Networking & Protocols
Sequence numbers and connection state
Crux How ISN randomisation hardens TCP against injection attacks, and the full state machine from CLOSED to TIME-WAIT.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at middle altitude — in the skyYou know the three steps of the handshake. Now look at what those steps actually exchange: random 32-bit counters whose specific values are not arbitrary — they are a security mechanism, a timing mechanism, and a state machine checkpoint all at once.
The three-step dance in detail
Bea sends SYN seq=X. She moves to state SYN-SENT. Sven receives it, allocates a buffer for the incoming direction, moves to state SYN-RECV, and replies SYN-ACK seq=Y ack=X+1. The ack=X+1 means “I saw your sequence number X; the next byte I expect from you is X+1.” (The SYN flag itself consumes one sequence number even though no data byte is sent.) Bea then sends ACK seq=X+1 ack=Y+1 and moves to state ESTABLISHED. Sven receives it, moves to state ESTABLISHED, and the connection is live.
Sequence number negotiation
1/3Initial Sequence Numbers (ISN) — why random?
RFC 6528 specifies that ISN is computed as:
ISN = M + F(saddr, sport, daddr, dport, secret_key)where M increments once per ~4 µs (making it hard to guess from the outside), and F is a hash of the 4-tuple and a secret key. Older implementations used a simple counter, which attackers exploited: an attacker could guess the next ISN, forge a packet with the right sequence number, and inject commands into an established connection. Modern ISNs are cryptographically random per connection, making blind injection impossible without eavesdropping.
The 1-RTT cost
Bea sends SYN, waits for SYN-ACK (1 RTT), sends ACK, and only then can she send an HTTP request. If the RTT is 100 ms (across a continent), 100 ms of latency is baked into the connection before the first application byte lands. This RTT matters because it decides the cadence of the entire application.
- LAN RTT (cold)
- 0.1–1 ms
- Regional RTT
- 20–40 ms
- Intercontinental RTT
- 100–300 ms
- TFO cold start
- 1 RTT + data
- TFO warm start
- 0 RTT (data in SYN)
- HTTP/2 benefit
- 1 connection, many streams
Connection close: FIN and TIME-WAIT
Closing is the mirror of opening: each side independently sends FIN to signal “I have no more data,” and the peer ACKs. Connections sit in TIME-WAIT for 2×MSL (~120 s typical) so any straggler retransmission can land harmlessly instead of being mistaken for a new connection’s data. The side that initiates close pays the TIME-WAIT cost; on busy clients this is fine, on busy servers it can become a problem — see the lesson on SYN cookies and TFO for TIME-WAIT exhaustion at scale.
The state machine
The states you will see in ss -tan output:
| State | Meaning |
|---|---|
LISTEN | Server waiting for SYN |
SYN-SENT | Client has sent SYN |
SYN-RECV | Server has sent SYN-ACK |
ESTABLISHED | Handshake done, normal traffic |
FIN-WAIT-1 | Close initiator sent FIN |
FIN-WAIT-2 | Received ACK of own FIN |
CLOSE-WAIT | Received FIN from peer, must call close() |
LAST-ACK | Sent FIN, awaiting final ACK |
TIME-WAIT | Post-close cooldown (2×MSL) |
CLOSED | No connection |
An accumulation of CLOSE-WAIT on a server usually means the application is not calling close() on accepted sockets — a resource leak.
Trace it
1/5 Trace a successful TCP three-way handshake and the first data byte.
1
Step 1 of 5
Client sends SYN. What state is the client in?
SYN-SENT. The client allocates a half-open connection structure and starts the SYN retransmission timer.
2
Locked
Server receives SYN. What does it allocate and what does it reply?
Server allocates a request_sock (or generates a SYN cookie if backlog is full), moves to SYN-RECV, and replies SYN-ACK with its own ISN plus ack = client_isn + 1.
3
Locked
Client receives SYN-ACK. What does the ACK number tell the client?
ack = client_isn + 1 confirms the server received the client's SYN. Client moves to ESTABLISHED.
4
Locked
Client sends ACK. What does the server do?
Server validates the ACK, allocates the full socket (or validates the SYN cookie), and moves to ESTABLISHED. The handshake is complete.
5
Locked
Client's first data byte. What sequence number does it carry?
client_isn + 1. The SYN consumed one sequence number, so the next byte sent uses the value the server already acknowledged as expected.
✓ Traced.
Trace it
1/4 Trace what happens when the SYN packet is lost on the way to the server.
1
Step 1 of 4
Client sends SYN. Server never sees it. What does the client do?
Client's SYN retransmission timer fires (default ~1s, doubled on each retry up to 5-6 attempts). It resends SYN with the same ISN.
2
Locked
After two more retries the SYN still fails. What happens?
Linux retries up to tcp_syn_retries times (default 6, ~127s total). After that, connect() returns ETIMEDOUT to the application.
3
Locked
What if the SYN reached the server but SYN-ACK was lost?
