How can I patch a DDoS attack with a pcap?
I recently made a VPN hosted off of OVH. I have TCPDump installed, but I don't know how to patch the pcap.
Asked: 2021-04-11 19:38:47 +0000
Last updated: Apr 11 '21
Your question doesn't make sense. A pcap is a file containing captured traffic; it can't be used to patch anything. Maybe there's a language problem, can you maybe rephrase the question?
It has a DDoS attack captured, but I don't know how to patch the attack by using hex strings, and I don't know how to get the hex strings.
What do you mean by "patch the attack"? "Patch" is generally used to mean something you do to a program, not to a pattern of network traffic trying to overload your machine, which is what a network DoS is. Do you mean that you want to search through the pcap to find the traffic that's attacking your machine?
It seems you have a lot of skills to learn. Start by reading the pcap file and understanding the protocol. Then learn your IPS/IDS system to understand how virtual patching works and how you can create your own virtual patches. My guess is that you need to invest something like a month into this process of learning the protocols and learning how to use the right tools. There is no quick fix here, as it will only be a stopgap for one very specific type of hole.
Can't you get the hex string of an attack and patch the attack through iptables? I'm just wondering how I get the hex string and how to drop traffic with the same hex string with iptables. I also want to know how to find the specific IPs coming from the DDoS attack through a pcap that captured a DDoS attack.
If you're dropping packets with iptables, the DDoS attack is already hitting that system; you need to take action further upstream.
Do you think the hex strings in all the different DDoS packets will be the same, making filtering easy? Very unlikely, that's the whole point of a DDoS.
Wireshark will show you the IPs in the capture with the Statistics -> Endpoints dialog. As they're most likely spoofed, it won't get you far.
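As an added example that is not part of this thread, the same source-address tally the Endpoints dialog produces can be done by parsing a classic pcap file directly. The capture below is constructed in memory (IPv4 over Ethernet, zeroed MACs and checksums, documentation-range addresses), so nothing here comes from the asker's capture.

```python
"""Tally source IPs in a classic (libpcap) file, like Wireshark's Endpoints view."""
import struct
from collections import Counter


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto) for every IPv4-over-Ethernet packet."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"           # little-endian record headers
    elif magic == 0xD4C3B2A1:
        end = ">"           # big-endian record headers
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        # Need Ethernet (14) + minimal IPv4 header (20), EtherType 0x0800
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        yield src, dst, pkt[23]


def top_sources(data, n=5):
    """Most frequent source addresses; spoofed floods make this a rough guide only."""
    return Counter(src for src, _, _ in parse_pcap(data)).most_common(n)


def _ipv4_frame(src, dst, proto=17):
    """Constructed Ethernet+IPv4 frame for test data (no payload, zero checksum)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip


def make_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed capture: a small flood from a few sources towards one host.
SAMPLE = make_pcap([_ipv4_frame("198.51.100.7", "203.0.113.10")] * 6
                   + [_ipv4_frame("192.0.2.44", "203.0.113.10")] * 3
                   + [_ipv4_frame("198.51.100.9", "203.0.113.10")])

if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE):
        print(f"{count:6d}  {ip}")
```

Against a real file, replace SAMPLE with `open("capture.pcap", "rb").read()`; the same counts are what Endpoints shows, and as noted above, spoofed sources limit what they tell you.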