Three-Way Handshake

The three-way handshake is the three-step process TCP uses to establish a connection, in which one host sends a SYN, the other replies with a SYN-ACK, and the first confirms with an ACK, synchronizing both sides before data transfer begins.

In plain terms

The three-way handshake is how two computers agree to talk over TCP before sending real data. One says “let’s connect,” the other says “okay, let’s connect,” and the first replies “confirmed.” Three short messages, and the connection is open. It also happens to be where some classic attacks begin.

The three-way handshake is the procedure TCP uses to establish a reliable connection between two hosts before any application data is exchanged. It consists of three steps, which is where the name comes from, and its purpose is to synchronize both ends so that each knows the other is ready and agrees on the starting parameters of the conversation. Because TCP guarantees ordered, reliable delivery, both sides need a shared starting point, and the handshake provides it. Almost every TCP connection, including every web page loaded over HTTP or HTTPS, begins with this exchange.

The three steps revolve around two control flags, SYN and ACK, and a sequence number. In the first step, the client that wants to connect sends a segment with the SYN flag set, along with an initial sequence number that it chooses. In the second step, the server responds with a segment that has both SYN and ACK set: the ACK acknowledges the client’s sequence number, and the SYN carries the server’s own initial sequence number. In the third step, the client sends an ACK acknowledging the server’s sequence number. After these three messages, both sides have exchanged and acknowledged initial sequence numbers, the connection is considered established, and data transfer can begin.

The sequence numbers exchanged during the handshake are important beyond mere formality. They let TCP track every byte sent in each direction, reorder packets that arrive out of sequence, detect loss, and discard duplicates. By agreeing on starting values up front and acknowledging them, both endpoints establish the numbering scheme that underpins TCP’s reliability for the rest of the connection. The handshake may also negotiate options such as maximum segment size and window scaling, tuning the connection before data flows.

The handshake’s design is also the root of one of the most enduring denial-of-service attacks: the SYN flood. An attacker sends a large number of SYN segments, often with spoofed source addresses, but never completes the third step. For each incoming SYN, the server allocates resources and holds a half-open connection while waiting for an ACK that never comes. If enough half-open connections accumulate, the server’s connection table fills, and it can no longer accept legitimate connections. Defenses such as SYN cookies allow a server to avoid storing state for half-open connections by encoding the necessary information in the sequence number it returns, validating the connection only when a genuine ACK arrives.
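The SYN-cookie idea described above, as an added example that is not part of the original page: a simplified sketch, not the layout any particular operating system uses. The bit layout, `SECRET`, `MSS_TABLE`, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # assumption: a random per-server secret in practice
MSS_TABLE = [536, 1300, 1440, 1460]   # assumption: MSS values a 2-bit index can recall

def _mac(src, sport, dst, dport, client_isn, t):
    """24-bit keyed hash binding the cookie to one connection and time slot."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIB", sport, dport, client_isn, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 6-bit time slot | 2-bit MSS index | 24-bit MAC.
    Nothing is stored, so a half-open connection costs the server no memory."""
    t = counter & 0x3F
    idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 26) | (idx << 24) | _mac(src, sport, dst, dport, client_isn, t)

def check_ack(src, sport, dst, dport, seq, ack, counter):
    """Validate the third-step ACK; return the recovered MSS or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF       # the ACK acknowledges server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF   # the client's SYN consumed one sequence number
    t, idx, mac = cookie >> 26, (cookie >> 24) & 3, cookie & 0xFFFFFF
    if (counter - t) & 0x3F > 1:          # accept only the current or previous slot
        return None
    expected = _mac(src, sport, dst, dport, client_isn, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]

def demo():
    """Constructed exchange: one genuine ACK, one guessed ACK, one stale ACK."""
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)
    client_isn = 0x1000
    isn = make_cookie(*conn, client_isn, mss=1460, counter=100)
    genuine = check_ack(*conn, client_isn + 1, (isn + 1) & 0xFFFFFFFF, counter=100)
    guessed = check_ack(*conn, client_isn + 1, (isn + 2) & 0xFFFFFFFF, counter=100)
    stale = check_ack(*conn, client_isn + 1, (isn + 1) & 0xFFFFFFFF, counter=102)
    return genuine, guessed, stale

if __name__ == "__main__":
    print(demo())
```

Only the genuine ACK recovers the MSS; the guessed and stale ones are dropped without the server ever having held state for them. The trade-off visible in the layout is that only what fits in 32 bits survives, which is why the MSS is reduced to a table index.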

The handshake is equally central to reconnaissance. Port scanning works by manipulating the handshake to learn which services are listening. A scanner may send a SYN and watch the response: a SYN-ACK indicates an open port, a RST indicates a closed one, and no response may indicate filtering by a firewall. Some scanning techniques deliberately leave connections half-open to be stealthier, sending a SYN and then a RST rather than completing the handshake. Because the handshake is so revealing, monitoring for unusual patterns of SYN traffic is a common way to detect scanning and reconnaissance activity.

Understanding the handshake also helps with troubleshooting and analysis. When a connection fails, where it fails in the handshake is diagnostic: a SYN with no SYN-ACK may indicate the service is down or blocked, while a RST in response to a SYN indicates the port is closed or actively refusing. Packet captures of the handshake reveal round-trip times, negotiated options, and whether a firewall is interfering. For defenders analyzing traffic, the handshake is a compact, information-rich moment that reveals a great deal about how two endpoints are or are not communicating.

In practice, the three-way handshake is the small but essential ritual that opens every TCP connection, synchronizing sequence numbers and confirming readiness through its SYN, SYN-ACK, ACK exchange. It makes TCP’s reliability possible, but its need to hold state for half-open connections also makes it a target for SYN flooding, and its predictable responses make it the basis of port scanning. Knowing the handshake is fundamental to understanding how connections start, how they are attacked, and how to recognize trouble at the very beginning of a conversation.
