What Is TCP? | NOC.org

Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol suite. It provides reliable, ordered, and error-checked delivery of data between applications running on hosts connected by a network. Virtually every web page you load, email you send, and file you download uses TCP as its transport layer protocol.

TCP operates at Layer 4 (the transport layer) of the OSI model. Unlike connectionless protocols, TCP establishes a dedicated connection between sender and receiver before any data is exchanged, and it guarantees that every byte arrives intact and in the correct order.

The TCP Three-Way Handshake

Before data can flow, TCP establishes a connection using a process called the three-way handshake. This exchange ensures both sides are ready to communicate:

  • SYN (Synchronize): The client sends a SYN packet to the server, indicating it wants to establish a connection and including an initial sequence number.
  • SYN-ACK (Synchronize-Acknowledge): The server responds with a SYN-ACK packet, acknowledging the client's sequence number and providing its own initial sequence number.
  • ACK (Acknowledge): The client sends a final ACK packet confirming the server's sequence number. The connection is now established and data transfer can begin.

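This handshake typically takes one round-trip time (RTT) before the client can start sending data, because the client's final ACK does not have to wait for a reply. On a connection with 20 ms of round-trip latency, the handshake adds roughly 20 ms before any application data is exchanged.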

TCP vs. UDP

TCP and UDP (User Datagram Protocol) are the two main transport protocols on the internet. They serve fundamentally different purposes:

  • Reliability: TCP guarantees delivery and retransmits lost packets. UDP is fire-and-forget — packets may arrive out of order, be duplicated, or be lost entirely.
  • Connection state: TCP is connection-oriented and requires the handshake described above. UDP is connectionless and can send data immediately.
  • Overhead: TCP headers are 20 bytes minimum, and the protocol adds overhead for acknowledgments, sequencing, and flow control. UDP headers are only 8 bytes with no additional overhead.
  • Use cases: TCP is used for HTTP/HTTPS, email (SMTP), file transfers (FTP/SFTP), and SSH. UDP is used for DNS queries, video streaming, VoIP, and online gaming where speed matters more than guaranteed delivery.

TCP in the Context of DDoS Attacks

The TCP handshake creates a vulnerability that attackers exploit through SYN flood attacks — one of the most common forms of protocol-layer DDoS attacks. In a SYN flood, the attacker sends a massive volume of SYN packets but never completes the handshake. The server allocates resources for each half-open connection and waits for the final ACK that never arrives.

As the server's connection table fills up with these half-open connections, it can no longer accept legitimate connections. Even powerful servers have finite connection table sizes, so a SYN flood can be effective at surprisingly low traffic volumes compared to volumetric DDoS attacks.

Modern mitigation techniques include SYN cookies (which avoid allocating state until the handshake completes), rate limiting on SYN packets, and upstream filtering at the CDN or network edge.
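The following added example (not code from NOC.org or from any real TCP stack) models why SYN cookies help: the server packs a keyed hash of the connection into its initial sequence number and only creates state when the final ACK echoes it back. The cookie layout, `MSS_TABLE`, the secret, the addresses and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"       # constructed; a real stack uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]    # assumed table; 2 cookie bits select an entry
M32 = 0xFFFFFFFF                       # sequence numbers are 32 bits wide

def _mac30(tup, client_isn, counter):
    """30-bit keyed hash over the 4-tuple, the client's ISN and a coarse time counter."""
    msg = repr((tup, client_isn, counter)).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> 2

def make_cookie(tup, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 2-bit MSS index followed by the 30-bit MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (idx << 30) | _mac30(tup, client_isn, counter)

def check_ack(tup, seq_no, ack_no, counter):
    """Return the MSS if the final ACK echoes a valid, recent cookie, else None."""
    client_isn, cookie = (seq_no - 1) & M32, (ack_no - 1) & M32
    for c in (counter, counter - 1):            # accept current or previous time slot
        if cookie & 0x3FFFFFFF == _mac30(tup, client_isn, c):
            return MSS_TABLE[cookie >> 30]
    return None

def simulate(backlog, flood_syns, use_cookies):
    """Model a listener hit by flood_syns unanswered SYNs, then one real client.

    Returns (half_open_entries_held, real_client_established).
    """
    half_open = set()                           # state a cookie-less listener must keep
    for i in range(flood_syns):                 # constructed sources that never ACK
        if not use_cookies and len(half_open) < backlog:
            half_open.add(("198.51.100.%d" % (i % 250), 1024 + i, "203.0.113.10", 443))
    real = ("192.0.2.7", 50000, "203.0.113.10", 443)   # constructed legitimate client
    client_isn, counter = 1000, 42
    if use_cookies:
        server_isn = make_cookie(real, client_isn, 1460, counter)   # nothing stored
        ok = check_ack(real, client_isn + 1, (server_isn + 1) & M32, counter) == 1460
    else:
        ok = len(half_open) < backlog           # SYN dropped when the table is full
    return len(half_open), ok
```

With a backlog of 128, `simulate(128, 5000, False)` ends with a full table and the real client refused, while `simulate(128, 5000, True)` holds no half-open state and still completes the real handshake.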

TCP and TLS

Transport Layer Security (TLS) — the protocol that powers HTTPS — runs on top of TCP. After the TCP three-way handshake completes, a TLS handshake follows to negotiate encryption parameters and exchange certificates. This means an HTTPS connection requires at least two round trips before any application data flows: one for TCP, one for TLS.

This is one reason why a web application firewall (WAF) deployed at the edge can improve performance: it terminates the TCP and TLS connections close to the visitor, reducing the cumulative latency of both handshakes.
