How can I patch a DDoS attack with a pcap?

asked 2021-04-11 19:38:47 +0000


I recently made a VPN hosted off of OVH. I have tcpdump installed, but I don't know how to patch the pcap.


Comments

Your question doesn't make sense. A pcap is a file containing captured traffic, it can't be used to patch anything. Maybe there's a language problem, can you maybe rephrase the question?

grahamb ( 2021-04-11 19:41:59 +0000 )

It has a DDoS attack captured, but I don't know how to patch the attack by using hex strings, and I don't know how to get the hex strings.

i99q ( 2021-04-11 19:46:17 +0000 )

What do you mean by "patch the attack"? "Patch" is generally used to mean something you do to a program, not to a pattern of network traffic trying to overload your machine, which is what a network DoS is. Do you mean that you want to search through the pcap to find the traffic that's attacking your machine?

Guy Harris ( 2021-04-12 01:18:41 +0000 )

It seems you have a lot of skills to learn. Start by reading the pcap file and understanding the protocol. Then learn your IPS/IDS system to understand how virtual patching works and how you can create your own virtual patches. My guess is that you need to invest something like a month into this process of learning the protocols and learning how to use the right tools. There is no quick fix here, as it will only be a stopgap for one very specific type of hole.

hugo.vanderkooij ( 2021-04-12 07:40:33 +0000 )

Can't you get the hex string of an attack and patch the attack through iptables? I'm just wondering how I get the hex string and how to drop traffic with the same hex string with iptables. I also want to know how to find the specific IPs coming from the DDoS attack through a pcap that captured a DDoS attack.

i99q ( 2021-04-12 10:30:01 +0000 )

If you're dropping packets with iptables, the DDoS attack is already hitting that system; you need to take action further upstream.

Do you think the hex strings in all the different DDoS packets will be the same, making filtering easy? Very unlikely, that's the whole point of a DDoS.

Wireshark will show you the IPs in the capture with the Statistics -> Endpoints dialog. As they're most likely spoofed, it won't get you far.

grahamb ( 2021-04-12 10:34:30 +0000 )
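The per-address tally the Endpoints dialog gives you can also be produced from a script, which is handy when the capture is large or you want to feed the result elsewhere. The block below is an added example and not code from the thread: it parses classic (non-pcapng) Ethernet pcap files with only the Python standard library, skips non-IPv4 frames and stops cleanly at a truncated final record, and runs on a small capture constructed inline from RFC 5737 documentation addresses.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1

def top_ipv4_sources(pcap: bytes, n: int = 10):
    """Tally IPv4 source addresses in a classic pcap; returns [(ip, count), ...]."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # little-endian, microsecond timestamps
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcaps are not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break                         # truncated final record (capture cut short)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                      # ARP, IPv6, VLAN-tagged, or runt frame
        counts[".".join(str(b) for b in frame[26:30])] += 1   # IPv4 source at eth+14+12
    return counts.most_common(n)

# --- constructed sample capture (not from the thread) ---------------------
def _syn_frame(src: str, dst: str) -> bytes:
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums left zero, enough for parsing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 1194, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return eth + ip + tcp

def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = (struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + b"".join(recs)

SAMPLE_PCAP = build_pcap(
    [_syn_frame("198.51.100.7", "192.0.2.10")] * 3      # RFC 5737 documentation addresses
    + [_syn_frame("203.0.113.9", "192.0.2.10")] * 2
    + [_syn_frame("192.0.2.5", "192.0.2.10")]
    + [b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28])     # one ARP frame, should be skipped
```

On a real file call `top_ipv4_sources(open("capture.pcap", "rb").read())`; as noted above, the busiest addresses in a flood are often spoofed, so treat the list as a starting point for upstream filtering rather than a list of attackers.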

Well, I still want to get the hex string to drop the packets with iptables, so if someone who DDoSed it tries to DDoS it again with the same method, then it won't work.

i99q ( 2021-04-12 10:40:53 +0000 )

Hex string of what, the whole packet, or a portion of it? Note that it's likely that every packet is different, so there is no single hex string for that.

grahamb ( 2021-04-12 11:03:59 +0000 )