The TCP three-way handshake is one of the most important sequences in network communication. During this brief but critical exchange, two endpoints negotiate parameters, synchronize sequence numbers, and establish the shared state necessary for reliable data transfer. The SYN_SENT and SYN_RECEIVED states represent the intermediate phases of this handshake—moments where the connection exists in a partially-formed, vulnerable state.

These transitional states are where connections are most susceptible to failures, timeouts, and attacks. A packet lost here means connection failure. A malicious actor flooding SYN packets exploits these states. Network latency during this phase directly impacts perceived application responsiveness. Understanding SYN_SENT and SYN_RECEIVED deeply means understanding not just the protocol mechanics, but the performance characteristics, failure modes, and security implications that arise during connection establishment.

This page explores both states comprehensively—examining the client's perspective (SYN_SENT), the server's perspective (SYN_RECEIVED), the unusual simultaneous open case, and the practical implications for real-world systems.

When a client application calls connect() on a TCP socket, it initiates an active open—actively reaching out to establish a connection with a remote server. The socket immediately transitions from CLOSED to SYN_SENT, and the kernel transmits a SYN segment to the target address.

The SYN_SENT State Mechanics

Entry Condition:

• Application calls connect()
• Kernel generates and sends SYN segment
• Socket transitions: CLOSED → SYN_SENT

What the SYN Contains:

The initial SYN segment carries crucial information for connection establishment:

The ISN Generation Problem

The Initial Sequence Number (ISN) selection is security-critical. Early TCP implementations used predictable ISNs (incrementing clocks), enabling devastating attacks:

The ISN Prediction Attack (Historical):

1. Attacker observes ISN patterns from legitimate connections
2. Attacker predicts the server's ISN for a spoofed connection
3. Attacker sends spoofed SYN with fake source IP
4. Attacker predicts and sends correct ACK (acknowledging predicted ISN+1)
5. Connection established with attacker impersonating trusted source

Modern systems use cryptographically random ISNs:

ISN = hash(source_ip, source_port, dest_ip, dest_port, secret_key, timestamp)

This makes prediction virtually impossible while still ensuring ISNs don't repeat during the Maximum Segment Lifetime (MSL).

Exit Conditions from SYN_SENT

Normal Success Path:

1. Receive SYN+ACK from server
2. Validate that ACK acknowledges our SYN (ack = our_ISN + 1)
3. Send ACK for server's SYN (our ack = server_ISN + 1)
4. Transition to ESTABLISHED state
5. Unblock the connect() call (return success to application)

Timeout Path:

1. No SYN+ACK received within timeout period
2. Retransmit SYN (exponential backoff: 1s, 2s, 4s, 8s, ...)
3. After tcp_syn_retries attempts (default: 6), give up
4. Transition to CLOSED
5. Return error to application (ETIMEDOUT)

Reset Path:

1. Receive RST from server (port not listening, connection refused)
2. Immediately transition to CLOSED
3. Return error to application (ECONNREFUSED)

Simultaneous Open Path (Rare):

1. Receive SYN (without ACK) from the peer
2. Both sides sent SYN at approximately the same time
3. Transition to SYN_RECEIVED (will discuss later)

When a server in LISTEN state receives a valid SYN packet, it creates a new connection record (or request socket) and transitions that connection into the SYN_RECEIVED state. Note carefully: the listening socket itself stays in LISTEN—SYN_RECEIVED applies to the embryonic connection being established.

The SYN_RECEIVED State Mechanics

Entry Conditions:

What the SYN+ACK Contains:

The server's response acknowledges the client's SYN and sends its own:

The Request Socket (Mini-Socket)

In modern implementations (Linux, Windows), the server doesn't create a full socket for each SYN. Instead, it creates a lightweight request socket (or connection request block):

// Simplified Linux request_sock structure
struct request_sock {
    struct sock_common          __req_common;
    struct request_sock         *dl_next;      // Queue linkage
    
    u32                         rcv_isn;       // Client's ISN
    u32                         snt_isn;       // Our ISN
    u16                         mss;           // Negotiated MSS
    u8                          num_retrans;   // SYN+ACK retries
    u8                          syncookie:1;   // Created via SYN cookie?
    
    struct timer_list           rsk_timer;     // Retransmission timer
};

This design minimizes memory consumption for half-open connections, which is crucial during SYN floods. A full socket (struct sock_common, struct inet_sock, etc.) may consume 1-2 KB, while a request socket uses only ~100-200 bytes.

