To begin with, it is worth explaining what TCP (Transmission Control Protocol) is: a protocol that controls the transmission of data. TCP is almost always used on top of IP to ensure reliable packet transmission, so this protocol stack is often called TCP/IP. In the OSI model it operates at layer 4, the transport layer.
To establish a reliable connection, TCP uses a process called the “three-way handshake”. The established connection is full-duplex, that is, both directions can carry information simultaneously, and the two sides synchronize (SYN) and acknowledge (ACK) with each other. The exchange is performed as follows:
During data transfer, the client and the server exchange segments with the ACK or PSH+ACK flags set, alternately confirming the number of packets received by increasing the sequence number and acknowledgment number.
Steps 1 and 2 determine the connection parameter (sequence number) for one direction and confirm it. Steps 2 and 3 determine the connection parameter for the other direction and also confirm it. Together they establish a full-duplex connection.
Interestingly, the initial SYN parameters are selected randomly when a connection is established between the client and the server.
In conclusion, it should be added that checking the sequence numbers of incoming packets and the principles used in a 3-way handshake allow you to implement the simplest methods of filtering DDoS attacks.
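The following added example (not from the original article) models the three handshake segments and one simple filter built on them: the server derives its initial sequence number from a keyed hash of the connection 4-tuple, a simplified form of SYN cookies, and admits a connection only when the final ACK acknowledges that number plus one. The `Segment` class, the function names, the addresses and the ports are assumptions made for illustration; real SYN cookies also encode a time counter and the MSS.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SECRET = os.urandom(16)  # per-process key, constructed for this example
MOD = 2**32              # sequence numbers are 32-bit and wrap around

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int = 0

def cookie_isn(src, sport, dst, dport):
    """Server ISN derived from the client->server 4-tuple (simplified SYN cookie)."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def on_syn(syn):
    """Step 2: answer a SYN with SYN+ACK without storing per-connection state."""
    isn = cookie_isn(syn.src, syn.sport, syn.dst, syn.dport)
    return Segment(syn.dst, syn.dport, syn.src, syn.sport,
                   frozenset({"SYN", "ACK"}), seq=isn, ack=(syn.seq + 1) % MOD)

def accept_ack(ack):
    """Step 3 check: admit only an ACK that acknowledges our ISN + 1."""
    if ack.flags != frozenset({"ACK"}):
        return False
    expected = (cookie_isn(ack.src, ack.sport, ack.dst, ack.dport) + 1) % MOD
    return ack.ack % MOD == expected

def handshake(client_isn, spoofed=False):
    """Run SYN, SYN+ACK, ACK; return the SYN+ACK and the filter's verdict."""
    syn = Segment("198.51.100.7", 40000, "203.0.113.1", 443,
                  frozenset({"SYN"}), seq=client_isn % MOD)
    synack = on_syn(syn)
    # A sender using a forged source address never receives the SYN+ACK,
    # so its acknowledgment number is modelled as any value other than ISN + 1.
    ack_no = (synack.seq + 2) % MOD if spoofed else (synack.seq + 1) % MOD
    ack = Segment(syn.src, syn.sport, syn.dst, syn.dport, frozenset({"ACK"}),
                  seq=(syn.seq + 1) % MOD, ack=ack_no)
    return synack, accept_ack(ack)
```

Because `on_syn` keeps no state, a flood of SYN segments from forged addresses consumes no connection table entries; only a sender that actually received the SYN+ACK can produce an acknowledgment that `accept_ack` admits.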