The TCP three-way handshake (connect) / four-way wave (close)
For a SOCKET developer, TCP connection setup and teardown are carried out automatically by the TCP/IP protocol stack, so the developer does not need to control this process. Understanding TCP's underlying mechanism is still quite helpful.
- First handshake:
The client sends a TCP packet with the SYN flag set to 1, indicating the server port the client intends to connect to, along with the initial sequence number X, stored in the Sequence Number field of the packet header.
- Second handshake:
The server sends back an acknowledgement packet (ACK) in response. The SYN flag and the ACK flag are both set to 1, and the Acknowledgement Number is set to the client's ISN plus 1, namely X + 1.
- Third handshake:
The client sends another acknowledgement packet (ACK), with the SYN flag set to 0 and the ACK flag set to 1. It takes the sequence number field of the packet the server sent, adds 1, and sends it back to the other side in the acknowledgement field; in the data segment it writes ISN + 1.
The SYN attack
During the three-way handshake, after the server has sent its SYN-ACK and before it has received the client's ACK, the TCP connection is called a half connection (half-open connect). At this point the server is in the SYN_RECV state. Once the ACK is received, the server enters the ESTABLISHED state.
In a SYN attack, the client forges a large number of non-existent IP addresses in a short period of time and keeps sending SYN packets to the server. The server replies with acknowledgement packets and waits for the client's confirmation. Because the source addresses do not exist, the server has to keep retransmitting until it times out. The forged SYN packets occupy the half-connection queue for a long time, normal SYN requests are discarded, the target system runs slowly, and in serious cases the result is network congestion or even system paralysis.
The SYN attack is a typical DDoS attack. Detecting a SYN attack is straightforward: when you see a large number of half connections on the server, especially with random source IP addresses, you can basically conclude that this is a SYN attack. On Linux, the following command can be used to check for a SYN attack:
netstat -n -p TCP | grep SYN_RECV
Generally, newer TCP/IP protocol stacks have modified this process to guard against SYN attacks by changing the TCP implementation. The main methods are the SynAttackProtect protection mechanism, SYN cookies, increasing the maximum number of connections, and shortening the timeout.
These measures cannot completely prevent SYN attacks, however.
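An added example (not part of the original article) that applies the detection rule above to `netstat -n` output: it counts SYN_RECV sockets per local port and how many distinct source addresses they come from. The sample lines are constructed, and the function names and thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample of `netstat -n` lines (documentation address ranges).
SAMPLE = """\
tcp   0   0 192.0.2.10:80    198.51.100.7:40112   SYN_RECV
tcp   0   0 192.0.2.10:80    203.0.113.45:1025    SYN_RECV
tcp   0   0 192.0.2.10:80    198.51.100.201:5555  SYN_RECV
tcp   0   0 192.0.2.10:80    203.0.113.9:61000    SYN_RECV
tcp   0   0 192.0.2.10:22    198.51.100.7:50022   ESTABLISHED
tcp   0   0 192.0.2.10:443   203.0.113.9:44321    SYN_RECV
tcp   0   0 192.0.2.10:443   203.0.113.9:44322    TIME_WAIT
"""

def half_open_summary(netstat_text):
    """Return {local_port: (half_open_count, distinct_source_ips)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # Expected columns: proto recv-q send-q local remote state
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "SYN_RECV":
            continue
        port = int(f[3].rsplit(":", 1)[1])   # rsplit also copes with IPv6
        src = f[4].rsplit(":", 1)[0]
        counts[port] += 1
        sources[port].add(src)
    return {p: (counts[p], len(sources[p])) for p in counts}

def suspicious_ports(summary, min_half_open=4, min_source_ratio=0.75):
    """Ports with many half-open sockets from mostly distinct sources.

    The defaults are sized for the small sample; a real server needs
    thresholds derived from its normal SYN_RECV baseline.
    """
    return sorted(p for p, (n, srcs) in summary.items()
                  if n >= min_half_open and srcs / n >= min_source_ratio)

if __name__ == "__main__":
    summary = half_open_summary(SAMPLE)
    for port, (n, srcs) in sorted(summary.items()):
        print(f"port {port}: {n} SYN_RECV from {srcs} distinct sources")
    print("suspicious:", suspicious_ports(summary))
```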
TCP four-way wave
Tearing down a TCP connection requires sending four packets, which is why it is called the four-way wave (four-way handshake). Either the client or the server can initiate the wave; in socket programming, either party calling close() triggers it.
Looking at the Wireshark capture, the wave packets I measured did not strictly follow this sequence. My guess is that the time interval was too short.
1. Connection establishment protocol (three-way handshake)
(1) The client sends a TCP packet with the SYN flag to the server. This is packet 1 of the three-way handshake.
(2) The server responds to the client. This is the second packet of the three-way handshake, and it carries both the SYN and ACK flags. It acknowledges the client's SYN packet and at the same time sends a SYN to the client, asking whether the client is ready for data communication.
(3) The client must respond to the server again with an ACK segment. This is segment 3.
2. Connection termination protocol (four-way wave)
Because a TCP connection is full-duplex, each direction must be closed independently. The principle is that when one party has finished sending its data, it can send a FIN to terminate that direction of the connection. Receiving a FIN only means that no more data will flow in that direction; a TCP connection can still send data after receiving a FIN. The party that closes first performs the active close, while the other performs the passive close.
(1) The TCP client sends a FIN to close data transfer from the client to the server (segment 4).
(2) The server receives the FIN and sends back an ACK whose acknowledgement number is the received sequence number + 1 (segment 5). Like a SYN, a FIN consumes one sequence number.
(3) The server closes its connection to the client and sends a FIN to the client (segment 6).
(4) The client sends back an ACK segment in confirmation, with the acknowledgement number set to the received sequence number + 1 (segment 7).
CLOSED: there is not much to say here; this is the initial state.
LISTEN: this state is also easy to understand. It means a SOCKET on the server is listening and can accept connections.
SYN_RCVD: this state means a SYN packet has been received. Under normal circumstances it is an intermediate state of the server SOCKET during the three-way handshake of connection setup. It is very brief, and you will have a hard time seeing it with netstat unless you deliberately write a client test program that withholds the final ACK packet of the three-way handshake. From this state, once the client's ACK packet is received, the socket enters the ESTABLISHED state.
SYN_SENT: this state mirrors SYN_RCVD. When the client SOCKET performs CONNECT, it first sends a SYN packet, then enters the SYN_SENT state and waits for the server to send the second packet of the three-way handshake. SYN_SENT means the client has sent its SYN packet.
ESTABLISHED: this one is easy to understand. It means the connection has been established.
FIN_WAIT_1: this state needs some explanation. The real meaning of both FIN_WAIT_1 and FIN_WAIT_2 is waiting for the other side's FIN packet. The difference between the two is this: FIN_WAIT_1 is entered when a SOCKET in the ESTABLISHED state wants to close the connection actively and sends a FIN packet to the other party. When the other party responds with an ACK packet, the SOCKET enters FIN_WAIT_2. Under normal circumstances the other side should respond with an ACK immediately, whatever the situation, so FIN_WAIT_1 is usually hard to see, while FIN_WAIT_2 can often be seen with netstat.
FIN_WAIT_2: this state has been explained in detail above. A SOCKET in FIN_WAIT_2 represents a half connection: one side has asked to close the connection, but also tells the other side, "I still have some data to send to you; I will close the connection later."
TIME_WAIT: the other side's FIN packet has been received and an ACK packet has been sent; after waiting 2 MSL the socket returns to the CLOSED state. If, while in FIN_WAIT_1, a packet carrying both the FIN and ACK flags is received from the other side, the socket can go directly to TIME_WAIT without passing through FIN_WAIT_2.
CLOSING: this state is rather special and should be very rare in practice; it is an uncommon exceptional state. Normally, after you send a FIN packet, you should first receive the other side's ACK packet (or receive it at the same time), and then the other side's FIN packet. CLOSING means that after sending your FIN packet you did not receive the other side's ACK, but did receive the other side's FIN. When does this happen? On reflection it is not hard to see: if both sides close a SOCKET at almost the same time, both send FIN packets simultaneously, and the CLOSING state appears, meaning both sides are closing the SOCKET connection.
CLOSE_WAIT: this state means waiting to close. How should that be understood? When the other side closes a SOCKET and sends a FIN packet to you, your system will certainly respond with an ACK packet, and at that point it enters CLOSE_WAIT. What you then need to consider is whether you still have data to send to the other party; if not, you can close the SOCKET and send a FIN packet to the other side, that is, close the connection. So in CLOSE_WAIT, the connection is waiting for you to close it.
LAST_ACK: this state is relatively easy to understand. The passively closing side has sent its FIN packet and is waiting for the final ACK packet. When the ACK packet is received, the socket enters the CLOSED state.
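The state descriptions above, driven as a small two-endpoint simulator. This is an added example, not code from the original article: the transition table covers only the paths described here, and the names `T`, `simulate`, and the endpoint labels A and B are assumptions. It goes slightly beyond the text by also replaying the withheld final ACK mentioned under SYN_RCVD.

```python
from collections import deque

# (state, event) -> (next state, segment sent to peer or None). An event is a
# local call (listen/connect/close), the 2MSL timer, or a received segment.
T = {
    ("CLOSED", "listen"): ("LISTEN", None),
    ("CLOSED", "connect"): ("SYN_SENT", "SYN"),
    ("LISTEN", "SYN"): ("SYN_RCVD", "SYN+ACK"),
    ("SYN_SENT", "SYN+ACK"): ("ESTABLISHED", "ACK"),
    ("SYN_RCVD", "ACK"): ("ESTABLISHED", None),
    ("ESTABLISHED", "close"): ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "FIN"): ("CLOSE_WAIT", "ACK"),
    ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None),
    ("FIN_WAIT_1", "FIN"): ("CLOSING", "ACK"),        # simultaneous close
    ("FIN_WAIT_1", "FIN+ACK"): ("TIME_WAIT", "ACK"),  # skips FIN_WAIT_2
    ("FIN_WAIT_2", "FIN"): ("TIME_WAIT", "ACK"),
    ("CLOSING", "ACK"): ("TIME_WAIT", None),
    ("CLOSE_WAIT", "close"): ("LAST_ACK", "FIN"),
    ("LAST_ACK", "ACK"): ("CLOSED", None),
    ("TIME_WAIT", "2MSL"): ("CLOSED", None),
}

def simulate(rounds, start="CLOSED", drop=()):
    """Drive endpoints A and B; return the states each one passed through.
    All local events of a round happen before delivery; the wire is then
    drained FIFO. drop holds (destination, segment) pairs lost on the wire."""
    state = {"A": start, "B": start}
    path = {"A": [start], "B": [start]}
    peer = {"A": "B", "B": "A"}
    wire = deque()

    def step(who, event):
        state[who], sent = T[(state[who], event)]  # KeyError: invalid event
        path[who].append(state[who])
        if sent and (peer[who], sent) not in drop:
            wire.append((peer[who], sent))

    for local_events in rounds:
        for who, event in local_events:
            step(who, event)
        while wire:
            step(*wire.popleft())
    return path

HANDSHAKE = [[("B", "listen")], [("A", "connect")]]
NORMAL_CLOSE = [[("A", "close")], [("B", "close")], [("A", "2MSL")]]
SIMULTANEOUS = [[("A", "close"), ("B", "close")], [("A", "2MSL"), ("B", "2MSL")]]
```

Calling `simulate(HANDSHAKE, drop={("B", "ACK")})` leaves B in SYN_RCVD, the half connection that the SYN attack section describes.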
Finally, two questions. These are my own conclusions after analysis (not necessarily guaranteed to be 100% correct).
1. Why is connection establishment a three-way handshake, while closing a connection takes four?
This is because when a server SOCKET in the LISTEN state receives a SYN connection request, it can send the ACK and the SYN (the ACK acts as the response, the SYN as synchronization) in a single packet. When closing a connection, however, receiving the other side's FIN packet only means that the other side has no more data to send to you. Not all of your data has necessarily been sent to the other side, so you may not be able to close the SOCKET immediately; you may still need to send some data, and only afterwards send a FIN packet to indicate that you agree the connection can now be closed. That is why the ACK packet and the FIN packet are, in most cases, sent separately.
2. Why does the TIME_WAIT state have to wait 2 MSL before returning to the CLOSED state?
This is because, although both sides have agreed to close the connection and all four packets of the wave have been coordinated and sent, so that in principle the socket could return directly to the CLOSED state (just like going from the SYN_SEND state to the ESTABLISH state), we have to assume that the network is unreliable. You cannot guarantee that the final ACK packet you send will be received, so the other side's SOCKET in the LAST_ACK state may time out without receiving the ACK and retransmit its FIN packet. The TIME_WAIT state therefore exists so that a possibly lost ACK packet can be resent.