The SYN_RECEIVED State Timeline

                     Time
                       │
    Server receives    │
    SYN from client    ▼
    ─────────────────────
                       │
    Create request_sock│
    Send SYN+ACK       │
    Start timer        │────────────────────────┐
    (Enter SYN_RCVD)   │                        │
                       │                        │
                       │  Timer expires?        │ Waiting for
                       │  Resend SYN+ACK        │ client's ACK
                       ├────────────────────────┤
                       │  Timer expires again?  │
                       │  Resend SYN+ACK        │
                       ├────────────────────────┤
                       │                        │
    Receive ACK ─────▶ │  Validate ACK          │
                       │  Create full socket    │
                       │  Move to accept queue  │
                       │  (Enter ESTABLISHED)   │
    ─────────────────────
                       │
    App calls accept() │
    Returns new fd     ▼

Exit Conditions from SYN_RECEIVED

Normal Success Path:

1. Receive valid ACK from client (ack = our_ISN + 1)
2. Promote request_sock to full socket
3. Move to accept queue
4. Transition to ESTABLISHED

Timeout Path:

1. No ACK received within timeout
2. Retransmit SYN+ACK (up to tcp_synack_retries times)
3. After exhausting retries, destroy request_sock
4. Connection attempt silently dropped

Reset Path:

1. Receive RST from client
2. Destroy request_sock immediately
3. Log event (depending on configuration)

The three-way handshake operates over an unreliable network layer—packets can be lost, delayed, or corrupted. TCP handles this through retransmission with exponential backoff, but the behavior during handshake differs from established connection retransmission.

SYN Retransmission (Client Side)

When a client sends a SYN and receives no SYN+ACK:

Attempt  │  Delay    │  Cumulative
─────────┼───────────┼─────────────
   1     │   0s      │    0s        (initial SYN)
   2     │   1s      │    1s        (1st retry)
   3     │   2s      │    3s        (2nd retry)
   4     │   4s      │    7s        (3rd retry)
   5     │   8s      │   15s        (4th retry)
   6     │  16s      │   31s        (5th retry)
   7     │  32s      │   63s        (6th retry)
  Fail   │  64s      │  127s        (give up)

Controlled by: net.ipv4.tcp_syn_retries (default: 6)

Total timeout ≈ 127 seconds before the connect() call returns ETIMEDOUT.

SYN+ACK Retransmission (Server Side)

When a server sends SYN+ACK and receives no ACK:

Attempt  │  Delay    │  Cumulative
─────────┼───────────┼─────────────
   1     │   0s      │    0s        (initial SYN+ACK)
   2     │   1s      │    1s        (1st retry)
   3     │   2s      │    3s        (2nd retry)
   4     │   4s      │    7s        (3rd retry)
   5     │   8s      │   15s        (4th retry)
   6     │  16s      │   31s        (5th retry)
  Drop   │           │   ~63s       (destroy request_sock)

Controlled by: net.ipv4.tcp_synack_retries (default: 5)

The request_sock is destroyed after approximately 63 seconds of no response.

Why Exponential Backoff?

The exponential backoff pattern (1s, 2s, 4s, 8s, ...) serves multiple purposes:

1. Congestion Control: If packets are being lost due to network congestion, aggressive retransmission would worsen the congestion. Backing off gives the network time to recover.

2. Resource Conservation: Constant retransmission wastes CPU and bandwidth on both endpoints.

3. Diverse Network Conditions: The increasing delays accommodate networks with vastly different characteristics—from local networks (ms latency) to satellite links (600ms+ RTT).

4. Attack Mitigation: Rapid retransmission would amplify DDoS attack traffic.

Packet Loss Scenarios

The "Connection Timeout" Hierarchy

Applications may implement multiple timeout layers:

Layer           │ Typical Value    │ Control
────────────────┼──────────────────┼─────────────────────
Kernel SYN      │ 127 seconds      │ tcp_syn_retries
Socket timeout  │ 30 seconds       │ SO_SNDTIMEO / alarm()
Application     │ 5-10 seconds     │ Application logic
User interface  │ 3-5 seconds      │ UX design

Best practice: Set application-level timeouts shorter than kernel timeouts to maintain responsiveness.

