TCP's three-way handshake and four-way disconnection process

1. TCP handshake protocol 
In the TCP/IP protocol suite, TCP provides a reliable connection service and uses a three-way handshake to establish a connection.
The first handshake: to establish the connection, the client sends a SYN packet (syn=j) to the server, enters the SYN_SENT state, and waits for the server to confirm;
SYN: Synchronize Sequence Numbers
The second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ack=j+1) while also sending its own SYN packet (syn=k), that is, a SYN+ACK packet; the server then enters the SYN_RECV state;
The third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgment packet ACK (ack=k+1) to the server. Once this packet has been sent, the client and server enter the ESTABLISHED state and the three-way handshake is complete.

After completing the three-way handshake, the client and the server begin to transmit data.


When A and B establish a TCP connection, A first sends a SYN (synchronization request) to B, B replies with a SYN+ACK (synchronization request acknowledgment), and finally A replies with an ACK, which completes the establishment of the TCP connection (the three-way handshake).

TCP packet format

        For details of the TCP/IP protocol, refer to the three volumes of "TCP/IP Illustrated". The following is a diagram of the TCP packet format:

Figure 1 TCP packet format
        There are several fields in the above figure that need to be highlighted:
        (1) Sequence number: Seq, 32 bits, identifies the byte stream sent from the TCP source to the destination; the sender sets it when it sends data.
        (2) Acknowledgment number: Ack, 32 bits; the field is valid only when the ACK flag bit is 1. Ack=Seq+1.
        (3) Flag bits: 6 in total, namely URG, ACK, PSH, RST, SYN and FIN, with the following meanings:
                (A) URG: Urgent pointer is valid.
                (B) ACK: The acknowledgment number is valid.
                (C) PSH: The receiver should deliver this message to the application layer as soon as possible.
                (D) RST: Reset the connection.
                (E) SYN: Initiate a new connection.
                (F) FIN: Release a connection.

        It should be noted that:
                (A) Do not confuse the acknowledgment number Ack with the ACK flag bit.
                (B) The acknowledger's Ack = the initiator's Seq + 1; the two ends are paired.

2. Three-way handshake
        The so-called three-way handshake (Three-Way Handshake) establishes a TCP connection: the client and the server exchange a total of 3 packets to confirm that the connection is established. In socket programming, this process is triggered by the client calling connect. The whole process is shown in the following figure:

Figure 2 TCP three-way handshake
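        (1) First handshake: the Client sets the SYN flag to 1, randomly generates a value seq=J, and sends the packet to the Server. The Client enters the SYN_SENT state and waits for the Server's confirmation.
        (2) Second handshake: on receiving the packet, the Server learns from SYN=1 that the Client is requesting a connection. The Server sets both the SYN and ACK flags to 1, sets ack=J+1, randomly generates a value seq=K, and sends the packet to the Client to confirm the connection request. The Server enters the SYN_RCVD state.
        (3) Third handshake: on receiving the confirmation, the Client checks whether ack is J+1 and ACK is 1. If so, it sets the ACK flag to 1, sets ack=K+1, and sends the packet to the Server. The Server checks whether ack is K+1 and ACK is 1; if so, the connection is established, the Client and Server enter the ESTABLISHED state, and the three-way handshake is complete. The Client and Server can then start transmitting data.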
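
The checks in the three steps above, applied to raw 20-byte TCP headers. This is an added example, not code from the original article; the function names, ports and the values of J and K are constructed for illustration.

```python
import struct

# Flag bits in the TCP header flags byte, as listed in section 1.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HEADER = "!HHIIBBHHH"  # ports, seq, ack, data offset, flags, window, checksum, urgent

def build_segment(sport, dport, seq, ack, flags):
    """Pack a 20-byte TCP header with no options (checksum left at 0)."""
    return struct.pack(HEADER, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def parse_segment(raw):
    """Return the fields the handshake checks rely on."""
    sport, dport, seq, ack, _off, flags, _win, _sum, _urg = struct.unpack(HEADER, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def check_handshake(syn, synack, final_ack):
    """Validate three captured segments against the three-step rules."""
    s1, s2, s3 = (parse_segment(x) for x in (syn, synack, final_ack))
    j, k = s1["seq"], s2["seq"]
    errors = []
    if s1["flags"] & (SYN | ACK) != SYN:
        errors.append("step 1: expected SYN without ACK")
    if s2["flags"] & (SYN | ACK) != (SYN | ACK):
        errors.append("step 2: expected SYN+ACK")
    if s2["ack"] != (j + 1) % 2**32:      # sequence numbers are 32-bit and wrap
        errors.append("step 2: ack is not J+1")
    if s3["flags"] & (SYN | ACK) != ACK:
        errors.append("step 3: expected ACK only")
    if s3["ack"] != (k + 1) % 2**32:
        errors.append("step 3: ack is not K+1")
    return errors

# Constructed sample values: J sits at the top of the 32-bit space to show wraparound.
J, K = 0xFFFFFFFF, 1000
GOOD = [build_segment(40000, 80, J, 0, SYN),
        build_segment(80, 40000, K, 0, SYN | ACK),   # ack = J+1 wraps to 0
        build_segment(40000, 80, 0, K + 1, ACK)]
BAD = [GOOD[0], build_segment(80, 40000, K, 12345, SYN | ACK), GOOD[2]]

if __name__ == "__main__":
    print(check_handshake(*GOOD))
    print(check_handshake(*BAD))
```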
        
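        SYN attack:
                During the three-way handshake, a TCP connection for which the Server has sent its SYN-ACK but has not yet received the Client's ACK is called a half-open connection (half-open connect). The Server is in the SYN_RCVD state at this point and moves to the ESTABLISHED state once the ACK arrives. In a SYN attack, the Client forges a large number of nonexistent IP addresses in a short time and keeps sending SYN packets to the Server. The Server replies with confirmation packets and waits for the Client's confirmation; because the source addresses do not exist, the Server has to keep retransmitting until it times out. These forged SYN packets occupy the queue of incomplete connections for a long time, so legitimate SYN requests are dropped because the queue is full, which causes network congestion or even system failure. A SYN attack is a typical DDoS attack. Detecting it is very simple: if the Server has a large number of half-open connections and the source IP addresses are random, it can be concluded that the Server is under a SYN attack. The following command reveals this: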
                #netstat -nap | grep SYN_RECV
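
The detection rule described above (many half-open connections, random source addresses), applied to netstat output. This is an added example, not part of the original article; the sample lines are constructed with documentation-range addresses, and the function names and thresholds are assumptions to be tuned against the server's normal baseline.

```python
from collections import defaultdict

# Constructed sample in the column layout of `netstat -nap` on Linux.
SAMPLE = "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name\n"
SAMPLE += "".join(f"tcp 0 0 192.0.2.10:80 203.0.113.{i}:{40000 + i} SYN_RECV -\n"
                  for i in range(1, 7))
SAMPLE += "tcp 0 0 192.0.2.10:443 198.51.100.7:51234 SYN_RECV -\n"
SAMPLE += "tcp 0 0 192.0.2.10:22 198.51.100.9:50022 ESTABLISHED 812/sshd\n"

def half_open_summary(netstat_text):
    """Per local endpoint: (SYN_RECV count, number of distinct source IPs)."""
    stats = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "SYN_RECV":
            continue                            # header, non-TCP or other state
        local, remote = cols[3], cols[4]
        src_ip = remote.rsplit(":", 1)[0]       # rsplit keeps IPv6 addresses intact
        stats[local]["half_open"] += 1
        stats[local]["sources"].add(src_ip)
    return {ep: (v["half_open"], len(v["sources"])) for ep, v in stats.items()}

def suspected_syn_flood(summary, min_half_open=5, min_source_ratio=0.8):
    """Endpoints with many half-open connections from mostly distinct sources.

    A busy server always has a few connections in SYN_RECV, so the count alone
    is not enough; the ratio of distinct sources approximates "random" origins.
    """
    return sorted(ep for ep, (n, srcs) in summary.items()
                  if n >= min_half_open and srcs / n >= min_source_ratio)

if __name__ == "__main__":
    summary = half_open_summary(SAMPLE)
    print(summary)
    print(suspected_syn_flood(summary))
```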

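3. Four-way wave
         The three-way handshake is familiar to everyone, while the four-way wave is probably ... The so-called four-way wave (Four-Way Wavehand) terminates a TCP connection: when a TCP connection is torn down, the client and the server exchange a total of 4 packets to confirm that the connection is closed. In socket programming, this process is triggered by either the client or the server calling close. The whole flow is shown in the following figure: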

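Figure 3 TCP four-way wave
         Because a TCP connection is full-duplex, each direction must be closed separately. The principle is that when one side has finished sending its data, it sends a FIN to terminate the connection in that direction. Receiving a FIN only means that no more data will flow in that direction, that is, no more data will be received; data can still be sent on this TCP connection until this direction has also sent a FIN. The side that closes first performs an active close and the other side performs a passive close, which is what the figure above shows.
        (1) First wave: the Client sends a FIN to close data transfer from the Client to the Server, and the Client enters the FIN_WAIT_1 state.
        (2) Second wave: after receiving the FIN, the Server sends an ACK to the Client with the acknowledgment number set to the received sequence number + 1 (as with SYN, a FIN consumes one sequence number), and the Server enters the CLOSE_WAIT state.
        (3) Third wave: the Server sends a FIN to close data transfer from the Server to the Client, and the Server enters the LAST_ACK state.
        (4) Fourth wave: after receiving the FIN, the Client enters the TIME_WAIT state and then sends an ACK to the Server with the acknowledgment number set to the received sequence number + 1. The Server enters the CLOSED state, completing the four-way wave.
        The above is the case where one side closes actively and the other passively. In practice both sides may also initiate an active close at the same time; the flow is shown in the following figure: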

Figure 4 Simultaneous wave
        The process and states are very clear in the above figure, so I won't repeat them here. You can refer to the four-way wave steps analyzed above.

4. Remarks
        The three-way handshake and the four-way wave are typical interview topics. Here are some questions for readers who need them for reference:
        (1) What is the three-way handshake, and what is its process? What about the four-way wave? The answer is the previous analysis.
        (2) Why is it a three-way handshake to establish a connection, but a four-way wave to close the connection?
        This is because a server in the LISTEN state, after receiving the SYN message of a connection request, sends its ACK and SYN to the client in one message. When closing the connection, receiving the FIN message from the other party only means that the other party will no longer send data but can still receive it, and the local side may not yet have sent all of its own data to the other party. The local side can therefore close immediately, or send some more data to the other party and then send its FIN message to agree to close the connection now. For this reason, the local side's ACK and FIN are generally sent separately.
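
The half-close behaviour behind this answer and behind the four-way wave in section 3, run over a loopback TCP connection: the passive side keeps sending after it has seen the peer's FIN, then sends its own. This is an added example, not code from the original article; the function names and payloads are constructed for illustration.

```python
import socket
import threading

def passive_side(listener, log):
    """Server: read until the peer's FIN, keep sending, then send its own FIN."""
    conn, _ = listener.accept()
    with conn:
        received = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:        # recv() returning b"" means the client's FIN arrived
                break
            received += chunk
        log.append(("server saw FIN after", received))
        # CLOSE_WAIT: client-to-server is closed, server-to-client is still open.
        conn.sendall(b"reply sent after client FIN: " + received.upper())
    # Leaving the with-block closes the socket, which sends the server's FIN.

def half_close_demo():
    """Return (server log, bytes the client received after its own FIN)."""
    log = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.settimeout(5)
        listener.bind(("127.0.0.1", 0))          # loopback, ephemeral port
        listener.listen(1)
        worker = threading.Thread(target=passive_side, args=(listener, log))
        worker.start()
        with socket.create_connection(listener.getsockname(), timeout=5) as client:
            client.sendall(b"last request")
            client.shutdown(socket.SHUT_WR)      # active close of one direction: client's FIN
            reply = b""
            while True:
                chunk = client.recv(1024)        # the other direction still delivers data
                if not chunk:                    # server's FIN
                    break
                reply += chunk
        worker.join()
    return log, reply

if __name__ == "__main__":
    print(half_close_demo())
```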
