Filtering on the TCP Handshake Process


Some firewalls and filtering routers can be set to deny any incoming TCP handshake attempts. In this manner, a company can ensure that no one is connecting to services that reside on the inside of the firewall or filtering router.

In this case, we are specifically interested in incoming packets that have the SYN bit set to 1. Earlier in this chapter we looked at how to filter on a single bit set. Figure 39 shows what this pattern looks like.

Figure 39: The TCP flag setting 02 is equivalent to the SYN bit setting of 1.

In this situation, however, we need to place the analyzer directly on the inside of the firewall or filtering router and look for packets coming through that firewall or filtering router from an outside network.

We need to add a second pattern that looks for traffic from the outside (not from our network; we'll let our inside folks connect to these services). Together, the two patterns should capture all handshake packets that do not originate on your network.

It's pretty easy to build a filter on your IP network addresses when the network portion ends on a nice byte boundary. For example, if your network masks are 255.0.0.0, 255.255.0.0, or 255.255.255.0, it is easy to build network filters, because the filter simply matches the first one, two, or three bytes of the address. Figure 40 shows a simple network filter for traffic from network 10.2.0.0.

Figure 40: Although I named the filter using the entire network address 10.2.0.0, my filter is only based on the first two bytes of the address (the true network portion).

Notice that this filter is based on only two bytes. If we define any further bytes of the address, we will be pointing to a specific group of addresses within the 10.2 network, and if we fill in all four bytes we will be filtering on a single address. If, for example, we filter on the full value 0a.02.00.00 (10.2.0.0), we should not see any traffic at all: no host should use the network address itself as its source address when communicating on the network, right?

Now it is time to put together the SYN pattern and your network filter using both the AND and the NOT operators. We are looking specifically for traffic that has the SYN bit set to 1 but does NOT have a source IP address starting with 10.2. Figure 41 shows the summary window indicating how this filter is put together.

Figure 41: The top summary line indicates that we are going to catch packets with the flag setting of 02 (SYN) and NOT the IP source address value starting with 10.2.

Not too tough, eh? You can use this same type of filter to look for any traffic that should not be allowed on your network from the outside world. Why not build a nice large filter with all the patterns that are set in your firewall? One caveat: the NOT pattern trusts the source address in the packet, so a packet that arrives from the outside with a forged 10.2 source address slips past this filter. Rejecting inside addresses that arrive on the outside interface is a job for the firewall itself.
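As an added example (my own code, not from the book or its analyzer), the following Python script applies the same two-pattern filter, "SYN bit set AND NOT source address starting with 10.2", to raw frames by byte offset, the way the analyzer's pattern filter works. It goes a little beyond the chapter: the network test masks the 32-bit address, so it also works for networks that do not end on a byte boundary (a /20, say), and it optionally requires the ACK bit to be clear so that SYN/ACK replies to connections our own hosts opened are not reported. The sample frames are constructed, with 192.0.2.0/24 standing in for the outside world; the BPF string is the equivalent tcpdump expression.

```python
"""Added example (not from the book): the chapter's two-pattern filter,
"TCP SYN bit set AND NOT source address starting with 10.2", applied to raw
frames by byte offset, the same way the analyzer's pattern filter works.
The network test is generalized to any prefix length by masking the address,
so it also handles networks that do not end on a byte boundary (e.g. /20).
All frames below are constructed samples, not captures."""
import ipaddress
import struct

# Offsets for an Ethernet II frame carrying IPv4 with no VLAN tag.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"
IP_PROTO_OFFSET = ETH_HDR_LEN + 9       # frame byte 23: IP protocol (6 = TCP)
IP_SRC_OFFSET = ETH_HDR_LEN + 12        # frame bytes 26..29: IPv4 source address
TCP_FLAGS_OFFSET_IN_TCP = 13            # flags byte sits 13 bytes into the TCP header
TCP_SYN = 0x02                          # the "02" flag setting from Figure 39
TCP_ACK = 0x10

# Equivalent libpcap/tcpdump expression (initial SYN only, not SYN/ACK replies).
BPF_EQUIVALENT = "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not src net 10.2.0.0/16"


def ip_header_len(frame: bytes) -> int:
    """IHL is the low nibble of the first IP byte, counted in 32-bit words."""
    return (frame[ETH_HDR_LEN] & 0x0F) * 4


def tcp_flags(frame: bytes) -> int:
    """Read the TCP flags byte, allowing for IP options via IHL."""
    return frame[ETH_HDR_LEN + ip_header_len(frame) + TCP_FLAGS_OFFSET_IN_TCP]


def src_ip(frame: bytes) -> int:
    """IPv4 source address as a 32-bit integer."""
    return struct.unpack("!I", frame[IP_SRC_OFFSET:IP_SRC_OFFSET + 4])[0]


def in_network(addr, network: str) -> bool:
    """Mask-based membership test: (addr & mask) == network address.
    This is what the two-byte pattern in Figure 40 does for a /16, but it
    works for /20, /27 and any other prefix length as well."""
    if isinstance(addr, str):
        addr = int(ipaddress.IPv4Address(addr))
    net = ipaddress.IPv4Network(network, strict=False)
    return (addr & int(net.netmask)) == int(net.network_address)


def is_outside_syn(frame: bytes, inside_net: str = "10.2.0.0/16",
                   initial_only: bool = True) -> bool:
    """Pattern 1 AND NOT pattern 2 from Figure 41.
    initial_only=True additionally requires ACK to be clear, so SYN/ACK
    replies to connections our own hosts opened are not reported."""
    if frame[ETH_HDR_LEN - 2:ETH_HDR_LEN] != ETHERTYPE_IPV4:
        return False
    if frame[IP_PROTO_OFFSET] != 6:
        return False
    flags = tcp_flags(frame)
    if not flags & TCP_SYN:
        return False
    if initial_only and flags & TCP_ACK:
        return False
    return not in_network(src_ip(frame), inside_net)


def build_frame(src: str, dst: str, flags: int) -> bytes:
    """Constructed sample frame: Ethernet II + 20-byte IPv4 + 20-byte TCP,
    checksums left at zero (the filter never looks at them)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


# Constructed traffic as seen just inside the firewall; 192.0.2.0/24 is
# documentation address space standing in for "the outside world".
SAMPLE_FRAMES = {
    "outside_syn": build_frame("192.0.2.7", "10.2.1.50", TCP_SYN),
    "inside_syn": build_frame("10.2.1.50", "192.0.2.7", TCP_SYN),
    "outside_synack": build_frame("192.0.2.7", "10.2.1.50", TCP_SYN | TCP_ACK),
    "outside_ack": build_frame("192.0.2.7", "10.2.1.50", TCP_ACK),
}


def filter_frames(frames: dict, inside_net: str = "10.2.0.0/16",
                  initial_only: bool = True) -> list:
    """Names of the frames the filter would capture, in arrival order."""
    return [name for name, f in frames.items()
            if is_outside_syn(f, inside_net, initial_only)]


if __name__ == "__main__":
    print("captured:", filter_frames(SAMPLE_FRAMES))
    print("captured incl. SYN/ACK:", filter_frames(SAMPLE_FRAMES, initial_only=False))
    print("10.2.16.5 in 10.2.0.0/20?", in_network("10.2.16.5", "10.2.0.0/20"))
```

With the constructed traffic, only the outside SYN is captured. Run with initial_only=False the script behaves like a plain single-bit test on flag 02 and also reports the outside SYN/ACK, which is the reply to a connection an inside host opened; decide which behaviour you want before trusting the capture as a list of inbound connection attempts.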


Packet Filtering: Catching the Cool Packets
ISBN: 1893939383
Year: 2000
Pages: 65

flylib.com © 2008-2017.