
TCP three-way handshake

SYN, SYN-ACK, ACK. One round trip to exchange initial sequence numbers and open a connection.

The TCP handshake uses 3 packets to establish a connection. It takes 1 RTT, exchanges initial sequence numbers (ISNs), and negotiates options like MSS, window scaling, and SACK.

The 3 packets

  1. Client to server: SYN with client's ISN (call it x).
  2. Server to client: SYN-ACK with server's ISN (y) and ACK = x+1.
  3. Client to server: ACK with seq = x+1, ack = y+1. May piggyback data.

After the third packet, both sides have agreed on starting sequence numbers and are ready to exchange data.

Why three packets and not two

A two-packet handshake would let either side send data after one round trip, but it could not detect duplicate or delayed SYNs from a previous connection. The third ACK confirms the server's ISN reached the client, ruling out stale state.

This matters because TCP sequence numbers wrap (32-bit space), and old packets can linger in the network for minutes. The handshake plus randomized ISNs keeps those stale packets from being mistaken for part of the new connection.

Connection states

  • CLOSED: nothing.
  • LISTEN: server waiting (after listen()).
  • SYN_SENT: client sent SYN.
  • SYN_RECEIVED: server got SYN, sent SYN-ACK.
  • ESTABLISHED: handshake complete.

What gets negotiated

  • ISNs: random per connection, prevents replay.
  • MSS: max segment size, usually 1460 on Ethernet.
  • Window scale: multiplier for the 16-bit window field.
  • SACK permitted: enables selective acknowledgments.
  • Timestamps: for RTT measurement and PAWS.

The 1-RTT cost

On a 50 ms RTT link, the handshake adds 50 ms before the HTTP request can even leave the client. With TLS on top, total cold-start latency is 100-150 ms before the first byte of response.

SYN flood and the cost of half-open

A SYN flood sends SYNs without completing handshakes. The server allocates connection state for each, exhausting memory. Defense: SYN cookies, which encode the connection state into the ISN itself so the server can stay stateless until the final ACK arrives.
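
The SYN cookie idea above, as an added example (not code from this page or from any TCP stack): the server ISN y packs a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed MAC, and the final ACK is validated from ack = y+1 alone. The bit layout is a simplified sketch; the secret, the MSS table, the function names and the sample flow are constructed assumptions.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-key"     # assumption: a real stack uses a random per-boot key
MSS_TABLE = [536, 1220, 1440, 1460]  # constructed table addressed by the 3-bit index
MAX_AGE = 2                          # accept cookies up to 2 counter ticks old

def _mac24(src, sport, dst, dport, client_isn, t):
    """24-bit keyed MAC over the 4-tuple, the client's ISN (x) and the time counter."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHII", sport, dport, client_isn, t)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, client_isn, client_mss, t):
    """Server ISN (y) for the SYN-ACK. No per-connection state is stored."""
    # Round the client's MSS down to a table entry; fall back to the smallest.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, client_isn, t), "big")
    return ((t % 32) << 27) | (idx << 24) | mac

def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the final ACK (seq = x+1, ack = y+1); return the MSS or None."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    t5, idx = cookie >> 27, (cookie >> 24) & 7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if idx >= len(MSS_TABLE):
        return None
    for age in range(MAX_AGE + 1):   # try each counter value still inside the window
        t = now - age
        if t >= 0 and t % 32 == t5 and hmac.compare_digest(
                mac, _mac24(src, sport, dst, dport, client_isn, t)):
            return MSS_TABLE[idx]    # connection state is allocated only at this point
    return None

# Constructed sample flow using documentation address ranges.
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 443)
```

Only 3 bits are available for the MSS here, so the negotiated value is rounded down to a table entry, and options such as window scale and SACK do not fit in this layout at all.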