Why TCP Needs Three Handshakes and Four Teardowns: A Beginner’s Guide

TCP Three-Way Handshake and Four-Way Teardown (Beginner’s Guide)

1. Prerequisite Knowledge

TCP protocol characteristics: connection‑oriented, reliable transmission, full‑duplex communication, flow control (sliding window), and congestion control (slow start).

2. Key Terminology

SYN : Synchronize flag, used to establish a connection.

ACK : Acknowledgment flag, used to confirm receipt of data.

FIN : Finish flag, used to release a connection.

SEQ : Sequence number (32‑bit random), ensures ordered data.

ACK number : Expected next sequence number (SEQ+1).

State code : e.g., SYN_SENT, ESTABLISHED, describing TCP connection state.

3. Three‑Way Handshake Deep Dive (Connection Establishment)

Scenario: like a phone call.

Client sends SYN (SYN=1, SEQ=X) → state SYN_SENT.

Server replies SYN+ACK (SYN=1, ACK=1, SEQ=Y, ACK=X+1) → state SYN_RCVD.

Client sends ACK (ACK=1, SEQ=X+1, ACK=Y+1) → both enter ESTABLISHED.

Why three handshakes?

Prevent old connections (SYN‑flood protection).

Synchronize initial sequence numbers.

Avoid resource waste (half‑open connections).

4. Four‑Way Teardown Deep Dive (Connection Release)

Scenario: ending a phone call.

FIN from active closer (FIN=1, SEQ=U) → FIN_WAIT_1.

ACK from passive side (ACK=1, ACK=U+1) → CLOSE_WAIT.

Passive side sends FIN (FIN=1, SEQ=V) → LAST_ACK.

Active side ACKs (ACK=1, ACK=V+1) → TIME_WAIT (2 MSL).

Why four teardowns?

Half‑close property: each direction must close independently.

Separate FIN and ACK to avoid state confusion.

Ensure reliable termination; TIME_WAIT handles delayed packets.

5. TIME_WAIT Details

Duration: 2 × MSL (Maximum Segment Lifetime), typically 120 seconds on Linux.

Purpose: guarantee the final ACK reaches the peer and allow old duplicate segments to expire.

6. Abnormal Situations

Handshake packet loss → retransmission (controlled by /proc/sys/net/ipv4/tcp_syn_retries).

Lost FIN → retransmit until ACK received or timeout.

Server crash → client receives RST on further data.

Network interruption → TCP Keepalive detection.

7. Common Interview Questions

Q1: How does a SYN flood attack work?

Attacker sends massive forged SYN packets, exhausting the server’s half‑connection queue and preventing legitimate connections.

Q2: Why can’t we close a TCP connection with three teardowns?

TCP is full‑duplex; both directions must be closed, requiring four steps.

Q3: How to handle excessive CLOSE_WAIT states?

Usually caused by applications not calling close(); fix the code to properly close sockets.

Q4: How to optimize TIME_WAIT?

Adjust kernel parameter net.ipv4.tcp_tw_reuse.

Use the SO_REUSEADDR socket option.

Prefer persistent (long‑lived) connections.