TCP connection handshake

The handshaking mechanism used in TCP is designed so that two hosts, attempting to communicate, can negotiate the parameters of the network connection before beginning the communication. Both sides can assume that the other computer is ready and start to reliably send data.

Here is a simplified diagram of the packets being sent on both sides during the handshake:

        SYN     ->
                    SYN received
Host A          <-       SYN ACK    Host B
        SYN ACK received
        ACK     ->           
                    ACK received

      TCP connection is established

SYN (synchronize) and ACK (acknowledge) messages are specified by a bit/number inside the TCP header of the segment.

The process is also designed so that both ends can initiate and negotiate separate connections at the same time.

In order to end a connection between two computers, another 3-way communication is performed to tear down the TCP connection. The initiation and teardown of a TCP connection is part of what makes TCP a reliable protocol.

See also: What is the difference between UDP and TCP?


So that both ends can be fairly confident that the other end knows that the connection is established.

EDIT: Two way is not enough, as the recipient cannot know that the sender knows that the recipient has responded, and the connection is ready to go and this make it (2-way handshake connection) unreliable in comparison to 3-way handshake


Realize that it is really a 4-way handshake (two in each direction). There is a SYN -> ACK and and a SYN <- ACK. Host-B just saves time by sending his SYN at the same time he ACK's Host-A.

Also, Dentrasi had a comment that the 3-way handshake prevents spoofing but this is not entirely true.

See more information at the nmap site: http://nmap.org/book/osdetect-usage.html

"TCP Sequence Prediction Systems with poor TCP initial sequence number generation are vulnerable to blind TCP spoofing attacks. In other words, you can make a full connection to those systems and send (but not receive) data while spoofing a different IP address. The target's logs will show the spoofed IP, and you can take advantage of any trust relationship between them. This attack was all the rage in the mid-nineties when people commonly used rlogin to allow logins to their account without any password from trusted IP addresses. Kevin Mitnick is alleged to have used this attack to break into Tsutomu Shimomura's computers in December 1994."

Additional information on TCP sequence prediction attacks here: http://en.wikipedia.org/wiki/TCP_sequence_prediction_attack


Non-tech explanation-- 3 way handshake is required for a full duplex conversation/connection. A Connection means agreement between two parties. Agreement means, when X send then Y receive and when Y send X receive. Each of this single sided agreement requires two steps each, ask for permission (SYN) and to know other will listen/receive/take (ACK) what you send. So two SYN-ACK steps.

It essentially is a 4-Way Handshake, the step-2 (sending ACK to X by Y) and step-3 (sending SYN to X by Y) are merged (step-3 piggy-backed on step-2), in the end resulting in one step. This is possible since both are send at the same time from Y (same host), and the information is carried in a bit in TCP header (no over-size issues). Thus in total 3-steps from 4-steps.

tech-explanation -- TCP is a stateful protocol, the way its state machine operates and changes its states is symmetric at both the ends. The established state is reached, when you receive the ACK from the other machine. For the both the entities to reach the connection established state, the states machines has to receive an ACK. So ACK receiving is important, and to receive an ACK a host has to send a SYN. Well again 4-step process merged into 3-steps, see quoted explanation.

Rest are details -- like picking a random SYN value, so that predictions attacks can be prevented. As far as an attack is concerned, Man-in-the-middle is imminent. ps put a comment if anyone wants to know how. I think most of you would know how, its very obvious, so i saving you reading time.