Explain the TCP 3-way handshake.
The TCP three-way handshake establishes a reliable, ordered connection between a client and server before any application data is exchanged. It serves two purposes: confirming bidirectional connectivity and synchronizing the initial sequence numbers (ISNs) that TCP uses to order and acknowledge segments.
The three steps are: First, the client sends a SYN (synchronize) segment to the server with a randomly chosen initial sequence number — call it x. This signals the client's intent to open a connection and establishes the client's starting sequence number. Second, the server responds with a SYN-ACK segment: it acknowledges the client's SYN by sending ACK number x+1 (confirming it received x and expects x+1 next), and simultaneously sends its own SYN with its own randomly chosen sequence number y. Third, the client sends an ACK to the server with acknowledgment number y+1, confirming receipt of the server's SYN. After this, both sides have agreed on sequence numbers and the connection is established.
Why random initial sequence numbers? If ISNs were predictable or always started at 0, an attacker could forge packets in an existing connection by guessing the sequence number — a TCP sequence prediction attack. Randomization prevents this.
After the handshake, both sides maintain state: the client moves from SYN_SENT to ESTABLISHED, the server moves from SYN_RECEIVED to ESTABLISHED. Connection teardown is a separate four-way process using FIN and ACK segments, because each direction of the connection closes independently.
Performance implications: the handshake requires 1.5 round trips before any application data can be sent, adding latency. This is why HTTP/2 multiplexes streams over one TCP connection (avoiding repeated handshakes), and QUIC (used by HTTP/3) integrates the transport and cryptographic handshakes to achieve 0-RTT connection resumption for known servers.
SYN flood attacks exploit the handshake: an attacker sends many SYN segments without completing the handshake, exhausting the server's half-open connection table. SYN cookies are the primary mitigation — the server encodes connection state into the ISN rather than storing it, deferring allocation until the ACK arrives.
Correctly describes all three steps with sequence numbers, explains the purpose (bidirectional connectivity + ISN synchronization), and mentions the state transitions.
All of the above plus: explains why ISNs are random (security), discusses latency implications and how modern protocols address them, and mentions SYN flood + SYN cookies.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment