addition, the SYN flag of segment 2 is also set to 1, which means that this is also a segment used to initiate a connection, and the sequence number seq is set to the server's initial sequence number y.

After sending segment 2, the server enters the SYN-RECEIVED state.

The third handshake

After receiving segment 2, the client sends segment 3 to the server, and its ACK flag is 1, which means it responds to the server, confirming that the sequence number field ack is y + 1, and the sequence number field seq is x + 1. After this segment sent, both parties enter the ESTABLISHED state, indicating that the connection has been established.

Judging the connection status by the display status of the client and server.

• The client and the server belong to the closed state, indicating no connection relationship.
• The client sends a request, the client opens the sending (SYN-sent) state, and the server opens the listening (Listen) state;
• When the server receives the client's request, the server switches to the reply (SYN-recvd) state;
• When the client receives the response from the server, the client switches to the stable connection (Estab-lished) state and sends the second data packet simultaneously.
• When the server receives the second data from the client, the server switches to a stable connection (Estab-lished) state.
• After the two parties establish a stable connection, it's time to begin regular data communication.

How do the three handshakes work?

The three-way handshake allows both parties to confirm that the sending and receiving capabilities of themselves and the other party as process:

The first handshake: the client sends the request segment, and nothing can be confirmed, while the server can ensure that its receiving ability and the other party's transmitting ability are standard.

The second handshake: The client can confirm that its sending and receiving capabilities are standard, and the other party's sending and receiving capabilities are standard.

The third handshake: the server can confirm that its sending and receiving capabilities are standard, and the other party's sending and receiving capabilities are standard.

The three-way handshake can allow both parties to confirm that the sending and receiving capabilities of themselves and the other party are all standards so they can communicate.

How do the four waves work?

Establishing a connection requires three handshakes, and terminating a connection requires four waves.

The detailed process of waving four times

1. The client sends a connection closing segment, requesting to close the connection and stop sending data. Next, the sequence number field seq = x (equal to the sequence number of the last byte of all previously sent data plus one), then the client will enter the FIN-WAIT-1 state, waiting for an acknowledgment message from the server.

2. The server receives the FIN segment, it sends back a confirmation message, ACK = 1, ack = x + 1, and brings its sequence number seq = y, then the server enters the CLOSE-WAIT state.

3. The client enters the FIN-WAIT-2 state immediately after receiving the ACK segment from the server and can still receive data seq=z from the server until the FIN segment is received.

4. Then the server has sent all the data, it will send a FIN segment to the client, and then the server will enter the LAST-ACK state, waiting for an acknowledgment segment from the client.

5. After the client receives the FIN segment from the server, it sends an ACK message to the server and then enters the TIME-WAIT state.

6. The server will enter the CLOSED state immediately after receiving the ACK message from the client and will terminate the connection at this time. In general, the server enters the CLOSED state earlier than the client cause there is no waiting time.

In short, whether it is a 3-way handshake or a 4-way wave, TCP protocol needs to obtain information confirmation from both parties to establish the connection or disconnection.

Why does TCP close the connection four times instead of three?

After receiving the FIN packet segment from the client, the server may still have some data to transmit. Therefore, the server cannot close the connection immediately. Instead, it will respond with an ACK packet segment and may continue to send data.

The client does not respond until the server sends a FIN packet segment to the client, indicating that all data is sent. The server requests to close the connection. Therefore, a total of four waves are required.

What security issues occur during the TCP connection?

In the three-way handshake process, after the server sends SYN-ACK, the TCP connection before receiving the ACK from the client is called a half-open connection. At this time, the server is in the SYN_RCVD state. When an ACK is received, the server can move to the ESTABLISHED state.

SYN attack means that the attacking client forges a large number of non-existing IP addresses in a short period, continuously sends SYN packets to the server, and the server replies with the confirmation packet, and waits for the confirmation of the client.

Since the source address does not exist, the server needs to retransmit continuously until it times out. As a result, these forged SYN packets will occupy the unconnected queue for a long time, and regular SYN requests will be discarded.

In severe cases, it will cause network congestion or even system crashes. An SYN attack is a typical DoS/DDoS attack. Click to learn more about DoS/DDoS attacks.