Why Does TCP Need a Three‑Way Handshake and a Four‑Way Teardown? Explained
This article explains the OSI model, the TCP/IP protocol suite, and in detail how TCP establishes connections with a three‑way handshake and terminates them with a four‑way handshake, including the reasons behind each step and related security considerations.
What is the OSI model?
The Open Systems Interconnection (OSI) reference model, defined by ISO/IEC 7498‑1, is a conceptual framework that standardizes the functions of a telecommunication or computing system into seven distinct layers.
Layer 7 – Application Layer. Main function: provides interfaces for application software to use network services. Typical devices: gateways. Typical protocols, standards and applications: HTTP (80), FTP (20/21), SMTP (25), POP3 (110), Telnet (23), DNS (53).
Layer 6 – Presentation Layer. Main function: data encoding/decoding, encryption/decryption, compression/decompression. Typical devices: gateways. Typical protocols, standards and applications: ASCII, PICT, TIFF, JPEG, MIDI, MPEG.
Layer 5 – Session Layer. Main function: establishes, maintains, and manages sessions between applications. Typical devices: gateways. Typical protocols, standards and applications: RPC, SQL, NFS, X WINDOWS, ASP.
Layer 4 – Transport Layer. Main function: provides end‑to‑end communication, ensuring reliable data transfer. Typical devices: gateways. Typical protocols, standards and applications: TCP, UDP, SPX.
Layer 3 – Network Layer. Main function: routes and addresses packets from source to destination. Typical devices: routers. Typical protocols, standards and applications: IP, IPX, APPLETALK, ICMP.
Layer 2 – Data Link Layer. Main function: provides reliable data transfer over an unreliable physical link. Typical devices: switches, bridges, network cards. Typical protocols, standards and applications: 802.2, 802.3, ATM, HDLC, FRAME RELAY.
Layer 1 – Physical Layer. Main function: transmits raw bit streams over a physical medium. Typical devices: hubs, repeaters. Typical protocols, standards and applications: V.35, EIA/TIA‑232.
TCP/IP Protocol Suite
The Internet Protocol Suite, commonly called TCP/IP, is the set of communication protocols that form the foundation of the Internet. It includes core protocols such as TCP (Transmission Control Protocol) and IP (Internet Protocol) and is organized into a four‑layer stack that roughly corresponds to a simplified OSI model. TCP/IP provides a point‑to‑point connection mechanism, standardizing how data is encapsulated, addressed, transmitted, routed, and received. The suite originated from the U.S. Department of Defense’s ARPA network project and is maintained by the IETF.
TCP three‑way handshake
First handshake: Client sets SYN=1, chooses an initial sequence number (e.g., SEQ=100), sends the segment to the server, and enters SYN_SENT state awaiting acknowledgment.
Second handshake: Server receives the SYN, replies with SYN=1 and ACK=100+1, chooses its own sequence number (e.g., SEQ=130), and enters SYN_RCVD state.
Third handshake: Client acknowledges with ACK=130+1, server verifies the ACK, both sides enter ESTABLISHED state and data transfer can begin.
A complete three‑way handshake is essentially “request – response – final acknowledgment.”
TCP four‑way termination
First termination: Client sends FIN to close its direction of data flow and enters FIN_WAIT_1.
Second termination: Server acknowledges with ACK=100+1 (FIN consumes one sequence number) and enters CLOSE_WAIT.
Third termination: Server sends its own FIN and enters LAST_ACK.
Fourth termination: Client receives FIN, sends ACK=131+1, enters TIME_WAIT, and after waiting 2 MSL moves to CLOSED.
Q&A
Why is establishing a connection a three‑way handshake while closing it requires four steps?
During connection establishment the server can combine SYN and ACK in a single segment, but during termination each side must independently signal that it has finished sending data, so FIN and ACK are sent separately.
Why does the three‑way handshake prevent stale connection requests?
It ensures that both parties have exchanged sequence numbers and acknowledgments, discarding delayed or duplicated SYN packets that could otherwise create bogus connections and waste resources.
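The handshake steps and the stale-request case above, as an added example that is not part of the original article: two small endpoint models exchange segments using the article's sequence numbers (100 and 130), then a delayed duplicate SYN is replayed to the server. The class and function names and the stale ISN 90 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    flags: set
    seq: int = 0
    ack: int = 0

class Client:
    def __init__(self):
        self.state, self.isn = "CLOSED", None
    def connect(self, isn):
        self.state, self.isn = "SYN_SENT", isn
        return Seg({"SYN"}, seq=isn)
    def receive(self, seg):
        # Accept a SYN-ACK only if it acknowledges the SYN we have outstanding.
        if (self.state == "SYN_SENT" and {"SYN", "ACK"} <= seg.flags
                and seg.ack == self.isn + 1):
            self.state = "ESTABLISHED"
            return Seg({"ACK"}, seq=seg.ack, ack=seg.seq + 1)
        return Seg({"RST"}, seq=seg.ack)       # unknown SYN-ACK: refuse it

class Server:
    def __init__(self, isn=130):
        self.state, self.isn = "LISTEN", isn
    def receive(self, seg):
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.state = "SYN_RCVD"            # half-open until the third segment
            return Seg({"SYN", "ACK"}, seq=self.isn, ack=seg.seq + 1)
        if self.state == "SYN_RCVD" and "RST" in seg.flags:
            self.state = "LISTEN"              # stale request discarded
        elif (self.state == "SYN_RCVD" and "ACK" in seg.flags
                and seg.ack == self.isn + 1):
            self.state = "ESTABLISHED"         # third segment verified
        return None

def normal_open():
    client, server = Client(), Server()
    final_ack = client.receive(server.receive(client.connect(100)))
    server.receive(final_ack)
    return client.state, server.state, final_ack.ack

def stale_syn():
    # A delayed duplicate SYN (constructed ISN 90) arrives; the client is idle.
    client, server = Client(), Server()
    reply = client.receive(server.receive(Seg({"SYN"}, seq=90)))
    server.receive(reply)
    return client.state, server.state, sorted(reply.flags)
```

With only two steps the server would have treated the stale SYN as a live connection; the third segment is what lets it tell the two cases apart.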
What is a SYN attack?
In a SYN flood, an attacker sends a large number of SYN packets with forged source addresses. The server allocates resources for each half‑open connection (SYN‑RECV) and waits for the final ACK, which never arrives, exhausting the connection queue and causing a denial‑of‑service.
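To make the resource exhaustion concrete, this added example (not from the original article) models a server that stores state for every SYN beside one that uses SYN cookies, a standard mitigation the article does not cover. The cookie construction is a simplified stand-in rather than any operating system's algorithm, and the backlog size, secret, addresses and tick value are constructed.

```python
import hashlib
import hmac

BACKLOG = 4                       # constructed, deliberately tiny half-open queue
SECRET = b"constructed-demo-key"  # constructed; a real stack uses a random secret

class BacklogServer:
    """Keeps per-connection state from the first SYN, as described above."""
    def __init__(self):
        self.half_open = {}
    def on_syn(self, src, client_isn):
        if len(self.half_open) >= BACKLOG:
            return None           # queue exhausted: the SYN is dropped
        self.half_open[src] = client_isn
        return 130                # server ISN from the article's example

def cookie(src, client_isn, tick):
    """Server ISN derived from the connection itself, so nothing is stored."""
    msg = f"{src}|{client_isn}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class CookieServer:
    def __init__(self):
        self.established = set()
    def on_syn(self, src, client_isn, tick):
        return cookie(src, client_isn, tick)       # SYN-ACK sequence number
    def on_ack(self, src, seq, ack, tick):
        # The final ACK carries seq = client ISN + 1 and ack = cookie + 1.
        for t in (tick, tick - 1):                 # current and previous tick
            if (cookie(src, seq - 1, t) + 1) % 2**32 == ack:
                self.established.add(src)
                return True
        return False

def simulate(flood=100):
    forged = [(f"198.51.100.{i + 1}", 40000 + i) for i in range(flood)]  # constructed
    legit = ("192.0.2.10", 51000)                                        # constructed
    plain, cookies = BacklogServer(), CookieServer()
    for src in forged:            # SYNs whose final ACK never arrives
        plain.on_syn(src, 1)
        cookies.on_syn(src, 1, tick=7)
    plain_ok = plain.on_syn(legit, 100) is not None
    isn = cookies.on_syn(legit, 100, tick=7)
    cookie_ok = cookies.on_ack(legit, 101, (isn + 1) % 2**32, tick=7)
    forged_ok = cookies.on_ack(forged[0], 2, 12345, tick=7)   # guessed ACK number
    return plain_ok, cookie_ok, forged_ok, len(plain.half_open), len(cookies.established)
```

The stateful server refuses the legitimate client once four half-open entries exist, while the cookie server allocates nothing until a final ACK proves the sender saw the SYN-ACK.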
Why must a connection stay in TIME_WAIT for 2 MSL before closing?
The TIME_WAIT period allows the final ACK to be retransmitted if it was lost, and gives any stray segments from the connection time to leave the network before the socket is fully closed.
During the three‑way handshake, the server’s TCP connection is considered half‑open (half‑connected) from the moment it sends the SYN‑ACK until it receives the client’s ACK.
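The four-way termination and the TIME_WAIT reasoning above, as an added example that is not part of the original article: the final ACK is dropped and the server retransmits its FIN, once against a client that waits in TIME_WAIT and once against a client that closes immediately. FIN_WAIT_2 is the standard state between the second and third steps; "RESET" is this example's label for an aborted close, the 2 MSL timer itself is not modelled, and the class and function names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    flags: set
    seq: int = 0
    ack: int = 0

class ActiveCloser:            # the client in the article
    def __init__(self, seq=100, time_wait=True):
        self.state, self.seq, self.time_wait = "ESTABLISHED", seq, time_wait
    def close(self):
        self.state = "FIN_WAIT_1"
        return Seg({"FIN"}, seq=self.seq)
    def receive(self, seg):
        if self.state == "FIN_WAIT_1" and seg.ack == self.seq + 1:
            self.state = "FIN_WAIT_2"          # our FIN was acknowledged
        elif "FIN" in seg.flags and self.state in ("FIN_WAIT_2", "TIME_WAIT"):
            # First FIN, or a retransmitted FIN caught in TIME_WAIT: (re)send ACK.
            self.state = "TIME_WAIT" if self.time_wait else "CLOSED"
            return Seg({"ACK"}, seq=self.seq + 1, ack=seg.seq + 1)
        elif self.state == "CLOSED":
            return Seg({"RST"})                # no state left: segment refused
        return None

class PassiveCloser:           # the server in the article
    def __init__(self, seq=131):
        self.state, self.seq = "ESTABLISHED", seq
    def receive(self, seg):
        if self.state == "ESTABLISHED" and "FIN" in seg.flags:
            self.state = "CLOSE_WAIT"
            return Seg({"ACK"}, seq=self.seq, ack=seg.seq + 1)
        if self.state == "LAST_ACK" and "RST" in seg.flags:
            self.state = "RESET"               # close ended abnormally
        elif self.state == "LAST_ACK" and seg.ack == self.seq + 1:
            self.state = "CLOSED"
        return None
    def close(self):
        self.state = "LAST_ACK"
        return Seg({"FIN"}, seq=self.seq)

def teardown(time_wait=True, lose_final_ack=True):
    client, server = ActiveCloser(time_wait=time_wait), PassiveCloser()
    client.receive(server.receive(client.close()))   # FIN ->, <- ACK
    fin = server.close()                             # <- FIN
    final_ack = client.receive(fin)                  # ACK ->
    if lose_final_ack:
        final_ack = client.receive(fin)              # server retransmits its FIN
    server.receive(final_ack)
    return client.state, server.state
```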