(3) TCP three-way handshake and connection queue - network programming

1) Preliminary knowledge:

1.1) Computer network architecture

        The five-layer principle architecture of a computer network:

        1) Physical layer: Solve the problem of which signal to use to transmit bits.

        2) Data link layer: Solve the problem of packet transmission on one network (or on a single link segment).

        3) Network layer: Solve the problem of packet transmission (routing) across multiple networks.

        4) Transport layer: Solve the problem of network-based communication between processes.

        5) Application layer: Solve the problem of implementing specific network applications through the interaction of application processes.

 1.2) Transport layer

        The physical layer, data link layer, and network layer in the computer network architecture jointly realize the communication from the host to the host, but in fact the real entity that communicates in the computer network is the process located in the hosts at the two ends of the communication. The transport layer directly provides services for logical communication between application processes.

        The transport layer shields high-level users from the details of the underlying network core, making it appear to application processes that there is an end-to-end logical communication channel between two transport layer entities.

        According to different application requirements, the transport layer of the Internet provides two different transport protocols, namely connection-oriented TCP and connectionless UDP.

  1.3) TCP/UDP

        UDP (User Datagram Protocol) supports unicast, multicast and broadcast, provides connectionless and unreliable transmission services to the upper layer, and is suitable for real-time applications such as IP telephony and video conferencing.

        TCP (Transmission Control Protocol) supports only unicast, provides connection-oriented, reliable transmission services to the upper layer, and is suitable for applications requiring reliable transmission, such as file transfer.

        [Figure: well-known transport-layer port numbers used by common application-layer protocols of the TCP/IP suite]

         

2) TCP three-way handshake

2.1) Simple process:

        1) The client sends a connection request datagram with the SYN flag to the server.

        2) The server sends a connection request confirmation datagram with the SYN+ACK flags to the client.

        3) The client sends a response datagram with the ACK flag to the server (this one can carry data).

2.2) Detailed process:

        1) The service process listens on a certain port and is in the LISTEN state.

        2) The client process sends a TCP connection request segment to the service process and enters the SYN_SENT (synchronization sent) state. The synchronization bit SYN=1 in the segment header indicates that this is a TCP connection request segment; the sequence number field seq is set to a random initial value x, the initial sequence number (client_isn). TCP stipulates that a segment with SYN=1 cannot carry data but still consumes one sequence number.

        3) After the service process receives the TCP connection request segment, if it agrees to establish the connection, it sends a TCP connection request confirmation segment to the client process and enters the SYN_RECV (synchronization received) state. SYN=1 and ACK=1 indicate that this is both a SYN handshake segment and an ACK confirmation; seq=y is a random initial sequence number (server_isn); ack=x+1 confirms the client's connection request segment with seq=x.

        4) After receiving the connection request confirmation segment, the client process sends an ordinary TCP acknowledgment segment to the service process and enters the ESTABLISHED state. ACK=1 means that this is an acknowledgment; ack=y+1 confirms the server's segment with seq=y. The connection request segment had seq=x and consumed one sequence number, so this segment has seq=x+1. This segment can carry data; if it does not, it consumes no sequence number.

        5) The service process also enters the ESTABLISHED state after receiving the acknowledgment segment.

2.3) Why a three-way handshake:

        Main reason: to prevent historical connections

        When the network is congested, the SYN of the client's first handshake may not have reached the service process, so the client receives no SYN+ACK from the service process and a timeout retransmission is triggered. The SYN sent later may then arrive at the server before the SYN sent earlier, and the service process sends a SYN+ACK to the client process in response:

        1) With a two-message handshake, it is impossible to tell whether the current connection is a historical one, which causes errors and wastes resources. If the service process receives the SYN sent earlier, it enters the ESTABLISHED state directly after sending the SYN+ACK. By then the client process may have finished its last TCP connection and be in the closed state, and with two messages no ACK is ever sent, so the service process stays in the ESTABLISHED state waiting for the client to send data, wasting resources.

        2) With a three-message handshake, if the client process is still open, it can tell from its own context (sequence number or timeout) that this is a historical connection and send an RST to the service process to terminate it. If the client process is closed and the service process receives no ACK for a long time, the connection is released.
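The sequence-number checks from 2.2 and the historical-connection case from 2.3 can be traced in a small simulation. This is an added example, not code from the original post; the class and function names are hypothetical, and it assumes the stale SYN belongs to an earlier attempt with a different ISN than the one the client is currently waiting on.

```python
import random

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

class Client:
    def __init__(self):
        self.state, self.isn = "CLOSED", None

    def send_syn(self):
        self.isn = random.randrange(MOD)          # client_isn (x)
        self.state = "SYN_SENT"
        return {"flags": "SYN", "seq": self.isn}

    def on_syn_ack(self, seg):
        # A valid SYN+ACK must acknowledge x+1 for the SYN we are waiting on.
        if self.state != "SYN_SENT" or seg["ack"] != (self.isn + 1) % MOD:
            return {"flags": "RST", "seq": seg["ack"]}   # historical connection
        self.state = "ESTABLISHED"
        return {"flags": "ACK", "seq": (self.isn + 1) % MOD,
                "ack": (seg["seq"] + 1) % MOD}

class Server:
    def __init__(self):
        self.state, self.isn = "LISTEN", None

    def on_syn(self, seg):
        self.isn = random.randrange(MOD)          # server_isn (y)
        self.state = "SYN_RECV"
        return {"flags": "SYN+ACK", "seq": self.isn,
                "ack": (seg["seq"] + 1) % MOD}

    def on_reply(self, seg):
        if seg["flags"] == "RST":
            self.state = "LISTEN"                 # half-open entry released
        elif seg["flags"] == "ACK" and seg["ack"] == (self.isn + 1) % MOD:
            self.state = "ESTABLISHED"

def handshake(stale_syn_first=False):
    """Run one handshake; optionally a SYN from an earlier attempt arrives first."""
    client, server = Client(), Server()
    arriving = client.send_syn()                  # first SYN
    if stale_syn_first:
        client.send_syn()                         # new attempt with a fresh ISN
    reply = client.on_syn_ack(server.on_syn(arriving))
    server.on_reply(reply)
    return reply["flags"], client.state, server.state
```

With only two messages the server would have no third segment to check, so the stale SYN would leave it in the established state.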

 3) Connection queue

        The kernel maintains two queues for each socket in the listen state: a queue of incomplete connection requests (SYN_RECV state) and a queue of fully established connections (ESTABLISHED state) waiting to be taken by accept().

        The listen() function is declared as follows:

int listen(int socket, int backlog);

        The second parameter, backlog, is the length of the queue of fully established sockets (ESTABLISHED state) waiting for accept().

        The length of the incomplete connection request queue is set in the following file (the default value is 128):

/proc/sys/net/ipv4/tcp_max_syn_backlog

4) Supplement

4.1) SYN attack

        A SYN attack is a type of DoS (Denial of Service) attack. By sending a large number of first-handshake SYN packets with forged source IPs, the attacker fills the incomplete connection request queue, so that normal connection requests fail.

        Solution:

        1) Limit the number of IP connections

        2) Increase the capacity of the incomplete connection queue: this increases memory usage and is not recommended

        3) Delay the allocation of connection resources. Traditionally, resources are allocated for each connection as soon as it enters the incomplete connection queue; allocation can instead be delayed until the connection reaches the complete connection queue. Even when a SYN attack sends a large number of SYN requests, the server is not seriously harmed as long as it does not allocate resources for them.
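The effect of a full incomplete connection queue (section 3) and of delayed allocation (solution 3 above) can be compared in a server-side model. This is an added example, not code from the original post: the Listener class, the cookie() helper and all addresses are constructed for illustration, and the keyed-hash scheme is a simplified stand-in in the spirit of SYN cookies, not the kernel's actual algorithm.

```python
import hashlib, hmac, os

MOD = 2**32
SECRET = os.urandom(16)   # per-boot server secret (constructed for the example)

def cookie(src, sport, client_isn):
    """Derive server_isn from the connection identity instead of storing it."""
    msg = f"{src}:{sport}:{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class Listener:
    def __init__(self, syn_backlog, delayed_allocation):
        self.syn_backlog = syn_backlog
        self.delayed = delayed_allocation
        self.syn_queue = {}      # incomplete connections (SYN_RECV)
        self.accept_queue = []   # complete connections (ESTABLISHED)

    def on_syn(self, src, sport, client_isn):
        if self.delayed:
            return cookie(src, sport, client_isn)      # no state kept
        if len(self.syn_queue) >= self.syn_backlog:
            return None                                # queue full: SYN dropped
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.syn_queue[(src, sport)] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, src, sport, seq, ack):
        client_isn = (seq - 1) % MOD                   # third segment has seq=x+1
        if self.delayed:
            expected = cookie(src, sport, client_isn)
        else:
            entry = self.syn_queue.pop((src, sport), None)
            expected = entry[1] if entry and entry[0] == client_isn else None
        if expected is None or ack != (expected + 1) % MOD:
            return False
        self.accept_queue.append((src, sport))         # resources allocated here
        return True

def legit_client_connects(delayed_allocation, flood=1000, syn_backlog=128):
    """Return (connected, half-open entries held) after SYNs that are never ACKed."""
    srv = Listener(syn_backlog, delayed_allocation)
    for i in range(flood):                             # constructed, never completed
        srv.on_syn(f"198.51.100.{i % 256}", 1024 + i, i)
    isn = srv.on_syn("192.0.2.10", 40000, 7)
    if isn is None:
        return False, len(srv.syn_queue)
    ok = srv.on_ack("192.0.2.10", 40000, 8, (isn + 1) % MOD)
    return ok, len(srv.syn_queue)
```

With stored state the legitimate SYN is dropped once 128 half-open entries exist; with the derived ISN the server holds nothing until a valid third segment arrives.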

4.2) Why is the initial sequence number randomly generated

        To ensure the security of network communication; otherwise hackers could easily obtain the initial sequence number used between you and other hosts and forge sequence numbers to attack.

4.3) Why does SYN consume a sequence number without carrying data

        Because the SYN segment must be acknowledged by the other party, and only by consuming a sequence number can the acknowledgment be unambiguous.

4.4) The significance of each handshake

        The first handshake: the client learns nothing yet; the server confirms that the other party can send and that it can receive.

        The second handshake: the client confirms that its own sending and receiving work, and that the other party's sending and receiving work.

        The third handshake: the server confirms that its own sending works and that the other party can receive.

4.5) During the TCP connection process, the client goes down halfway, and after the client recovers, it sends a SYN packet to the server to re-establish the connection. What will the server do at this time?

        The TCP connection is mainly determined by the client IP, server IP, and port number.

        1) The ports are not the same. At this time, the task of the server is to establish a new connection, so a new connection is established through a three-way handshake. The old connection will trigger the TCP keep-alive mechanism. After detecting that the client is not alive, the server will release the old connection.

        2) The ports are the same. The client sends a SYN packet, and the server replies with an ACK carrying the acknowledgment number and sequence number of the last message. This ACK is called a Challenge ACK. When the client receives the Challenge ACK, it finds that the sequence number is not what it expects to receive, so it sends an RST message, and the server releases the connection after receiving it.


Origin blog.csdn.net/weixin_43284996/article/details/128127264