Client still retransmits SYN; server treats the duplicate SYN as a retransmit and re-sends its SYN-ACK with the same server ISN.
4
Locked
Why is this safe even on a flaky network?
Because both ISNs are fixed for the handshake — duplicates are idempotent. The first ACK from either side that arrives completes the handshake.
✓ Traced.
Order the steps
Completed
Order the TCP state transitions for a client opening then closing a connection:
- 1 CLOSED
- 2 SYN-SENT (after send(SYN))
- 3 ESTABLISHED (after receive(SYN-ACK) and send(ACK))
- 4 FIN-WAIT-1 (after send(FIN))
- 5 FIN-WAIT-2 (after receive(ACK of FIN))
- 6 TIME-WAIT (after receive(FIN) and send(ACK))
- 7 CLOSED (after 2×MSL expires)
Quiz
Completed
Why is the SYN flag treated as consuming one sequence number even though no data byte is sent?
Heads-up TCP increments by bytes sent, not by packets.
Heads-up The behaviour is designed, not legacy. It enables reliable handshake retransmission.
Heads-up TCP headers handle padding separately; sequence semantics are about reliability.
Why this works
Why older ISN implementations were dangerous. Before RFC 6528, many TCP stacks incremented the ISN by a fixed amount per second (~250,000 per second on BSD-derived systems). An attacker who could observe the timing of one connection could predict the next ISN with reasonable accuracy and forge an ACK or data segment — the classic TCP sequence number prediction attack. Randomised ISNs, combined with cryptographic mixing of the 4-tuple, make this attack computationally infeasible without being able to observe the actual SYN-ACK.
- 01Why are Initial Sequence Numbers (ISNs) randomised rather than starting from zero or incrementing globally?
- 02What does TIME-WAIT mean, how long does it last, and why does it exist?
- 03What does a large number of CLOSE-WAIT sockets on a server almost always indicate?
Recap
The three-way handshake exchanges Initial Sequence Numbers (ISNs) in both directions. ISNs are computed as a time-based counter plus a cryptographic hash of the connection 4-tuple (RFC 6528), making injection attacks infeasible. The SYN flag consumes one sequence number so the exchange is individually acknowledgeable. Once ESTABLISHED, both sides track the connection through an 11-state machine: LISTEN, SYN-SENT, SYN-RECV, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, CLOSED. TIME-WAIT persists for 2×MSL (~120s) to absorb delayed retransmissions. CLOSE-WAIT accumulation is the most common socket-leak symptom — the application is not calling close() on accepted sockets.
Connected lessons
builds on
deepens into
appears again in258
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- The journey of a request: seven stops from socket to responsejunior
- Accept and parse: from kernel queue to a typed requestmiddle
- Routing and middleware: choosing what runs, and in what ordermiddle
- Handler and response: from business logic to bytes on the wiremiddle
- Streaming and backpressure: when the client reads slower than you writesenior
- Timeouts and tail latency: budgets, deadlines, and the fan-out trapsenior
- Middleware and DI: the two patterns that shape every backendjunior
- Writing middleware: signatures, next(), and the three framework modelsmiddle
- Inversion of control: how dependencies reach a classmiddle
- DI scopes and lifecycles: singleton, request, transientmiddle
- DI as a testing seam: fakes, mocks, and the boundary that matterssenior
- DI containers in production: resolution graphs, circular deps, and when not tosenior
- Blocking vs non-blocking I/O: two ways to waitjunior
- The event loop: one thread, ordered phasesmiddle
- What blocks the loop: CPU work and sync callsmiddle
- Offloading CPU work: worker threads and the libuv poolmiddle
- Backpressure and bounded concurrencysenior
- Throughput under load: tail latency and saturationsenior
- Why pool: the cost of creating a connectionjunior
- Pool sizing: why bigger is not fastermiddle
- Acquisition and timeouts: the wait queue is the real latency dialmiddle
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Retry strategies: backoff, jitter, and thundering herdmiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Timer accuracy, throttling, and idle workmiddle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- LCP: four phases, one dominant costmiddle
- INP: input delay, processing, presentationmiddle
- CLS: why layout shifts happen and how to stop themmiddle
- Lab vs field: why the two disagree and how to use eachmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- What an index is and how it speeds up queriesjunior
- The leading-column rule and composite index designmiddle
- Partial, expression, and covering indexesmiddle
- Index types: GIN, GiST, BRIN, Hash, Bloom, and HOT updatesmiddle
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- Index design exercise: full-text search strategysenior
- EXPLAIN and execution plans: what the planner decides and whyjunior
- Scan types: Seq, Index, Bitmap, Index-Onlymiddle
- Join algorithms and the row-estimate cascademiddle
- pg_statistic, ANALYZE, and production observabilitymiddle
- Extended statistics: fixing correlated-column estimate failuressenior
- Plan cache, cost-constant tuning, and planner internalssenior
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- What the three signals are: logs, metrics, and tracesjunior
