TCP (Transmission Control Protocol) is a protocol that controls the transmission of data. It is almost always used on top of IP to ensure reliable packet transmission, so this stack of protocols is often called TCP/IP. In the OSI model it operates at layer 4, the transport layer.
What Is a Three-Way TCP Handshake?
To establish a reliable connection, TCP uses a process called the “three-way handshake”. The established connection is full-duplex: both sides can transmit information simultaneously, and they synchronize (SYN) and acknowledge (ACK) each other. The exchange is performed as follows:
1) The client sends a segment with the SYN flag set. The segment is assigned an arbitrary sequence number in the range from 1 to 2^32 (the so-called initial sequence number), relative to which the segments in the connection will be counted from then on.
2) The server receives the request and sends a response segment with the SYN+ACK flags set simultaneously, while writing the received sequence number increased by 1 in the “acknowledgment number” field (which confirms the receipt of the first segment), and also sets its own sequence number, which, as in the SYN segment, is selected arbitrarily.
3) After the client receives a segment with the SYN+ACK flags, the connection is considered established. The client, in turn, responds with a segment that has the ACK flag set and updated sequence numbers, and that does not contain a payload.
4) Data transfer begins.
During the data transfer, the client and the server exchange segments with the ACK or PSH+ACK flags set, alternately confirming the number of packets received by increasing the sequence number and acknowledgment number.
Steps 1 and 2 determine the connection parameter (the sequence number) for one direction and confirm it. Steps 2 and 3 determine the connection parameter for the other direction and also confirm it. Together they establish a full-duplex connection.
Interestingly, the initial SYN parameters are selected randomly when establishing connections between the client and the server.
In conclusion, it should be added that checking the sequence numbers of incoming packets and the principles used in a 3-way handshake allow you to implement the simplest methods of filtering DDoS attacks.
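The sequence-number check from steps 2 and 3, applied as a handshake filter, in an added example that is not part of the original article: the server derives its initial sequence number from a keyed hash of the connection's addresses, ports and the client's number, so it can verify the final ACK without storing anything for half-open connections. It is a simplified scheme in the spirit of SYN cookies (real implementations also encode a time counter and the MSS); the function names, the secret and the sample segments are constructed for illustration.

```python
import hashlib, hmac, socket, struct

MOD = 2 ** 32  # sequence and acknowledgment numbers wrap at 2^32
SECRET = b"constructed-demo-secret"  # constructed; assumption: a real server uses a random, rotated key

def server_isn(src, sport, dst, dport, client_isn, secret=SECRET):
    """Derive the server's initial sequence number from the 4-tuple and the client's ISN."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHI", sport, dport, client_isn)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]

def syn_ack_for(syn):
    """Step 2: compute the SYN+ACK fields without keeping per-connection state."""
    client_isn = syn["seq"] % MOD
    isn = server_isn(syn["src"], syn["sport"], syn["dst"], syn["dport"], client_isn)
    return {"flags": "SA", "seq": isn, "ack": (client_isn + 1) % MOD}

def final_ack_is_valid(seg):
    """Step 3: accept the ACK only if it acknowledges the sequence number we would have sent."""
    if seg["flags"] != "A":
        return False
    client_isn = (seg["seq"] - 1) % MOD  # the client's ACK carries its own ISN + 1
    expected = (server_isn(seg["src"], seg["sport"], seg["dst"], seg["dport"], client_isn) + 1) % MOD
    return seg["ack"] % MOD == expected

def demo():
    # Constructed segments; the client ISN sits at the top of the range to exercise wrap-around.
    syn = {"src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.5", "dport": 443,
           "flags": "S", "seq": MOD - 1}
    syn_ack = syn_ack_for(syn)
    # A client that received the SYN+ACK echoes the server's number + 1.
    good = dict(syn, flags="A", seq=(syn["seq"] + 1) % MOD, ack=(syn_ack["seq"] + 1) % MOD)
    # A sender that never saw the SYN+ACK (for example, a spoofed source) has to guess it.
    guessed = dict(good, ack=(good["ack"] + 12345) % MOD)
    return syn_ack, final_ack_is_valid(good), final_ack_is_valid(guessed)

if __name__ == "__main__":
    print(demo())
```
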