Updated on August 4, 2025
The three-way handshake forms the foundation of every reliable TCP connection. This process ensures that both client and server are ready to exchange data before any information transfers begin.
Understanding this mechanism is essential for network administrators, security specialists, and anyone working with TCP-based applications. The handshake prevents data loss, maintains connection reliability, and establishes the parameters that govern all subsequent communication.
This article examines the technical details of how the three-way handshake works, its core components, and the troubleshooting considerations that affect real-world implementations.
Definition and Core Concepts
The three-way handshake is a three-step negotiation process between a client and server that establishes a TCP connection. This process occurs before any application data transfers and ensures both endpoints are synchronized and ready to communicate.
TCP (Transmission Control Protocol)
Transmission Control Protocol (TCP) is a connection-oriented protocol that provides reliable, ordered delivery of data between applications. Unlike connectionless protocols, TCP requires this handshake to establish state information before data exchange begins.
TCP operates at the transport layer and handles error detection, flow control, and congestion management. The three-way handshake initializes these mechanisms.
SYN (Synchronize)
The SYN flag initiates connection establishment. When set in a TCP packet header, it signals the receiver that the sender wants to establish a new connection.
SYN packets contain an initial sequence number that serves as the starting point for packet ordering. This number is randomly generated to prevent connection hijacking and packet injection attacks.
ACK (Acknowledge)
The ACK flag acknowledges receipt of data or control information. During the handshake, ACK packets confirm that handshake messages arrived successfully.
The acknowledgment number field specifies the next sequence number the sender expects to receive. This creates a confirmation mechanism that ensures both sides track the connection state accurately.
Sequence Numbers
Sequence numbers are 32-bit values that identify the position of data within the TCP stream. Each byte of data receives a sequence number, allowing the receiver to reassemble packets in correct order.
The initial sequence number is randomly selected during connection establishment. This randomization prevents attackers from predicting valid sequence numbers and injecting malicious packets into existing connections.
How It Works
The three-way handshake consists of three distinct message exchanges between client and server. Each message serves a specific purpose in establishing the connection parameters.
Step 1: SYN
The client initiates the connection by sending a TCP packet with the SYN flag set. This packet contains the client’s initial sequence number (ISN) and connection parameters.
The client sets its sequence number to a random 32-bit value. TCP window size, maximum segment size, and other connection options are included in this initial packet.
The client enters the SYN-SENT state and waits for the server’s response. If no response arrives within the timeout period, the client retransmits the SYN packet.
Step 2: SYN-ACK
The server responds with a packet containing both SYN and ACK flags. This message serves two functions: acknowledging the client’s SYN and providing the server’s own connection parameters.
The server sets its own random initial sequence number and acknowledges the client’s sequence number by setting the acknowledgment field to the client’s ISN plus one.
The server enters the SYN-RECEIVED state. Connection resources are allocated, but the connection is not yet fully established.
Step 3: ACK
The client completes the handshake by sending an ACK packet that acknowledges the server’s sequence number. The acknowledgment number is set to the server’s ISN plus one.
At this point, both client and server enter the ESTABLISHED state. The connection is ready for bidirectional data transfer.
This final ACK can carry application data, allowing the client to begin sending information immediately after connection establishment.
Client                    Server
  |                          |
  |---------- SYN ---------->|
  |                          |
  |<------- SYN-ACK ---------|
  |                          |
  |---------- ACK ---------->|
  |                          |
  |  CONNECTION ESTABLISHED  |
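The three steps above, as an added example (not from the original article): a minimal model of both endpoints that follows the state transitions and the ISN-plus-one acknowledgment arithmetic, including wraparound at 2^32. The class and function names are illustrative, and the ISNs are passed in so the run is reproducible; a real stack chooses them randomly.

```python
from dataclasses import dataclass

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around

@dataclass
class Segment:
    flags: frozenset  # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0

class Endpoint:
    """Illustrative model of one side of the handshake (not a real TCP stack)."""
    def __init__(self, isn, state="CLOSED"):
        self.isn = isn % MOD
        self.state = state
        self.peer_next = None  # next sequence number expected from the peer

    def connect(self):
        # Step 1: the client sends SYN carrying its ISN.
        self.state = "SYN-SENT"
        return Segment(frozenset({"SYN"}), self.isn)

    def receive(self, seg):
        """Process one segment and return the reply, or None if there is none."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN-ACK with ack = client ISN + 1.
            self.peer_next = (seg.seq + 1) % MOD
            self.state = "SYN-RECEIVED"
            return Segment(frozenset({"SYN", "ACK"}), self.isn, self.peer_next)
        if self.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != (self.isn + 1) % MOD:
                return None  # does not acknowledge our SYN; a real stack sends RST
            # Step 3: ACK with ack = server ISN + 1.
            self.peer_next = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return Segment(frozenset({"ACK"}), (self.isn + 1) % MOD, self.peer_next)
        if self.state == "SYN-RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack == (self.isn + 1) % MOD and seg.seq == self.peer_next:
                self.state = "ESTABLISHED"
        return None

def handshake(client_isn, server_isn):
    """Run the three steps; ISNs are parameters so the run is reproducible."""
    client, server = Endpoint(client_isn), Endpoint(server_isn, "LISTEN")
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return [syn, syn_ack, ack], client.state, server.state
```

With a client ISN of 0xFFFFFFFF the SYN-ACK acknowledges 0, because ISN plus one is taken modulo 2^32.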
Key Features and Components
The three-way handshake relies on specific TCP header fields and flags to coordinate connection establishment between endpoints.
TCP Header Flags
The SYN flag indicates connection initiation. Only the first packet from each endpoint should have this flag set during normal connection establishment.
The ACK flag acknowledges received data or control messages. After the initial SYN packet, all TCP packets in the connection contain the ACK flag.
Additional flags like FIN, RST, and PSH serve other purposes but are not part of the standard three-way handshake process.
Sequence Number Synchronization
Both endpoints generate random initial sequence numbers to prevent connection hijacking attacks. These numbers establish the baseline for all subsequent data transmission.
The sequence number space is 32 bits, providing over 4 billion unique values. Proper randomization makes it computationally infeasible for attackers to guess valid sequence numbers.
Sequence number wraparound can occur during long-lived connections, but TCP handles this scenario through careful modular arithmetic in sequence number comparisons.
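The modular comparison mentioned above, as an added example (not from the original article): a 32-bit sequence comparison and an in-order reassembly routine that keeps working when the byte stream crosses 0xFFFFFFFF. The function names are illustrative and the segments are constructed.

```python
MOD = 1 << 32   # size of the sequence space
HALF = 1 << 31

def seq_lt(a, b):
    """True if a precedes b; same as the signed test (int32)(a - b) < 0.

    Only meaningful while a and b are less than 2**31 apart.
    """
    return (a - b) % MOD >= HALF

def reassemble(rcv_nxt, segments):
    """Deliver contiguous bytes from (seq, payload) pairs, starting at rcv_nxt.

    Returns (data, next expected sequence number). Old duplicates are dropped,
    overlaps are trimmed, and delivery stops at the first gap.
    """
    start = rcv_nxt

    def signed_distance(segment):
        d = (segment[0] - start) % MOD
        return d - MOD if d >= HALF else d

    data = bytearray()
    # Order by distance from the expected byte, never by raw sequence value.
    for seq, payload in sorted(segments, key=signed_distance):
        end = (seq + len(payload)) % MOD
        if not seq_lt(rcv_nxt, end):
            continue                    # nothing new in this segment
        if seq_lt(rcv_nxt, seq):
            break                       # gap: bytes before seq are missing
        data += payload[(rcv_nxt - seq) % MOD:]   # skip bytes already delivered
        rcv_nxt = end
    return bytes(data), rcv_nxt

# Constructed segments: an 11-byte stream that crosses 0xFFFFFFFF, out of order,
# plus a stale duplicate from before the expected position.
SEGMENTS = [(0x00000000, b"WORLD"), (0xFFFFFFF0, b"old"), (0xFFFFFFFA, b"HELLO ")]
```

Sorting these segments by raw sequence value would place "WORLD" first; ordering by signed distance from the expected byte restores the stream.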
Connection State Management
The handshake prevents half-open connections where one endpoint believes a connection exists while the other does not. Both sides must complete all three steps before entering the ESTABLISHED state.
Connection state tracking prevents resource exhaustion and ensures consistent behavior across network interruptions or system restarts.
TCP maintains connection state in memory structures that track sequence numbers, window sizes, and other connection parameters established during the handshake.
Use Cases and Applications
The three-way handshake occurs in every TCP-based application, forming the foundation for reliable network communication across numerous protocols and services.
Web Browsing (HTTP/HTTPS)
Every web request begins with a TCP three-way handshake between the browser and web server. HTTPS connections require this handshake before the TLS handshake can begin.
Modern browsers often maintain persistent connections to reduce handshake overhead, but the initial connection establishment always requires the three-way process.
HTTP/2 still runs over TCP connections, while HTTP/3 builds on similar connection establishment concepts through QUIC.
File Transfer Protocols
FTP, SFTP, and SCP all establish TCP connections using the three-way handshake. These protocols often require multiple connections—one for control commands and additional connections for data transfer.
Each data connection requires its own handshake, which can impact performance when transferring many small files.
Remote Access
SSH connections begin with a TCP three-way handshake before the SSH protocol negotiation starts. This establishes the reliable transport layer that SSH encryption and authentication depend upon.
Remote desktop protocols like RDP also use TCP connections with the standard handshake process.
Load Balancers and Firewalls
Network infrastructure devices must understand the three-way handshake to make forwarding and filtering decisions. Load balancers track connection state to ensure request and response packets follow the same path.
Stateful firewalls monitor handshake completion to distinguish legitimate connections from potential attacks. They often drop packets that don’t follow proper handshake sequences.
Some load balancers terminate TCP connections and establish separate connections to backend servers, requiring handshake processing for each connection segment.
Advantages and Trade-offs
The three-way handshake provides essential reliability guarantees but introduces latency overhead that affects application performance.
Reliability Benefits
Connection establishment ensures both endpoints are ready to communicate before data transfer begins. This prevents data loss that could occur if one endpoint is not prepared to receive information.
Sequence number synchronization enables proper packet ordering and duplicate detection throughout the connection lifetime. Without this initial coordination, TCP’s reliability mechanisms would fail.
The handshake establishes flow control parameters that prevent sender applications from overwhelming receiver buffers. This coordination is essential for stable data transfer across networks with varying capacity.
Performance Trade-offs
The handshake adds one round-trip time (RTT) before application data transfer can begin. In high-latency networks, this delay significantly affects user experience.
Each connection requires server resources during the handshake process. SYN flood attacks exploit this by initiating many handshakes without completing them, exhausting server connection tables.
Connection establishment overhead becomes more significant for short-lived connections that transfer small amounts of data. The handshake cost may exceed the data transfer time.
Security Considerations
Random sequence number generation prevents connection hijacking but requires proper implementation to be effective. Weak random number generators create security vulnerabilities.
The handshake process itself can be exploited through SYN flood attacks, where attackers send numerous SYN packets without completing the connection establishment.
Troubleshooting and Considerations
Network administrators must understand common handshake failure scenarios and the tools available for diagnosing connection establishment problems.
Common Failure Points
Firewalls blocking SYN packets prevent connection establishment and typically result in connection timeout errors. This is one of the most frequent causes of handshake failure.
Network congestion can cause handshake packets to be lost or delayed beyond timeout thresholds. The client may retransmit SYN packets several times before giving up.
Server resource exhaustion during high load can prevent proper SYN-ACK responses. The server may drop incoming SYN packets when connection tables are full.
Asymmetric routing issues can cause handshake packets to take different paths, potentially causing timing problems or packet loss.
Diagnostic Tools
Wireshark captures and analyzes TCP packets to show handshake progression. Network administrators can identify which step fails and determine the root cause.
The netstat command displays connection states on local systems. Connections stuck in SYN-SENT or SYN-RECEIVED states indicate handshake problems.
tcpdump provides command-line packet capture capabilities for systems without graphical interfaces. It can filter TCP packets to focus on connection establishment traffic.
Network monitoring tools can track handshake success rates and identify performance trends over time.
Security Attack Considerations
SYN flooding attacks exploit the handshake process by sending numerous SYN packets without sending the final ACK. This exhausts server connection resources and prevents legitimate connections.
SYN cookies provide protection against SYN floods by encoding connection information in the sequence number, eliminating the need to maintain state during handshake.
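How a SYN cookie can carry the connection information, as an added example (not from the original article and not any operating system's implementation): the server ISN packs a 5-bit time slot, a 3-bit MSS index and a 24-bit keyed hash, following the commonly described SYN cookie layout. HMAC-SHA256, the MSS table and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

MOD = 1 << 32
MSS_TABLE = [536, 1220, 1440, 1460]  # illustrative values; the 3-bit index is stored

def _mac24(secret, flow, client_isn, t):
    """24-bit keyed hash over the connection 4-tuple, client ISN and time slot."""
    msg = repr((flow, client_isn, t)).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]

def make_cookie(secret, flow, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK; nothing is stored per connection."""
    t = int(now) // 64                       # 64-second time slot
    fits = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    idx = fits[-1] if fits else 0            # largest entry the client can accept
    mac = int.from_bytes(_mac24(secret, flow, client_isn, t), "big")
    return ((t % 32) << 27) | (idx << 24) | mac

def check_cookie(secret, flow, seq, ack, now, max_age=2):
    """Validate the final ACK; return the encoded MSS, or None to reject.

    seq and ack come from the client's ACK: client ISN + 1 and cookie + 1.
    """
    cookie, client_isn = (ack - 1) % MOD, (seq - 1) % MOD
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):           # accept only recent time slots
        t = int(now) // 64 - age
        if t % 32 != cookie >> 27:
            continue
        got = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if hmac.compare_digest(got, _mac24(secret, flow, client_isn, t)):
            return MSS_TABLE[idx]
    return None
```

The server allocates connection state only after `check_cookie` accepts the final ACK, so unanswered SYN-ACKs cost it no memory.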
Rate limiting can protect against handshake-based attacks by restricting the number of new connections from individual source addresses.
Properly configured firewalls and intrusion detection systems can identify and block abnormal handshake patterns that indicate potential attacks.
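One way to spot the abnormal handshake pattern described above, as an added example (not from the original article): parse tcpdump-style text output and count, per client address, the handshakes that never reached the final ACK. The capture lines are constructed and simplified, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Matches the address/port pairs and the flag field of tcpdump's text output.
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed capture (documentation address ranges): one full handshake, four bare SYNs.
SAMPLE = [
    "12:00:00.000100 IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [S], seq 100, length 0",
    "12:00:00.000200 IP 192.0.2.10.443 > 198.51.100.7.51000: Flags [S.], seq 900, ack 101, length 0",
    "12:00:00.000300 IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [.], ack 901, length 0",
] + [
    f"12:00:01.000000 IP 203.0.113.5.{port} > 192.0.2.10.443: Flags [S], seq {port}, length 0"
    for port in range(40000, 40004)
]

def incomplete_handshakes(lines):
    """Return {client_ip: handshakes that never reached the final ACK}."""
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> last step seen
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        flags = m["flags"]
        if flags == "S":                                   # step 1
            pending[fwd] = "SYN"
        elif flags == "S." and pending.get(rev) == "SYN":  # step 2
            pending[rev] = "SYN-ACK"
        elif flags in (".", "P.") and pending.get(fwd) == "SYN-ACK":
            del pending[fwd]                               # step 3: complete
        elif "R" in flags:                                 # reset ends the attempt
            pending.pop(fwd, None)
            pending.pop(rev, None)
    return dict(Counter(flow[0] for flow in pending))

def suspicious_sources(lines, threshold=3):
    """Client IPs with at least `threshold` unfinished handshakes."""
    counts = incomplete_handshakes(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Per-source counts miss floods whose source addresses vary, so the total number of unfinished handshakes is worth tracking as well.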
Key Terms Appendix
- TCP (Transmission Control Protocol): A core protocol providing reliable, ordered, and error-checked delivery of data streams between applications.
- SYN (Synchronize): A flag in the TCP header used to initiate connection establishment and synchronize sequence numbers.
- ACK (Acknowledge): A flag used to acknowledge successful receipt of TCP packets or segments.
- Sequence Number: A 32-bit field in the TCP header used to ensure packets are reassembled in correct order and to detect duplicates.
- SYN Flooding: A denial-of-service attack where an attacker sends numerous SYN packets without completing the handshake, exhausting server resources.
- Initial Sequence Number (ISN): The randomly generated starting sequence number chosen by each endpoint during connection establishment.
- Half-Open Connection: A connection state where one endpoint believes a connection exists while the other endpoint does not, typically prevented by proper handshake completion.
- Round-Trip Time (RTT): The time required for a packet to travel from sender to receiver and back, which directly affects handshake completion time.