Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Change of IP in case of event X
« previous
next »
Print
Pages: [
1
]
Author
Topic: Change of IP in case of event X (Read 1034 times)
pille
Newbie
Posts: 9
Karma: 0
Change of IP in case of event X
«
on:
February 15, 2024, 10:31:46 am »
hello all
i am not sure its the right category.
i want to change the Public IP in case of an attack
means: i have multiple IPs assigned to myself. the main IP, lets suppose 1.1.1.1 and second IP 2.2.2.2, which is a webservice behind (for instance).
now, there are a coulple of cenarios
1. port scan, usually coming from 1 ip and scam many ports
2. DDOS attack - many different IPs overflood the webservice with requests.
1. what can i do against it ? or what are you doing against portscans ?
2. i want in case of an DDOS attack to change the IP from 1.1.1.1 to 2.2.2.2. the "non_configured" IPs on the opnsense will be than handled and blocked from the ISP.
how can i configure the ip change.
Logged
meyergru
Hero Member
Posts: 1710
Karma: 167
IT Aficionado
Re: Change of IP in case of event X
«
Reply #1 on:
February 15, 2024, 02:11:12 pm »
Have you looked at crowdsec and geoip blocking? If you know your adversaries, you can even whitelist their ASN.
I do not need any chinese or russian IPs connecting to my services, so there...
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
pille
Newbie
Posts: 9
Karma: 0
Re: Change of IP in case of event X
«
Reply #2 on:
February 15, 2024, 03:11:47 pm »
crowdsec - thx, cool option. i use geoblocking
the point of changing IP is:
if the opnsense is configured or IP 1.1.1.1 the service providers router/firewall routes the traffic to the opnsense. if ip changes to 2.2.2.2. the "attack" still on the 1.1.1.1, but the Service provider has now no route and the traffic doesnt pop up on the opn. so the traffic will be eliminated beforehand.
the point of this: if the attack is large enough, it brings down the firewall/service behind.
soo, the goal is: recognize patterns and if match, change the IP and the traffic gets not routed to my firewall. therefore a DDOS attack will be minimized. is the though correct ?
how many queries could an opnsense handle ? is there any calculation ?
Logged
meyergru
Hero Member
Posts: 1710
Karma: 167
IT Aficionado
Re: Change of IP in case of event X
«
Reply #3 on:
February 15, 2024, 03:53:52 pm »
I get the idea, however the question is how and why that DOS attack is carried out. Your approach might work for an attack that targets your specific IP, but who would spend ressources on such a thing?
If, on the other hand, you have named services that can be accessed via DNS, you would have to change that along with the IP, so after a short while, the new IP would be the target again.
If you do not have any open services, you could simply block all incoming ports and ICMP and thus would not be detectable other than for outgoing connections, and then again, why would anybody attack an IP that does not answer and of which you cannot be sure you hit anything at all?
Apart from that, I think you would have to monitor the event yourself and then script something to change the IP of the WAN interface.
«
Last Edit: February 15, 2024, 03:58:34 pm by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
pille
Newbie
Posts: 9
Karma: 0
Re: Change of IP in case of event X
«
Reply #4 on:
February 15, 2024, 10:10:03 pm »
---- why would anybody attack an IP that does not answer and of which you cannot be sure you hit anything at all?
----
you are right. makes perfectly sense. thx for your input.
Logged
JakaylaLee
Newbie
Posts: 6
Karma: 0
Re: Change of IP in case of event X
«
Reply #5 on:
February 17, 2024, 01:18:39 am »
One option is mitigating PortScans implement a firewall or intrusion detection/prevention system (IDS/IPS) to detect and block port scan attempts. These systems can monitor network traffic and automatically block IP addresses that are scanning multiple ports. Configure rate limiting rules on your firewall to limit the number of port scan attempts from a single IP address within a certain time frame. Use port knocking techniques to dynamically open ports only when specific sequences of connection attempts are made, effectively hiding the ports from casual scans. I still think that it's too much and such a scenario is not gonna happen anywhere in the future.
Logged
meyergru
Hero Member
Posts: 1710
Karma: 167
IT Aficionado
Re: Change of IP in case of event X
«
Reply #6 on:
February 17, 2024, 09:57:46 am »
That is exactly what Crowdsec does. Plus it registers such IPs in a cloud database which can then be used by others to block these IPs at once.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Change of IP in case of event X