Change of IP in case of event X

Started by pille, February 15, 2024, 10:31:46 AM

Hello all,

I am not sure it's the right category.

I want to change the public IP in case of an attack.

Means: I have multiple IPs assigned to myself, the main IP, let's suppose 1.1.1.1, and a second IP 2.2.2.2, which has a webservice behind it (for instance).
Now, there are a couple of scenarios:
1. port scan, usually coming from 1 IP and scanning many ports
2. DDoS attack: many different IPs flood the webservice with requests.

1. What can I do against it? Or what are you doing against port scans?
2. In case of a DDoS attack I want to change the IP from 1.1.1.1 to 2.2.2.2. The "non-configured" IPs on the OPNsense will then be handled and blocked by the ISP.

How can I configure the IP change?


Have you looked at crowdsec and geoip blocking? If you know your adversaries, you can even whitelist their ASN.

I do not need any chinese or russian IPs connecting to my services, so there...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

CrowdSec - thanks, cool option. I use geoblocking.

The point of changing the IP is:
If the OPNsense is configured for IP 1.1.1.1, the service provider's router/firewall routes the traffic to the OPNsense. If the IP changes to 2.2.2.2, the "attack" is still on 1.1.1.1, but the service provider now has no route and the traffic doesn't show up on the OPNsense. So the traffic will be eliminated beforehand.
The point of this: if the attack is large enough, it brings down the firewall/service behind it.

So, the goal is: recognize patterns and, if they match, change the IP so the traffic does not get routed to my firewall. Therefore a DDoS attack will be minimized. Is the thought correct?

How many queries could an OPNsense handle? Is there any calculation?

February 15, 2024, 03:53:52 PM #3 Last Edit: February 15, 2024, 03:58:34 PM by meyergru
I get the idea, however the question is how and why that DoS attack is carried out. Your approach might work for an attack that targets your specific IP, but who would spend resources on such a thing?

If, on the other hand, you have named services that can be accessed via DNS, you would have to change that along with the IP, so after a short while, the new IP would be the target again.

If you do not have any open services, you could simply block all incoming ports and ICMP and thus would not be detectable other than for outgoing connections, and then again, why would anybody attack an IP that does not answer and of which you cannot be sure you hit anything at all?

Apart from that, I think you would have to monitor the event yourself and then script something to change the IP of the WAN interface.


---- why would anybody attack an IP that does not answer and of which you cannot be sure you hit anything at all?
----
You are right. Makes perfect sense. Thanks for your input.

One option for mitigating port scans is to implement a firewall or intrusion detection/prevention system (IDS/IPS) to detect and block port scan attempts. These systems can monitor network traffic and automatically block IP addresses that are scanning multiple ports. Configure rate limiting rules on your firewall to limit the number of port scan attempts from a single IP address within a certain time frame. Use port knocking techniques to dynamically open ports only when specific sequences of connection attempts are made, effectively hiding the ports from casual scans. I still think that it's too much and such a scenario is not going to happen anywhere in the future.

That is exactly what Crowdsec does. Plus it registers such IPs in a cloud database which can then be used by others to block these IPs at once.
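The "monitor the event yourself and script something" idea and the "many ports from a single IP within a time frame" rule discussed above, as an added example that is not part of this thread and not OPNsense or CrowdSec code: a sliding-window port-scan detector over firewall block-log lines. The log format, the sample lines and the thresholds are constructed for the example; the real OPNsense filterlog format differs and would need its own parser.

```python
"""Sliding-window port-scan detection over firewall block-log lines.

Assumed, constructed line format (NOT the real OPNsense filterlog format):
    <unix_ts> <action> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 probes 15 ports within 15 seconds (a scan),
# 10.0.0.9 is a normal client, 10.0.0.7 is a single stray blocked probe.
SAMPLE_LOG = [
    f"{1700000000 + i} block 10.0.0.5 1.1.1.1 {20 + i}" for i in range(15)
] + [
    "1700000003 pass 10.0.0.9 1.1.1.1 443",
    "1700000020 pass 10.0.0.9 1.1.1.1 443",
    "1700000800 block 10.0.0.7 1.1.1.1 22",
]


def parse_line(line):
    """Split one log line into (ts, action, src, dst, dport)."""
    ts, action, src, dst, dport = line.split()
    return int(ts), action, src, dst, int(dport)


def find_scanners(lines, window=60, min_ports=10):
    """Return {src_ip: ts_first_flagged} for sources whose *blocked* probes hit at
    least `min_ports` distinct destination ports within any `window` seconds.
    Only blocked packets count: legitimate clients rarely hit closed ports, so
    this keeps multi-port clients (e.g. 80 and 443) from tripping the rule."""
    events = defaultdict(deque)   # src -> deque of (ts, dport), oldest first
    flagged = {}
    for ts, action, src, _dst, dport in sorted(parse_line(l) for l in lines):
        if action != "block":
            continue
        q = events[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # drop probes older than the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= min_ports:
            flagged[src] = ts
    return flagged


def to_alias_lines(flagged):
    """Render offenders one address per line, the shape a URL-table style
    block list consumes (which list and how it is fetched is up to the reader)."""
    return sorted(flagged)


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))   # {'10.0.0.5': 1700000009}
```

Feeding the detector a real log would replace `parse_line`; the window/threshold logic is what the rate-limiting rule in the thread amounts to.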