TCP's state machine includes a rarely-encountered but fascinating scenario: simultaneous open, where both endpoints initiate connection at approximately the same time. Neither endpoint is purely a client or server—both perform active opens.

How Simultaneous Open Occurs

For simultaneous open to occur, the following must happen:

1. Both endpoints have sockets bound to known ports
2. Both endpoints call connect() at approximately the same time
3. Each endpoint's SYN reaches the other before its own SYN+ACK is sent

    Host A                           Host B
      │                                │
      │  connect() called              │  connect() called
      │  Send SYN (seq=100)            │  Send SYN (seq=300)
      │═════════════════════════════▶  │
      │  ◀═════════════════════════════│
      │                                │
  SYN crosses SYN in transit           │
      │                                │
  Receive SYN        Receive SYN       │
  (no ACK bit)       (no ACK bit)      │
      │                                │
  Enter SYN_RECEIVED                   │  Enter SYN_RECEIVED
  Send SYN+ACK       Send SYN+ACK      │
      │═════════════════════════════▶  │
      │  ◀═════════════════════════════│
      │                                │
  Receive SYN+ACK    Receive SYN+ACK   │
  Enter ESTABLISHED  Enter ESTABLISHED │

The State Transitions

In simultaneous open, both endpoints follow this path:

CLOSED → SYN_SENT → SYN_RECEIVED → ESTABLISHED

This is unlike normal connection where:

• Client: CLOSED → SYN_SENT → ESTABLISHED
• Server: LISTEN → SYN_RECEIVED → ESTABLISHED

The key insight: when a socket in SYN_SENT receives a SYN (without ACK), it knows a simultaneous open is occurring and transitions to SYN_RECEIVED rather than ESTABLISHED.

Practical Occurrence

Simultaneous open is rare in practice because:

1. Asymmetric design: Most applications use client-server model where one side listens and one connects.

2. Timing requirements: Both SYNs must be in flight simultaneously, which requires very precise timing or high latency.

3. Known ports: Both sides must know each other's port in advance to connect().

However, simultaneous open can occur in:

• Peer-to-peer applications: Where both peers try to initiate connection
• NAT traversal techniques: UDP hole punching adapted for TCP
• Testing/debugging scenarios: Intentionally triggering the behavior

Why TCP Supports This

TCP was designed to handle any combination of opens and closes. The state machine's completeness ensures that even unusual sequences work correctly. RFC 793 explicitly specifies simultaneous open behavior, and all conforming implementations must support it.

Verification Code

The SYN_SENT and SYN_RECEIVED states represent a window of vulnerability. The connection exists but is not yet validated—creating opportunities for attacks, reconnaissance, and denial of service.

Attack Vectors Targeting Handshake States

1. SYN Flood Attack

Target: SYN_RECEIVED state on servers

• Attacker sends massive volume of SYN packets
• Each SYN creates a request_sock entry
• Spoofed source IPs prevent ACK completion
• Server's SYN queue fills up
• Legitimate connections denied

Mitigations:

• SYN cookies (eliminate state for half-open connections)
• Increase SYN queue size
• Reduce SYN+ACK retries
• Firewall rate limiting
• Cloud DDoS protection

2. ACK Flood Attack

Target: Processing overhead for spurious ACKs

• Attacker sends ACK packets with random sequence numbers
• Server must look up and validate each ACK
• CPU resources consumed even though ACKs are rejected

Mitigations:

• SYN cookies (ACKs only valid if cookie matches)
• Rate limiting ACKs to non-existent connections
• Hardware offload for packet filtering

3. Port Scanning / Reconnaissance

Target: Discovery of listening services

• SYN scan: Send SYN, look for SYN+ACK (open) or RST (closed)
• Half-open scan: Don't complete handshake (harder to log)
• Connect scan: Complete handshake, then close

Mitigations:

• Firewall rules restricting port access
• Connection logging (even half-open)
• Intrusion detection systems (IDS)
• Port knocking

4. RST Injection Attack

Target: Disrupting connections during establishment

• Attacker guesses sequence numbers
• Sends spoofed RST to terminate connections
• Easier during handshake (fewer valid sequence numbers)

Mitigations:

