Only after confirming both parties can send and receive does the real conversation begin. TCP's three-way handshake is precisely this ritual — a formal confirmation that both sides are ready to communicate before a single byte of application data is exchanged.

The handshake serves three purposes: it establishes the connection, synchronizes sequence numbers, and negotiates parameters. Miss any one of these, and data transfer becomes unreliable.

SYN → SYN-ACK → ACK

Step 1: SYN (Client → Server)

The client sends a segment with the SYN (synchronize) flag set. It includes a randomly chosen Initial Sequence Number (ISN) — let's call it x.

"I want to start a connection. My sequence numbers will start at x."

Step 2: SYN-ACK (Server → Client)

The server receives the SYN and responds with both SYN and ACK flags set. It acknowledges the client's sequence number and announces its own.

"I received your request. My sequence numbers start at y. I'm ready."

Step 3: ACK (Client → Server)

The client acknowledges the server's sequence number. The connection is now ESTABLISHED.

"Confirmed. Let's talk."

Why Three Steps, Not Two or Four?

Why not two steps (SYN + SYN-ACK)?

If the server sent SYN-ACK and immediately started sending data, the client's ACK might never arrive. The server would not know whether the client was ready. Two steps give the server no confirmation.

Why not four steps?

You could separate the server's SYN and ACK into two separate messages, but there is no benefit — they can be sent simultaneously in one segment (SYN-ACK). Four steps would add unnecessary latency.

Three is the minimum number of messages that guarantees both sides have confirmed they can send and receive.

Sequence Numbers: How TCP Tracks Order

Sequence numbers are the backbone of TCP's reliability.

Every byte in a TCP stream has a unique sequence number
The ISN is random (prevents historical packet confusion and security attacks)
The ACK number always means: "I have received everything up to this byte, send me this byte next"

If segments arrive out of order (common in the internet), the receiver uses sequence numbers to reorder them before passing data to the application. If a segment is missing, the receiver signals the gap and the sender retransmits.

TCP Connection Teardown: Four-Way FIN

Closing a TCP connection requires four messages, because each side must independently close its own direction of communication.

The gap between the server's ACK and FIN exists because the server might still have data to send after the client is finished. Each direction of the full-duplex connection closes independently.

TCP States

State	Meaning
CLOSED	No connection exists
LISTEN	Server is waiting for incoming connections
SYN_SENT	Client has sent SYN, waiting for SYN-ACK
SYN_RECEIVED	Server received SYN, sent SYN-ACK, awaiting ACK
ESTABLISHED	Connection active, data transfer in progress
FIN_WAIT_1	Sent FIN, waiting for ACK
FIN_WAIT_2	FIN acknowledged, waiting for other side's FIN
CLOSE_WAIT	Received FIN, waiting for local application to close
LAST_ACK	Sent final FIN, waiting for last ACK
TIME_WAIT	Waiting 2×MSL to ensure final ACK was received
CLOSING	Both sides sent FIN simultaneously

TIME_WAIT Explained

After the final ACK, the client waits 2 × MSL (Maximum Segment Lifetime) — typically 60–120 seconds — before fully closing. This ensures:

The final ACK actually reached the server
Any delayed packets from the old connection expire before a new one on the same port

SYN Flood Attack

The handshake has a vulnerability: after receiving a SYN and sending SYN-ACK, the server allocates resources and waits for the ACK. If the ACK never comes, the server holds a half-open connection until it times out.

A SYN flood attack exploits this:

An attacker sends thousands of SYN segments from spoofed IP addresses
The server sends SYN-ACK to addresses that never respond
The server's connection queue fills with half-open connections
Legitimate connections are rejected — Denial of Service

Defense: SYN Cookies

SYN cookies eliminate the need to store state for half-open connections:

Server receives SYN but does not allocate resources
Server encodes connection parameters into the SYN-ACK's sequence number (the "cookie")
When the ACK arrives, the server reconstructs the connection state from the ACK number
Only legitimate connections (that return the correct ACK) consume server resources

SYN cookies are now standard in Linux and Windows kernels.

TCP Window Size and Flow Control

The window size field in the TCP header tells the sender how many bytes the receiver can currently accept in its buffer.

Sender: sends up to window_size bytes without waiting for ACK
Receiver: ACK says "received X, my window is now Y bytes"

If the receiver's buffer fills (slow application), it advertises window size = 0 → sender pauses
When buffer drains, receiver sends a window update → sender resumes

This prevents a fast sender from overwhelming a slow receiver — a mechanism called flow control. It is distinct from congestion control, which responds to network capacity rather than receiver capacity.

Window Scaling (RFC 7323): The original window size field is 16 bits (max 65535 bytes). Modern networks with high bandwidth-delay products need larger windows. The window scaling option allows window sizes up to 1 GB.

Key Takeaways

The three-way handshake (SYN, SYN-ACK, ACK) establishes a connection and synchronizes sequence numbers
Three steps is the provable minimum for mutual confirmation
TCP teardown uses four messages because each direction closes independently
Sequence numbers enable reliable, ordered delivery and retransmission
SYN flood exploits the half-open connection state; SYN cookies defeat it
Window size enables flow control between sender and receiver

💬 DiscussionPowered by GitHub Discussions

📱

Get this course's notes on Telegram!

Free cheat sheets, summaries & practice exercises

Get Notes Free →

32 minLesson 11 of 17

Course Contents(17 lessons)

▾

Chapter 1: Network Foundations

What Is a Computer Network? Types and Topologies22 min

Network Devices: Hubs, Switches, Routers Explained25 min

Chapter 2: OSI and TCP/IP Models

The 7-Layer OSI Model: A Layer-by-Layer Journey35 min

TCP/IP Model: How the Internet Actually Works28 min

Data Encapsulation: How Packets Are Built and Unwrapped25 min

Chapter 3: Network and Data Link Layers

IP Addressing: IPv4, Subnets, and CIDR Notation35 min

IPv6: Why We Needed It and How It Works25 min

Routing Algorithms: How Packets Find Their Way30 min

MAC Addresses and the Data Link Layer25 min

Chapter 4: Transport Layer

TCP vs UDP: Reliability vs Speed30 min

TCP Deep Dive: Handshake, Flow Control, Congestion32 min

Chapter 5: Application Layer Protocols

DNS: How Domain Names Become IP Addresses30 min

HTTP and HTTPS: The Web's Foundation32 min

Email, FTP, and Other Application Protocols25 min

Chapter 6: Network Security

Network Security: Threats, Attacks, and Defenses30 min

Firewalls, VPNs, and Network Access Control28 min

SSL/TLS: How HTTPS Encrypts Your Data30 min