TCP Handshake: How Connections Start (And Why They Fail)

Before TCP sends any data, it establishes a connection using a three-way handshake. Takes milliseconds, happens automatically with every website you visit.

The Three Steps

Step 1 - SYN (Synchronize)

Your device sends a SYN packet to the server: "I want to connect."

Step 2 - SYN-ACK (Synchronize-Acknowledge)

Server responds with SYN-ACK: "OK, I'm ready. Are you?"

Step 3 - ACK (Acknowledge)

Your device confirms with ACK: "Yes, let's start."

Connection established. Data transfer begins.

Why TCP Needs This

The handshake:

• Confirms both sides are ready
• Agrees on sequence numbers (tracks packet order)
• Establishes connection parameters
• Prevents old duplicate connections from interfering

Without it, packets could arrive out of order or from stale connections.

When Handshakes Fail

SYN sent, no response:

• Server is down
• Firewall blocking connection
• Wrong IP or port
• Network routing issue

You see: "Connection timeout" or "No route to host"

SYN-ACK received, but connection drops:

• Firewall allows initial packet but blocks the rest
• NAT or load balancer misconfiguration
• Server rejecting connection after initial response

RST (Reset) received instead of SYN-ACK:

• Port is closed
• Service not running
• Firewall explicitly rejecting

You see: "Connection refused"

SYN Flood Attacks

Attackers send thousands of SYN packets without completing handshakes. Server waits for ACK that never comes, exhausting connection resources.

Protection: SYN cookies, rate limiting, firewall rules.

Practical Implications

High latency? Each handshake adds round-trip time. On 100ms connection, just establishing takes 300ms before any data moves.

TLS/SSL connections? Require TCP handshake PLUS TLS handshake. Even slower initial connection.

Port scanning? Tools send SYN packets to test if ports are open. SYN-ACK = open, RST = closed, no response = filtered.

Troubleshooting? Use Wireshark to capture handshake. See exactly where it fails (SYN sent but no SYN-ACK? Server/firewall issue).

Four-Way Termination

Closing connections uses four steps:

1. FIN from client
2. ACK from server
3. FIN from server
4. ACK from client

Less important to understand unless debugging connection cleanup issues.

Bottom Line

TCP handshake is the three-step process (SYN, SYN-ACK, ACK) that starts every connection.

Happens automatically. Only matters when troubleshooting connection failures, analyzing network performance, or dealing with attacks.

If connections timeout, handshake is failing at some step. Check firewalls, verify server is running, confirm correct IP/port.