TCP state machine: what happens when the server actively sends FIN and enters TIME_WAIT while the client reuses its source port

0X01

Under normal circumstances, a TCP connection is torn down with the four-way close (a connection can also be torn down with an RST; see "Why does the server suddenly reply with RST: beware of security devices in the network"). The following figure shows how the state of a TCP connection changes in the TCP state machine:

Let's focus on the four-way close:

  1. A, the side that wants to tear down the connection, sends a FIN packet and enters the FIN_WAIT_1 state;
  2. B, the other side, receives the FIN packet, sends an ACK, and enters the CLOSE_WAIT state;
  3. A receives the ACK and enters the FIN_WAIT_2 state;
  4. B sends a FIN and enters the LAST_ACK state;
  5. A receives the FIN, sends an ACK, and enters the TIME_WAIT state;
  6. B receives the ACK, closes its socket, and releases the port;
  7. A waits 2MSL, then closes its socket and releases the port.

The teardown process above shows that the side that sends the first FIN is the one that enters the TIME_WAIT state. That side must wait 2MSL before releasing the port, and during those 2MSL the socket's 4-tuple (source and destination IP, source and destination port) is frozen.

The TIME_WAIT state serves two main purposes:

  1. Avoid connection-close errors caused by closing packets being lost on the link: if B does not receive the ACK in step 6, it assumes A never received its FIN and retransmits the FIN from step 4. Without the TIME_WAIT state, A's socket would already be closed, so A would answer the retransmitted FIN with an RST, which may cause an error on B.
  2. Avoid stray packets from the old connection being confused with a newly created socket: suppose a TCP segment is delayed in the network and only arrives after step 7 has completed. Without the TIME_WAIT state, if A and B had created a new socket with the same 4-tuple right after disconnecting, the stray segment would be handed to the new socket for processing and the service might fail.

The TIME_WAIT state avoids both problems well. It ages out after 2MSL, where MSL is the maximum segment lifetime, the longest time a TCP segment can exist in the network. Waiting twice the MSL covers the maximum time a packet needs for a round trip between A and B, which avoids the two problems above to the greatest extent. On CentOS, the MSL is generally 30 s.

0X02

The following figure is a packet-capture screenshot of a complete connection teardown followed by a new connection that reuses the same port.

In the capture, server 192.168.221.1 runs a web service listening on port 82, and client 192.168.252.2 connects to it from port 31387 (the screenshot starts just before the close). After the server actively closes the connection in packet 3, server and client complete the four-way close, and the client immediately uses the same source port to establish a new connection to the same server port. The whole exchange is analyzed packet by packet below:

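  1. server → client (PSH, ACK): the server pushes the last data segment to the client
  2. client → server (ACK): the client acknowledges receipt of packet 1
  3. server → client (FIN, ACK): the server sends a FIN to the client to negotiate the disconnect; this is the first step of the four-way close. The ACK flag is also set; because packet 2 carries no data payload, the ack value equals the seq of packet 2. The server now enters the FIN_WAIT_1 state
  4. client → server (ACK): the client acknowledges the FIN it received; this is the second step of the four-way close. seq is unchanged and ack = seq of packet 3 + 1 (a FIN logically occupies one sequence number). The client now enters the CLOSE_WAIT state, and the server enters the FIN_WAIT_2 state when it receives the ACK
  5. client → server (FIN, ACK): the client sends a FIN to the server; this is the third step of the four-way close. seq and ack are the same as in packet 4. The client, which is closing the connection, now enters the LAST_ACK state and waits for the server's ACK
  6. server → client (ACK): on receiving the client's FIN, the server immediately sends an ACK to the client; this is the last step of the four-way close. Here seq = seq of packet 3 + 1 and ack = seq of packet 5 + 1. On receiving the ACK, the client immediately closes the socket for this 4-tuple, while the server enters the TIME_WAIT state after sending the ACK, and the corresponding TCP 4-tuple on the server side is frozen for 2MSL
  7. client → server (SYN): immediately after the connection is torn down, the client uses the same source port 31387 to send a new SYN handshake packet to port 82 on the server
  8. server → client (ACK): the seq and ack values show that the server is retransmitting packet 6. Because the server's 4-tuple is still in the TIME_WAIT state, the server treats the packet it received as a stray packet, or assumes the client did not receive the final ACK of the close, so it resends that ACK to the client
  9. client → server (RST): the client sends an RST to the server, with seq equal to the ack value of the server's closing ACK (packets 6 and 8). On the server side the 4-tuple is still in the TIME_WAIT state, but the client has no socket for this 4-tuple; it is about to use the 4-tuple for a new connection. This is the third case in which TCP sends an RST, as described in the earlier article "Why does the server suddenly reply with RST: beware of security devices in the network": TCP receives a segment, but the connection that segment identifies does not exist. The client therefore uses the ack value from the ACK packet as its seq and sends an RST to the server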

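After sending the RST, the client retransmits the SYN, and this time, even though it still reuses the previous 4-tuple, the three-way handshake between client and server completes normally. This is because a server that receives an RST immediately enters the closed state, whatever TCP state it was in, so the 4-tuple frozen by the TIME_WAIT state on the server side is released and the client's reuse succeeds.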

0X03

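The scenario above comes from a packet capture of an application system connecting to a backend server through a reverse proxy address. A server-initiated close combined with immediate source-port reuse by the client is a dangerous implementation: if the client does not send an RST, or the server does not recognize the RST, then every attempt by the client to establish a connection with the frozen 4-tuple within the 2MSL period is very likely to fail. Where the server initiates the close, make sure the client has as many usable source ports as possible and avoid immediate port reuse wherever possible. In the same scenario, shorten the server's MSL as much as possible so that a large number of connections in the TIME_WAIT state do not affect server performance.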
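
The exchange in packets 6 to 9 and the failure mode described above, as an added example that is not part of the original post: a simplified Python model, not a real TCP stack. The class, function and parameter names, the sequence numbers and the SYN retry times are all assumptions made for illustration; only the 30 s MSL comes from the article.

```python
# Simplified model of packets 6-9 in section 0X02 (not a real TCP stack).
# All names are hypothetical; MSL = 30 s is the value the article quotes.
MSL = 30

class Server:
    """Server side of one 4-tuple right after it sent the final ACK (packet 6)."""
    def __init__(self, snd_nxt, rcv_nxt, honors_rst=True):
        self.state = "TIME_WAIT"
        self.snd_nxt, self.rcv_nxt = snd_nxt, rcv_nxt  # seq/ack of packet 6
        self.expires = 2 * MSL                          # 4-tuple frozen until then
        self.honors_rst = honors_rst

    def receive(self, now, flags, seq=0):
        if self.state == "TIME_WAIT" and now >= self.expires:
            self.state = "CLOSED"                       # 2MSL timer ran out
        if self.state == "TIME_WAIT":
            if flags == "RST":
                if self.honors_rst:
                    self.state = "CLOSED"               # RST frees the 4-tuple
                return None
            # Anything else is treated as a stray or late segment: resend packet 6
            return ("ACK", self.snd_nxt, self.rcv_nxt)
        if flags == "SYN":                              # CLOSED: new handshake
            return ("SYN-ACK", 0, seq + 1)
        return None

def reconnect(server, client_sends_rst=True, isn=5000, retry_at=(0, 1, 3, 7)):
    """Client reuses the same source port; returns (time_connected, packet log)."""
    log = []
    for now in retry_at:                                # assumed SYN retry times (s)
        log.append((now, "C->S", "SYN", isn))
        reply = server.receive(now, "SYN", isn)
        if reply is None:
            continue
        log.append((now, "S->C", reply[0], reply[1], reply[2]))
        if reply[0] == "SYN-ACK":
            return now, log
        if client_sends_rst:
            # No socket matches this ACK: answer RST with seq = the ACK's ack value
            log.append((now, "C->S", "RST", reply[2]))
            server.receive(now, "RST", reply[2])
    return None, log

if __name__ == "__main__":
    # Constructed sequence numbers: packet 6 had seq=1001, ack=2001
    print(reconnect(Server(1001, 2001)))                          # connects on retry
    print(reconnect(Server(1001, 2001), client_sends_rst=False))  # blocked for 2MSL
```

With the RST, the retransmitted SYN succeeds; without it, or with a server that ignores it, every SYN inside the 2MSL window is answered with the old ACK.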

Origin www.cnblogs.com/yurang/p/12154453.html