monitors network traffic in the home- or enterprise network
identifies IOT- and other devices
dynamically applies device-specific ACLs to the traffic of the identified devices (currently under development)
Its goal is to identify and stop rogue traffic to and from devices that have been breached; for example when a device is being used in a DDOS attack. The ACLs are downloaded from the cloud and are generated based on traffic stats uploaded anonymously by the Noddos client by users who have opted in to these uploads.
You can install the Noddos client on routers running Lede 17.01.2. As soon as this openwrt/packages PR has been merged, you will be able to install it with the Luci software download UI. Until that time, you can manually download the needed packages from the Noddos github releases page. The installation of the LUCI integration is currently manual and documented on the main Noddos github page.
I'm looking for beta testers to install this application and opt-in to the data upload feature so we can expand the database of known devices and start creating a history of traffic flows. The application consumes 1-2% CPU on my Linksys WRT1200AC and eats about 9MB of DRAM. You can reach out to me either through this thread or through the communication tools listed on the Noddos community page.
Noddos is available as a package from https://noddos.io/dist/lede/releases.
Select the LEDE release and architecture of your HGW. You can select either
the master version (latest build) or the devel version (v0.4.1).
Do enable uploads with:
uci set noddos.@noddos[0].upload='1'
uci commit
so I can help you identify your devices that are not yet in the device
profile database.
I have been able to improve the installation instructions, making the
download of the needed packages and the installation of the Luci UI pages a
lot easier. Have a look at:
With the release of Lede 17.01.3, you'll be able to install Noddos from the
Luci opkg web interface. I've now also submitted the PR to add the Noddos
Luci pages to the upcoming release to make the installation procedure a
point and click experience.
Do let me know if you run into any issues; I'll be happy to help.
You can download Noddos v0.5.2 from the Noddos distribution site. The packages for the various architectures for release 17.01.3 are currently being built and uploaded. Packages for the other releases are already available.
There are only bug fixes in this minor release:
endless loop in parsing specific mDNS TXT record
reduce logging when running without debugging enabled
add br-lan to default list of LAN interfaces for LEDE routers
Thanks for giving Noddos a try. You are one of the first people to try it
so it is likely you run into issues I haven't been able to anticipate.
How did you install Noddos? Using the Luci UI with the standard
distribution feeds? Did you also install the luci-app-noddos package to get the
web pages added to Luci? If not, I recommend that you install that as well.
With that package, you can go to the Status -> Noddos Clients page and to
the Network -> Noddos Client Tracking pages (do enable uploads, I need data
to crunch!!). With or without the luci-app-noddos package, you can ssh to
your router and have a look at the following raw data files to see what has
been collected: /etc/noddos/DeviceMatches.json and
/var/lib/noddos/DeviceDump.json .
As described in the linked bug, I believe that dnscrypt does not allow sharing the UDP:5353 port with other applications. Noddos and Avahi have no issues both listening to that port at the same time.
I've been using this for around 3 months. Something I noticed is that I've been finding strange devices unrelated to my LAN on the Noddos client list. I did some research about my network and came to the conclusion that the Noddos client is "reaching out of the LAN" instead of "reaching into it": all of the strange devices I found are modems from neighbors. The Noddos client itself started showing their names in the "comment" section: starts with either "CPE" or "MTA" and the following combination of numbers and letters is quite possibly the MAC address. I understand why this happens, though: from the router's perspective, these are devices it can "see" because my own modem/MTA is in bridge mode and therefore offloads everything to the router. What I don't know is how to stop this behavior as it possibly poisons the data the Noddos servers receive. Any suggestions?
The /etc/init.d/noddos script has logic to figure out what the LAN and the WAN interfaces are. It should only listen on the LAN interface but that is not what it appears to be doing in your setup.
# Start from the base config and append the interface lists to it
CONFFILE=/var/etc/noddos.yml
cp /etc/noddos/noddos.yml-base "$CONFFILE"
# LAN side: the interface uci reports, plus br-lan when the LAN is bridged
LANINT=$(uci get network.lan.ifname)
LANBRIDGE=$(uci get network.lan.type)
echo 'LanInterfaces:' >> "$CONFFILE"
if [ "${LANBRIDGE}" = "bridge" ]; then
    echo " - br-lan" >> "$CONFFILE"
fi
echo " - ${LANINT}" >> "$CONFFILE"
echo '' >> "$CONFFILE"
# WAN side: the interface uci reports
WANINT=$(uci get network.wan.ifname)
echo 'WanInterfaces:' >> "$CONFFILE"
echo " - ${WANINT}" >> "$CONFFILE"
echo '' >> "$CONFFILE"
Can you manually run 'uci get network.lan.ifname' and 'uci get network.wan.ifname' and share the output with me?
root@OpenWRT:~# uci get network.lan.ifname
eth1.1
root@OpenWRT:~# uci get network.wan.ifname
eth0.2
/var/etc/noddos.yml contains these lines:
# Enable debug output for the main Noddos event handler, if debugging is
# enabled through the command line.
#DebugEvents: false
LanInterfaces:
- br-lan
- eth1.1
WanInterfaces:
- eth0.2
As I build my own firmware images based on master branch every 2 weeks, all of these settings are carried over from previous sysupgrades.
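
A check of the kind this exchange calls for, as an added example that is not part of the thread or of the Noddos project: it reads the LanInterfaces and WanInterfaces lists from the generated file and flags an interface that appears on both sides or that disagrees with what uci reports. The function names are hypothetical and the sample input is constructed from the values posted above.

```shell
#!/bin/sh
# Added example (not Noddos project code): sanity-check the interface lists
# in a generated noddos.yml. Section names are the ones shown in the thread.

# list_ifaces FILE SECTION: print the "- name" items listed under "SECTION:".
list_ifaces() {
    awk -v header="$2:" '
        $0 == header { inside = 1; next }
        inside && /^[ \t]*-[ \t]*[^ \t]/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]+$/, ""); print; next
        }
        { inside = 0 }   # any other line (blank, comment, next key) ends the list
    ' "$1"
}

# check_noddos_conf FILE [UCI_LAN] [UCI_WAN]: print findings, return 1 on any.
check_noddos_conf() {
    lan=$(list_ifaces "$1" LanInterfaces)
    wan=$(list_ifaces "$1" WanInterfaces)
    rc=0
    if [ -z "$lan" ]; then echo "LanInterfaces is empty"; rc=1; fi
    for l in $lan; do
        for w in $wan; do
            if [ "$l" = "$w" ]; then
                echo "$l is listed as both LAN and WAN"; rc=1
            fi
        done
    done
    # The WAN interface uci reports must never appear in the LAN list.
    if [ -n "$3" ] && printf '%s\n' "$lan" | grep -qxF -- "$3"; then
        echo "uci WAN interface $3 is in LanInterfaces"; rc=1
    fi
    # The LAN interface uci reports should appear in the LAN list.
    if [ -n "$2" ] && ! printf '%s\n' "$lan" | grep -qxF -- "$2"; then
        echo "uci LAN interface $2 is missing from LanInterfaces"; rc=1
    fi
    return $rc
}

# Constructed sample: the interface lists as posted in the thread.
sample=$(mktemp)
printf '%s\n' '#DebugEvents: false' 'LanInterfaces:' '- br-lan' '- eth1.1' \
    'WanInterfaces:' '- eth0.2' > "$sample"
if check_noddos_conf "$sample" eth1.1 eth0.2; then echo "interface lists OK"; fi
rm -f "$sample"
# On the router itself:
# check_noddos_conf /var/etc/noddos.yml "$(uci get network.lan.ifname)" "$(uci get network.wan.ifname)"
```

A clean result only shows that the generated file keeps the two sides apart; it says nothing about which interfaces the running daemon actually captures on.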