• TCP timestamps (adds entropy to validation)
• Sequence number randomization
• TCP-AO (Authentication Option) for critical connections

Detecting Handshake Anomalies

Monitoring tools can identify attacks and anomalies:

# Check for SYN flood indicators
netstat -s | grep -i syn

# Example output during attack:
#   23451 SYNs to LISTEN sockets dropped
#   18234 times the listen queue of a socket overflowed
#   521432 SYN cookies sent
#   512891 SYN cookies received

# Monitor in real-time
watch -n1 'ss -tn state syn-recv | wc -l'

# Alert if SYN_RECEIVED count exceeds threshold
SYN_RECV_COUNT=$(ss -tn state syn-recv | wc -l)
if [ $SYN_RECV_COUNT -gt 1000 ]; then
    echo "ALERT: High SYN_RECEIVED count ($SYN_RECV_COUNT)"
fi

Firewall Rules for Handshake Protection

# iptables rules for SYN flood protection

# Limit new connections per source IP
iptables -A INPUT -p tcp --syn -m connlimit \
    --connlimit-above 100 --connlimit-mask 32 \
    -j DROP

# Rate limit SYN packets overall
iptables -A INPUT -p tcp --syn -m limit \
    --limit 100/s --limit-burst 200 \
    -j ACCEPT

# Drop invalid packets (bad flags, wrong sequence)
iptables -A INPUT -m state --state INVALID -j DROP

# Log potential scans
iptables -A INPUT -p tcp --syn -m recent --name portscan \
    --update --seconds 60 --hitcount 10 -j LOG \
    --log-prefix "PORT SCAN DETECTED: "

Connection establishment problems manifest in various ways: timeouts, refused connections, slow startups. Understanding the handshake states helps pinpoint the cause.

Diagnostic Approach

Step 1: Identify the Symptom

Step 2: Verify Server is Listening

# On the server
ss -tlnp | grep PORT
lsof -i :PORT

# Expected: LISTEN state socket with correct program

Step 3: Check Network Path

# Can we reach the server?
ping server_ip

# Can we reach the port?
nmap -p PORT server_ip

# Or without nmap:
nc -zv server_ip PORT

Step 4: Capture the Handshake

# Capture TCP handshake packets
tcpdump -i any host server_ip and port PORT -nn

# Expected successful handshake:
# 1. Client → Server: SYN
# 2. Server → Client: SYN+ACK
# 3. Client → Server: ACK

Common Issues and Solutions

Issue: Connection Refused Immediately

connect(): Connection refused (ECONNREFUSED)

• Cause: Server's kernel sent RST because nothing is listening
• Verify: ss -tlnp | grep PORT shows nothing
• Solution: Start the server application

Issue: Connection Timeout (Long Delay)

connect(): Connection timed out (ETIMEDOUT)

• Cause: SYN packets not receiving response
• Possibilities:
  • Firewall dropping SYN packets
  • Wrong IP address
  • Server host down
  • SYN queue full (with SYN cookies disabled)
• Verify: tcpdump shows SYN sent, no SYN+ACK
• Solution: Check firewall rules, verify server state

Issue: Slow Connection (Several Seconds)

• Cause A: Packet loss requiring retransmission

  • Check: tcpdump shows SYN, delay, SYN retransmit
  • Solution: Investigate network path quality

• Cause B: High latency path

  • Check: ping shows high RTT
  • Solution: Normal for distant servers

• Cause C: DNS delay before connect()

  • Check: strace shows slow gethostbyname()
  • Solution: Use IP addresses for testing; fix DNS

Issue: Sporadic Connection Failures

• Cause A: Server queue overloaded

  • Check: Server's netstat -s shows overflow counters increasing
  • Solution: Increase backlog, add SYN cookies, scale server

• Cause B: Intermittent network issues

  • Check: mtr or traceroute shows packet loss at specific hop
  • Solution: Network-level remediation

We've explored the two transitional states of TCP connection establishment—the critical moments where connections are formed but not yet validated.

Key Takeaways

What's Next

Once the three-way handshake completes successfully, the connection enters the ESTABLISHED state—the stable, data-transfer phase that most developers think of when they think of TCP connections. In the next page, we'll explore what ESTABLISHED means, how data transfer occurs, and the mechanisms that maintain connection health during this phase.