Introducing Noddos, a device-aware firewall

The Noddos client:

  • monitors network traffic in the home- or enterprise network
  • identifies IOT- and other devices
  • dynamically applies device-specific ACLs to the traffic of the identified devices (currently under development)

Its goal is to identify and stop rogue traffic to and from devices that have been breached; for example when a device is being used in a DDOS attack. The ACLs are downloaded from the cloud and are generated based on traffic stats uploaded anonymously by the Noddos client by users who have opted in to these uploads.

You can install the Noddos client on routers running Lede 17.01.2. As soon as this openwrt/packages PR has been merged, you will be able to install it with the Luci software download UI. Until that time, you can manually download the needed packages from the Noddos github releases page. The installation of the LUCI integration is currently manual and documented on the main Noddos github page.

I'm looking for beta testers to install this application and opt-in to the data upload feature so we can expand the database of known devices and start creating a history of traffic flows. The application consumes 1-2% CPU on my Linksys WRT1200AC and eats about 9MB of DRAM. You can reach out to me either through this thread or through the communication tools listed on the Noddos community page.

2 Likes

I believe that the currently posted wget commands for DIY build instructions download HTML files instead of Makefiles. What worked for me is below:

mkdir -p noddosbuild/package/{noddos,libtins}
cd noddosbuild
wget https://raw.githubusercontent.com/noddos/noddos/master/lede/packages/noddos/Makefile -O package/noddos/Makefile
wget https://raw.githubusercontent.com/noddos/noddos/master/lede/packages/libtins/Makefile  -O package/libtins/Makefile
ROOTDIR=$PWD

then in the SDK directory:

echo "src-link custom $ROOTDIR/package" >>feeds.conf.default
make menuconfig
./scripts/feeds update -a
./scripts/feeds install libtins
./scripts/feeds install noddos
make package/feeds/custom/noddos/{clean,compile} V=99

The last command might take a while since it'd compile all of the dependencies as well.

1 Like

Installed this on my Netgear X4S.
How do I check if it's working?

Thanks for giving the software a try! If you installed noddos-0.4.1_1 then
you have two options:

  • Install Noddos Luci web-ui as per the instructions on
    https://github.com/noddos/noddos
  • kill -SIGUSR1 $(cat /var/lib/noddos/noddos.pid); cat /var/lib/noddos/DeviceDump.json; cat /etc/noddos/DeviceMatches.json

Noddos is available as a package from https://noddos.io/dist/lede/releases.
Select the LEDE release and architecture of your HGW. You can select either
the master version (latest build) or the devel version (v0.4.1).

Do enable uploads with:
uci set noddos.@noddos[0].upload='1'
uci commit

so I can help you identify your devices that are not yet in the device
profile database

1 Like

I have been able to improve the installation instructions, making the
download of the needed packages and the installation of the Luci UI pages a
lot easier. Have a look at:


. With the web interface you can visit
https://192.168.1.1/cgi-bin/luci/admin/status/noddos to view the status of
the device discovery.

With the release of Lede 17.01.3, you'll be able to install Noddos from the
Luci opkg web interface. I've now also submitted the PR to add the Noddos
Luci pages to the upcoming release to make the installation procedure a
point and click experience.

Do let me know if you run into any issues, I'll be happy to help.

- Steven
1 Like

@StevenHessing got it friend. :+1:

Installed this package and only get A LOT of errors....

Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: InterfaceMap: constructing instance
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: InterfaceMap: loading interfaces
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: InterfaceMap: Looking up interface eth0.1
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: Interface: eth0.1 -> Index 8
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: InterfaceMap: Looking up interface eth0.2
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: Interface: eth0.2 -> Index 9
Tue Oct  3 20:12:50 2017 uucp.warn /usr/sbin/noddos[8939]: HostCache: Couldn't open /var/lib/noddos/DnsCache.json for reading
Tue Oct  3 20:12:50 2017 uucp.err /usr/sbin/noddos[8939]: Adding Identifier
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: DeviceProfile: No whitelist found for profile f9e3b2c8-cef9-4d9c-a3d6-b3812f8446e5
Tue Oct  3 20:12:50 2017 uucp.err /usr/sbin/noddos[8939]: Adding Identifier
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: DeviceProfile: No whitelist found for profile 4ebc1608-d662-4384-b2b6-dcb6aedabaac
Tue Oct  3 20:12:50 2017 uucp.err /usr/sbin/noddos[8939]: Adding Identifier
Tue Oct  3 20:12:50 2017 uucp.debug /usr/sbin/noddos[8939]: DeviceProfile: No whitelist found for profile f574b260-6949-4a5b-b809-b13f1b9a2fd5
Tue Oct  3 20:12:50 2017 uucp.err /usr/sbin/noddos[8939]: Adding Identifier

[cut here]

You can download Noddos v0.5.2 from the Noddos distribution site. The packages for the various architectures for release 17.01.3 are currently being built and uploaded. Packages for the other releases are already available.

There are only bug fixes in this minor release:

  • endless loop in parsing specific mDNS TXT record
  • reduce logging when running without debugging enabled
  • add br-lan to default list of LAN interfaces for LEDE routers
1 Like

I never got this working!
Testing with LEDE 17.01.4, NODDOS only flooded my syslog, but nothing is displayed. How can I get this app working?

Thu Oct 26 10:29:32 2017 uucp.debug /usr/sbin/noddos[4305]: InterfaceMap: constructing instance
Thu Oct 26 10:29:32 2017 uucp.debug /usr/sbin/noddos[4305]: InterfaceMap: loading interfaces
Thu Oct 26 10:29:32 2017 uucp.debug /usr/sbin/noddos[4305]: InterfaceMap: Looking up interface eth0.1
Thu Oct 26 10:29:32 2017 uucp.debug /usr/sbin/noddos[4305]: Interface: eth0.1 -> Index 8
Thu Oct 26 10:29:32 2017 uucp.debug /usr/sbin/noddos[4305]: InterfaceMap: Looking up interface eth0.2
Thu Oct 26 10:29:32 2017 uucp.debug /usr/sbin/noddos[4305]: Interface: eth0.2 -> Index 9
Thu Oct 26 10:29:32 2017 uucp.warn /usr/sbin/noddos[4305]: HostCache: Couldn't open /var/lib/noddos/DnsCache.json for reading
Thu Oct 26 10:29:32 2017 uucp.info /usr/sbin/noddos[4305]: HostCache: DeviceMatches read: 0
uucp.notice /usr/sbin/noddos[3049]: HostCache: Got invalid ARP entry 00:00:00:00:00:00 for x.x.x.x

Hi Steven. Would this package also work on openwrt by chance?

No, unfortunately not. The C++ version in the openwrt 15.01 sdk couldn't
compile noddos when I tried.

1 Like

Hi Guenther,

Thanks for giving Noddos a try. You are one of the first people to try it
so it is likely you run into issues I haven't been able to anticipate.

How did you install Noddos? Using the Luci UI with the standard
distribution feeds? Did you also install luci-app-noddos package to get the
web pages added to Luci? If not, I recommend that you install that as well.
With that package, you can go to the Status -> Noddos Clients page and to
the Network -> Noddos Client Tracking pages (do enable uploads, I need data
to crunch!!). With or without the luci-app-noddos package, you can ssh to
your router and have a look at the following raw data files to see what has
been collected: /etc/noddos/DeviceMatches.json and
/var/lib/noddos/DeviceDump.json .

More info is available from https://github.com/noddos/noddos

Please do let me know if you get things working or not. Issue reports are
very welcome and I'll be happy to help out to get things up and running.

- Steven

Thanks for your reply, it's similar to Bug Report.

Using LEDE 17.01.04, installing NODDOS & NODDOS-Luci over Luci-Packages.

As described in the linked bug, I believe that dnscrypt does not allow sharing the UDP:5353 port with other applications. Noddos and Avahi have no issues both listening to that port at the same time.

I've been using this for around 3 months. Something I noticed is that I've been finding strange devices unrelated to my LAN on the Noddos client list. I did some research about my network and came to the conclusion that the Noddos client is "reaching out of the LAN" instead of "reaching into it": all of the strange devices I found are modems from neighbors. The Noddos client itself started showing their names in the "comment" section: starts with either "CPE" or "MTA" and the following combination of numbers and letters is quite possibly the MAC address. I understand why this happens, though: from the router's perspective, these are devices it can "see" because my own modem/MTA is in bridge mode and therefore offloads everything to the router. What I don't know is how to stop this behavior as it possibly poisons the data the Noddos servers receive. Any suggestions?

It being a generic question on a bit of software not widely deployed, you might try

https://www.noddos.io/community/index.html

Now that Lede and OpenWrt have merged, I would certainly expect so but haven't tried it.

The /etc/init.d/noddos script has logic to figure out what the LAN and the WAN interfaces are. It should only listen on the LAN interface but that is not what it appears to be doing in your setup.

CONFFILE=/var/etc/noddos.yml
cp /etc/noddos/noddos.yml-base $CONFFILE
LANINT=$(uci get network.lan.ifname)
LANBRIDGE=$(uci get network.lan.type)
echo 'LanInterfaces:' >> $CONFFILE
if [ "${LANBRIDGE}" == "bridge" ]; then
    echo " - br-lan" >> $CONFFILE
fi
echo " - ${LANINT}" >> $CONFFILE
echo '' >>$CONFFILE

WANINT=$(uci get network.wan.ifname)
echo 'WanInterfaces:' >> $CONFFILE
echo " - ${WANINT}" >> $CONFFILE
echo '' >>$CONFFILE

Can you manually run 'uci get network.lan.ifname' and 'uci get network.wan.ifname' and share the output with me?

root@OpenWRT:~# uci get network.lan.ifname
eth1.1
root@OpenWRT:~# uci get network.wan.ifname
eth0.2

/var/etc/noddos.yml contains these lines:

# Enable debug output for the main Noddos event handler, if debugging is
# enabled through the command line.
#DebugEvents: false
LanInterfaces:
  - br-lan
  - eth1.1

WanInterfaces:
  - eth0.2

As I build my own firmware images based on master branch every 2 weeks, all of these settings are carried over from previous sysupgrades.
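
The generated config above keeps LAN and WAN interfaces apart, so a useful next check is whether the kernel's ARP table holds neighbours learned on the WAN interface. The script below is an added example, not part of Noddos or of any post in this thread; it assumes that Noddos host discovery follows the kernel ARP table (suggested by the "Got invalid ARP entry" log line), the function names and the `wan-side` / `zero-mac` labels are made up for illustration, and the sample ARP table is constructed.

```shell
#!/bin/sh
# Added example, not part of Noddos. Assumes host discovery follows the kernel
# ARP table (/proc/net/arp layout) and the noddos.yml layout shown in the thread.

# Print the entries listed under one top-level key ("Key:" then "  - name").
yml_list() {  # $1 = key, $2 = config file
    awk -v key="$1:" '
        { sub(/[ \t\r]+$/, "") }             # drop trailing blanks / CR
        /^[ \t]*#/  { next }                 # comment line
        $0 == key   { in_list = 1; next }    # start of the wanted list
        /^[^ \t-]/  { in_list = 0 }          # another top-level key ends it
        in_list && /^[ \t]*-[ \t]*./ { sub(/^[ \t]*-[ \t]*/, ""); print }
    ' "$2"
}

# Print interfaces named under both LanInterfaces and WanInterfaces.
lan_wan_overlap() {  # $1 = config file
    yml_list LanInterfaces "$1" | while read -r ifc; do
        yml_list WanInterfaces "$1" | grep -qxF -- "$ifc" && echo "$ifc"
    done
    return 0
}

# Print "ip mac dev reason" for ARP rows that are not real LAN hosts.
suspect_arp() {  # $1 = config file, $2 = ARP table
    awk -v wan="$(yml_list WanInterfaces "$1" | tr '\n' ' ')" '
        BEGIN   { n = split(wan, w, " "); for (i = 1; i <= n; i++) is_wan[w[i]] = 1 }
        NR == 1 { next }                                   # header row
        $4 == "00:00:00:00:00:00" { print $1, $4, $6, "zero-mac"; next }
        $6 in is_wan              { print $1, $4, $6, "wan-side" }
    ' "$2"
}

# Constructed sample input: the config posted above plus a made-up ARP table.
SAMPLE=$(mktemp -d)
printf '%s\n' '#DebugEvents: false' 'LanInterfaces:' '  - br-lan' '  - eth1.1' \
    '' 'WanInterfaces:' '  - eth0.2' > "$SAMPLE/noddos.yml"
cat > "$SAMPLE/arp" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.23     0x1         0x2         02:00:00:aa:bb:01     *        br-lan
100.64.12.1      0x1         0x2         02:00:00:aa:bb:02     *        eth0.2
100.64.12.77     0x1         0x2         02:00:00:aa:bb:03     *        eth0.2
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        br-lan
EOF

# On a router: suspect_arp /var/etc/noddos.yml /proc/net/arp
lan_wan_overlap "$SAMPLE/noddos.yml"
suspect_arp "$SAMPLE/noddos.yml" "$SAMPLE/arp"
```

Rows reported as `wan-side` are neighbours the router itself learned on the WAN interface; if their addresses match the unexpected entries in the Noddos client list, the ARP table is the source rather than the LanInterfaces setting.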