TCP 3-Way Handshake: what it is, how it works, and which attacks it prevents
When two devices want to communicate over the Internet using the TCP protocol, they don’t just start chatting. First, they perform a digital handshake to establish a reliable connection and to agree on the starting sequence numbers each side will use.
This process is called the 3-Way Handshake. In this post, we’ll explain it in a simple, practical way—with examples and a touch of cybersecurity.
🧠 What is TCP?
Transmission Control Protocol (TCP) is a communication protocol that ensures reliable data transfer between devices. It makes sure data arrives without errors, in the correct order, and without duplication.
🤝 The three steps of the 3-Way Handshake
1. SYN – The initial hello
The client sends a SYN packet to begin communication. It carries the client’s initial sequence number (ISN), a random 32-bit value from which the client will number the bytes it sends.
“Hey, are you there? I’d like to talk!”
2. SYN-ACK – The server responds
The server replies with a SYN-ACK packet: its own ISN plus an acknowledgement number equal to the client’s ISN + 1.
“Yes, I’m here! I’d like to talk too. Are you still there?”
3. ACK – The client confirms
The client replies with an ACK packet whose acknowledgement number is the server’s ISN + 1. That is the only value the server accepts, and the client can only know it if it actually received the SYN-ACK.
“Got it! Let’s begin!”
✅ Connection established! Now data can flow reliably in both directions. (The handshake gives you ordering and reliability, not confidentiality or authentication; for those you need something like TLS on top.)
🍕 Practical example: ordering pizza
- You: “Are you hungry?” → SYN
- Friend: “Yes! Are you?” → SYN-ACK
- You: “Me too! Let’s order.” → ACK
🎉 TCP connection established = pizza time!
👻 What if something goes wrong?
If the client sends a SYN but gets no response? It retransmits the SYN, waiting longer each time, and eventually gives up.
If the server sends a SYN-ACK but receives no ACK? It keeps the half-open connection in its SYN backlog, retransmits the SYN-ACK a few times, then drops it (to avoid being stuck like a WhatsApp message with only one grey tick).
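The three steps above and both failure cases, as an added example (not code from the original post): a toy model of both sides of the handshake with real 32-bit sequence numbers, a SYN backlog on the server, and expiry of half-open entries. Segment, Client, Server, handshake and the SYN_TIMEOUT value are this example's own names and assumptions; no sockets are involved.

```python
"""Toy model of the TCP 3-way handshake with sequence numbers and a SYN backlog.

Added example, not code from the original post. It models only the control
flags, sequence/acknowledgement numbers and connection states; no sockets.
State names follow the TCP state machine (CLOSED, SYN_SENT, LISTEN,
SYN_RECEIVED, ESTABLISHED). SYN_TIMEOUT is an assumed value; real stacks
retransmit the SYN-ACK several times before giving up.
"""
import random
from dataclasses import dataclass

SYN_TIMEOUT = 60.0   # assumed: seconds a half-open entry stays in the backlog


def nxt(n: int) -> int:
    """Next 32-bit sequence number (wraps around)."""
    return (n + 1) & 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack_num: int = 0
    syn: bool = False
    ack: bool = False

    def flags(self) -> str:
        return {(True, False): "SYN", (True, True): "SYN-ACK", (False, True): "ACK"}[(self.syn, self.ack)]


class Client:
    def __init__(self, addr: str, seed: int):
        self.addr, self.state = addr, "CLOSED"
        # A real stack derives the ISN from a keyed hash (RFC 6528); a seeded PRNG is
        # used here only so the example is deterministic.
        self.isn = random.Random(seed).randrange(2**32)
        self.peer_isn = None

    def open(self, server: str) -> Segment:
        self.state = "SYN_SENT"                                   # step 1: SYN with our ISN
        return Segment(self.addr, server, seq=self.isn, syn=True)

    def receive(self, seg: Segment):
        # step 3: accept only a SYN-ACK that acknowledges exactly our ISN + 1
        if self.state == "SYN_SENT" and seg.syn and seg.ack and seg.ack_num == nxt(self.isn):
            self.peer_isn, self.state = seg.seq, "ESTABLISHED"
            return Segment(self.addr, seg.src, seq=nxt(self.isn), ack_num=nxt(seg.seq), ack=True)
        return None  # anything else is ignored (a real stack may answer with RST)


class Server:
    def __init__(self, addr: str, seed: int):
        self.addr, self.rng = addr, random.Random(seed)
        self.half_open = {}          # SYN backlog: client addr -> (server ISN, client ISN, deadline)
        self.established = set()

    def state_of(self, client: str) -> str:
        if client in self.established:
            return "ESTABLISHED"
        return "SYN_RECEIVED" if client in self.half_open else "LISTEN"

    def receive(self, seg: Segment, now: float):
        if seg.syn and not seg.ack and seg.src not in self.half_open:
            isn = self.rng.randrange(2**32)                      # step 2: state is allocated here
            self.half_open[seg.src] = (isn, seg.seq, now + SYN_TIMEOUT)
            return Segment(self.addr, seg.src, seq=isn, ack_num=nxt(seg.seq), syn=True, ack=True)
        if seg.ack and not seg.syn and seg.src in self.half_open:
            isn, client_isn, _ = self.half_open[seg.src]
            if seg.ack_num == nxt(isn) and seg.seq == nxt(client_isn):
                del self.half_open[seg.src]                       # handshake complete
                self.established.add(seg.src)
        return None

    def expire(self, now: float) -> int:
        """Drop half-open entries whose final ACK never arrived; return how many were dropped."""
        stale = [a for a, (_, _, deadline) in self.half_open.items() if now >= deadline]
        for a in stale:
            del self.half_open[a]
        return len(stale)


def handshake(client: Client, server: Server, deliver_final_ack: bool = True, now: float = 0.0):
    """Run the three steps and return the flag names seen on the wire, in order."""
    syn = client.open(server.addr)
    synack = server.receive(syn, now)
    ack = client.receive(synack)
    if deliver_final_ack:
        server.receive(ack, now)          # lost ACK: the server is left with a half-open entry
    return [syn.flags(), synack.flags(), ack.flags()]


if __name__ == "__main__":
    c, s = Client("10.0.0.2", seed=1), Server("10.0.0.1", seed=2)
    print(handshake(c, s), c.state, s.state_of(c.addr))
```

Run `handshake(c, s, deliver_final_ack=False)` to see the asymmetry the post describes: the client considers itself ESTABLISHED as soon as the SYN-ACK arrives, while the server sits in SYN_RECEIVED holding a backlog entry until `expire()` throws it away. A SYN-ACK with a wrong acknowledgement number is simply ignored by the client, which is what the sequence-number check buys you.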
🔐 Why is the 3-Way Handshake important?
- It ensures both sides are ready to communicate and know each other’s starting sequence number.
- It prevents incomplete or fake connections: data is only accepted on a connection whose handshake completed with the right numbers.
- It serves as the foundation for TCP’s reliability, and, as long as ISNs are unpredictable, it makes blind spoofed connections hard.
💣 Attacks the 3-Way Handshake defends against (and one that targets it)
🔹 1. IP Spoofing (with SYN Spoofing)
An attacker forges the source IP and sends SYN packets.
- The server replies with SYN-ACK to the forged IP, not to the attacker, so the attacker never learns the server’s ISN.
- Without the correct ACK number (server ISN + 1) the handshake is never completed, and the server will not accept data for that connection.
➡️ This protection only holds while the ISN is unpredictable. With guessable ISNs an attacker can fabricate the ACK for a SYN-ACK they never saw and inject data into a spoofed session, which is why RFC 6528 specifies generating ISNs from a keyed hash of the connection 4-tuple.
🔹 2. SYN Flood Attack (DoS)
The attacker sends thousands of SYNs (usually from spoofed source addresses) and never completes the handshake.
- The server allocates a half-open entry in its SYN backlog for each SYN and holds it until the SYN-ACK retransmissions time out.
- The backlog fills up, and SYNs from legitimate clients are dropped.
➡️ The handshake does not prevent this attack; it is the attack’s target. SYN cookies mitigate it: the server encodes the connection details in its ISN as a keyed hash and stores nothing until a valid ACK comes back.
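A stateless listener that uses SYN cookies, as an added example covering both attacks above (it is not the post’s code and not any real stack’s implementation). The server’s ISN is an 8-bit time slot followed by a 24-bit HMAC over the 4-tuple, the client’s ISN and the slot; a flood of spoofed SYNs therefore costs no memory, and a spoofer who never saw the SYN-ACK cannot produce a valid ACK. The cookie layout, slot width, lifetime, secret key and the addresses used are assumptions of this example; Linux additionally encodes the client’s MSS in the cookie and rotates the key.

```python
"""SYN-cookie style stateless handshake (added example, not from the post).

Instead of a backlog entry, the server derives its ISN from a keyed hash of
the connection 4-tuple, the client's ISN and a coarse time slot. When the
final ACK arrives it recomputes the hash and compares it with ack_num - 1.
The packing (8-bit slot || 24-bit MAC), the slot width, the lifetime and the
key are assumptions of this example.
"""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
SLOT_SECONDS = 64      # assumed: width of one cookie time slot
MAX_SLOT_AGE = 2       # assumed: cookies older than this many slots are rejected


def _slot(now: float) -> int:
    return int(now // SLOT_SECONDS) & 0xFF


def _mac24(key: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
           client_isn: int, slot: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, the client ISN and the slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key, src_ip, src_port, dst_ip, dst_port, client_isn, now) -> int:
    """Server ISN = 8-bit time slot || 24-bit MAC. Nothing is stored on the server."""
    slot = _slot(now)
    return (slot << 24) | _mac24(key, src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def check_cookie(key, src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, now) -> bool:
    """Validate the final ACK: ack_num - 1 must be a cookie we could have issued recently."""
    cookie = (ack_num - 1) & MASK32
    slot = cookie >> 24
    if (_slot(now) - slot) & 0xFF > MAX_SLOT_AGE:
        return False                                   # stale cookie (or wrapped-around slot)
    client_isn = (ack_seq - 1) & MASK32                # the ACK's seq number is client ISN + 1
    expected = _mac24(key, src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big"))


class StatelessListener:
    """Answers every SYN with a cookie instead of allocating a backlog entry."""

    def __init__(self, key: bytes, ip: str, port: int):
        self.key, self.ip, self.port = key, ip, port
        self.established = []
        self.half_open_entries = 0      # stays 0 no matter how many SYNs arrive

    def on_syn(self, src_ip, src_port, client_isn, now) -> dict:
        isn = make_cookie(self.key, src_ip, src_port, self.ip, self.port, client_isn, now)
        return {"flags": "SYN-ACK", "seq": isn, "ack_num": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, seq, ack_num, now) -> bool:
        ok = check_cookie(self.key, src_ip, src_port, self.ip, self.port, seq, ack_num, now)
        if ok:
            self.established.append((src_ip, src_port))
        return ok


def demo() -> dict:
    """Constructed scenario: one honest client, a spoofed SYN flood, a blind ACK, a replay."""
    key = b"rotate-me-periodically"          # assumed secret; real stacks rotate it
    srv = StatelessListener(key, "192.0.2.10", 443)

    # 1. honest client: it saw the SYN-ACK, so it can echo the cookie + 1
    synack = srv.on_syn("198.51.100.7", 40001, client_isn=1000, now=100.0)
    honest = srv.on_ack("198.51.100.7", 40001, seq=1001,
                        ack_num=(synack["seq"] + 1) & MASK32, now=101.0)

    # 2. SYN flood from 50000 spoofed sources: every SYN is answered, none costs memory
    for i in range(50_000):
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, client_isn=i, now=100.0)

    # 3. the spoofer never received a SYN-ACK and has to guess the cookie (plausible slot, random MAC)
    guess = (_slot(100.0) << 24) | 0x123456
    spoofed = srv.on_ack("203.0.113.9", 5555, seq=43, ack_num=(guess + 1) & MASK32, now=100.0)

    # 4. a genuine cookie replayed much later is rejected
    stale = srv.on_ack("198.51.100.7", 40001, seq=1001,
                       ack_num=(synack["seq"] + 1) & MASK32, now=100.0 + 10 * SLOT_SECONDS)

    return {"honest": honest, "spoofed": spoofed, "stale": stale,
            "half_open": srv.half_open_entries, "established": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The trade-off to keep in mind: with no stored state the server also forgets any TCP options from the SYN (window scaling, SACK) unless it squeezes them into the cookie as well, which is why Linux only switches to cookies once the real backlog is full.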
🧪 Test your knowledge (interactive)
1. What is the main purpose of the 3-Way Handshake?
2. What does the client send first?
3. What happens if the server doesn’t receive the final ACK?
4. What does the SYN-ACK packet represent?
5. Which protocol uses the 3-Way Handshake?