- Metrics and cardinality: the cost model of a time-series databasemiddle
- Logs and volume: the cost model of structured loggingmiddle
- Traces and sampling: the cost model of distributed tracingmiddle
- Join keys and exemplars: making the three signals composemiddle
- Observability 2.0: wide events and the cost shiftsenior
- Failure modes and engineering practice: cardinality budgets, PII, and samplingsenior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- Log levels and alert routingmiddle
- Sampling strategies and log costmiddle
- PII redaction and log injectionsenior
- Trace context propagation in logssenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- OTel signals, Semantic Conventions, and the OTLP wire formatmiddle
- Auto-instrumentation and manual spans: the 80/20 of OTelmiddle
- The OTel Collector: receivers, processors, exporters, and deployment patternsmiddle
- Sampling strategies: head, tail, and parent-basedmiddle
- Vendor neutrality, eBPF instrumentation, the Operator, and browser/serverless OTelsenior
- Operating the OTel Collector: reliability, version skew, failure modes, and governancesenior
- RED and USE: two checklists, one triage disciplinejunior
- Instrumenting RED in Prometheus: counters, histograms, and cardinality disciplinemiddle
- USE on Linux: CPU, memory, disk, network, and PSImiddle
- Golden signals, dashboard layout, and service mesh auto-REDmiddle
- Cardinality as a cost driver: labels, PII, exemplars, and samplingmiddle
- Native histograms, SLO tie-in, and production failure patternsmiddle
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Choosing SLIs and SLO targets: ratios, not feelingsmiddle
- Multi-window multi-burn-rate alerting: why AND beats ORmiddle
- Error budget policy, latency SLOs, and composite journeysmiddle
- Iceberg SLIs, composite SLO math, and SLA vs SLOsenior
- Production SLO failures, self-observability, security, and the big picturesenior
- Flame graphs: reading the picture that shows where time goesjunior
- Sampling vs instrumentation profiling: why 99 Hz wins in productionmiddle
- Profile types: CPU, memory, off-CPU, mutex — which one to reach formiddle
- Continuous profiling: always-on flame graphs with eBPF and trace-id correlationmiddle
- How flame graphs are built from samples, and the production workflows that use themmiddle
- Linux perf, eBPF internals, PGO, and the limits of samplingsenior
- Profiling in production: security, war stories, OTel profiles, and the infrastructure designsenior
- The debugging funnel: SLO → RED → trace → profilejunior
- OTel architecture: one SDK, four signals, one wire formatmiddle
- Cost discipline: keeping observability under 5% of infra spendmiddle
- The incident loop: from pager to postmortem to preventionmiddle
- Scale, security, and the ROI of observable systemssenior
- Why profile first: measure where time actually goesjunior
- Amdahl''''s law and self-time: the ceiling on every speedup you can shipmiddle
- The measurement loop: microbench, macrobench, prod profile, observer effectmiddle
- Reading flame graphs: shapes, per-language profilers, and the 60-second scanmiddle
- Statistical baselines: why one run is not a measurementmiddle
- Profiler history and microbenchmark pitfalls: Knuth to GWPsenior
- Hardware counters, cold-start profiles, and profile securitysenior
- Continuous profiling at scale: costs, CI gates, trace correlation, and anti-patternssenior
- What makes a hot path: symptom vs causejunior
- Five shapes of hotspot: CPU, alloc, cache, lock, syscallmiddle
- Reading parent and child chains: where to apply the fixmiddle
- JIT deopt, the fix-and-verify loop, and PR-time profilingmiddle
- Hardware counters and Intel TMA: sub-category diagnosissenior
- False sharing and native-bridge hot pathssenior
- Hot paths in production: security, tail latency, and tooling lineagesenior
- Memory hierarchy: why the same O(N) loop can be 17x slowerjunior
- Row-major vs column-major: access order and the 9x gapjunior
- Cache lines, struct layout, and false sharingmiddle
- Branch prediction and branchless codemiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Hardware prefetcher, TLB, and memory-level parallelismsenior
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC basics: what the runtime taxes you forjunior
- GC algorithms: generational, concurrent, and per-runtimemiddle
- GC tradeoffs: pause, throughput, heap — and object poolingmiddle
- GC tuning: pacing, heap shape, and allocation observabilitymiddle
- GC internals: tri-color invariant, write barriers, and per-runtime deep-divessenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- N+1: one logical operation, many round-tripsjunior
- Fix families: JOIN, IN, preload, and DataLoadermiddle
- Detecting N+1: query logs, APM traces, and CI gatesmiddle
- DataLoader: batching across resolver treesmiddle
- Cross-protocol N+1: HTTP fan-out and Redis MGETmiddle
- N+1 at scale: pool exhaustion, plan changes, and denormalisationsenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- What a bundle actually costs: download, parse, compile, executejunior
- Core Web Vitals: LCP, INP, and CLSmiddle
- Code splitting: route-level, component-level, vendor splittingmiddle
- Tree shaking and compression: removing what you don''''t usemiddle
- Third-party scripts: the silent budget killermiddle
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior