Why Does TCP Need a Three‑Way Handshake and a Four‑Way Teardown? Explained with Linux Tweaks

Understanding TCP requires knowing the three‑way handshake that establishes a connection and the four‑step termination that safely closes it. The handshake involves a SYN from the client, a SYN‑ACK from the server, and an ACK from the client, after which data can be exchanged.

During termination, either side can initiate the close by sending a FIN. The peer acknowledges with an ACK, enters FIN_WAIT states, and eventually sends its own FIN. The initiator then acknowledges and may enter TIME_WAIT for 2 MSL (Maximum Segment Lifetime) to ensure all stray packets are discarded.

TIME_WAIT Accumulation Problem

On busy web servers, a large number of sockets remain in TIME_WAIT, which can exhaust the available port range (65 535 ports) and degrade performance. An example netstat snapshot shows a high TIME_WAIT count:

# netstat -an | awk '/^tcp/ {++State[$NF]}END{for(key in State)print key "\t" State[key]}'
LAST_ACK	7
LISTEN	9
SYN_RECV	2
CLOSE_WAIT	125
ESTABLISHED	1070
FIN_WAIT1	17
FIN_WAIT2	247
CLOSING	4
TIME_WAIT	25087

Linux Kernel Tweaks to Reduce TIME_WAIT

Several sysctl parameters can be adjusted to mitigate the issue:

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000

Parameter explanations: net.ipv4.tcp_syncookies = 1: Enables SYN cookies to protect against SYN‑flood attacks. net.ipv4.tcp_tw_reuse = 1: Allows reuse of TIME_WAIT sockets for new connections when safe. net.ipv4.tcp_tw_recycle = 1: Enables fast recycling of TIME_WAIT sockets (should be disabled in NAT environments). net.ipv4.tcp_max_tw_buckets = 5000: Caps the number of simultaneous TIME_WAIT sockets; excess sockets are dropped. net.ipv4.tcp_max_syn_backlog = 8192: Increases the SYN queue size to handle more pending connections. net.ipv4.tcp_keepalive_time = 1200: Reduces the keepalive interval from the default 2 hours to 20 minutes. net.ipv4.ip_local_port_range = 1024 65000: Expands the usable outbound port range.

After applying these settings, a new netstat check typically shows a much lower TIME_WAIT count:

# netstat -an | awk '/^tcp/ {++State[$NF]}END{for(key in State)print key "\t" State[key]}'
LAST_ACK	140
LISTEN	9
SYN_RECV	7
CLOSE_WAIT	2
ESTABLISHED	972
FIN_WAIT1	21
FIN_WAIT2	152
CLOSING	2
TIME_WAIT	682

By understanding the TCP lifecycle and tuning the kernel parameters, administrators can significantly reduce socket exhaustion and improve server responsiveness.