# TCP Handshake
## What is the TCP Handshake
The TCP handshake is the process used to establish a TCP connection between two hosts before data transfer begins. TCP uses a three-step process called the three-way handshake to create a connection. This handshake allows both hosts to synchronize their sequence numbers, agree on connection parameters, and confirm that both are ready to communicate. Every TCP connection begins with this handshake, and no data is transferred until it is complete.
## Three-Way Handshake Steps
In the first step, the client sends a TCP segment with the SYN flag set to the server. SYN stands for synchronize. This segment contains the client's initial sequence number, which is a randomly chosen number that serves as the starting point for all data sent by the client in this connection. The client also includes a window size indicating how much data it can receive. The client transitions to the SYN_SENT state.
In the second step, the server receives the SYN segment and responds with a segment that has both the SYN and ACK flags set. The SYN flag indicates the server's own initial sequence number, which is also randomly chosen. The ACK flag acknowledges the client's SYN by setting the acknowledgment number to the client's initial sequence number plus 1. The server transitions to the SYN_RECEIVED state.
In the third step, the client receives the SYN-ACK from the server and sends a final ACK segment. The acknowledgment number is set to the server's initial sequence number plus 1. The client transitions to the ESTABLISHED state. When the server receives this ACK, it also transitions to the ESTABLISHED state. The connection is now established and data transfer can begin.
## Why Three Steps
Two steps would not be sufficient because the client would have no confirmation that the server's initial sequence number was received. The three-way handshake ensures both sides have confirmed reception of each other's initial sequence numbers, which is necessary for the reliable sequencing of data.
## Connection Termination
TCP uses a four-way process to terminate connections. Either side can initiate termination. The initiating side sends a FIN segment. The other side acknowledges with an ACK. The other side then sends its own FIN when it has finished sending data. The initiating side acknowledges with a final ACK. After sending the final ACK, the initiating side enters the TIME_WAIT state, where it waits for twice the maximum segment lifetime to ensure any delayed packets from the closed connection are discarded before resources are released.
## SYN Flood Attack
A SYN flood is a denial-of-service attack that exploits the three-way handshake. The attacker sends many SYN segments with spoofed source IP addresses. The server responds with SYN-ACK segments and waits for the final ACK, consuming server resources for each half-open connection. Because the source addresses are spoofed, no final ACK arrives. The server's connection table fills up with half-open connections, preventing legitimate connections from being established. SYN cookies are a defense mechanism that avoids storing connection state until the three-way handshake is complete.
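
The SYN cookie idea described above, as an added example that is not part of the original page: the server packs a time slot, an MSS index and a keyed hash of the connection into its own initial sequence number, then recomputes it when the final ACK arrives instead of looking up stored state. The bit layout, MSS table, key, timestamp and addresses are assumptions chosen for illustration, not any particular operating system's implementation.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-key"      # constructed; a real server uses a random, rotated key
MSS_TABLE = [536, 1300, 1440, 1460]   # assumed table; the cookie carries a 2-bit index into it
SLOT_SECONDS = 64                     # assumed time-slot length
MAC_BITS = 25                         # 32 bits = 5-bit slot counter + 2-bit MSS index + 25-bit MAC

def _mac(src, sport, dst, dport, client_isn, slot):
    """Keyed hash over the connection 4-tuple, the client's ISN and the time slot."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIq", sport, dport, client_isn, slot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - MAC_BITS)

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Step 2: derive the server's ISN for the SYN-ACK without storing any state."""
    slot = int(now) // SLOT_SECONDS
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((slot % 32) << 27) | (idx << 25) | _mac(src, sport, dst, dport, client_isn, slot)

def check_ack(src, sport, dst, dport, seq, ack, now):
    """Step 3: the final ACK carries seq = client ISN + 1 and ack = cookie + 1.
    Returns the negotiated MSS if the cookie is genuine and fresh, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):        # accept the current and previous slot
        if slot % 32 != cookie >> 27:
            continue
        expected = _mac(src, sport, dst, dport, client_isn, slot)
        got = cookie & ((1 << MAC_BITS) - 1)
        if hmac.compare_digest(expected.to_bytes(4, "big"), got.to_bytes(4, "big")):
            return MSS_TABLE[(cookie >> 25) & 0b11]
    return None

if __name__ == "__main__":
    t0 = 1_700_000_000                                   # constructed timestamp
    peer = ("198.51.100.7", 40000, "192.0.2.10", 443)    # constructed 4-tuple
    cookie = make_cookie(*peer, client_isn=1000, mss=1400, now=t0)
    print(check_ack(*peer, seq=1001, ack=cookie + 1, now=t0 + 30))   # valid ACK
    print(check_ack(*peer, seq=1001, ack=cookie + 2, now=t0 + 30))   # wrong ack number
    print(check_ack(*peer, seq=1001, ack=cookie + 1, now=t0 + 300))  # cookie too old
```

A spoofed SYN costs the server only one hash computation here, because no table entry exists until `check_ack` succeeds.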