The Noddos client monitors network traffic in the home or enterprise network, identifies which IoT devices are present, and dynamically applies device-specific ACLs to the traffic of those devices to stop a device from sending rogue traffic, for example when it is being used in a DDoS attack. The ACLs are downloaded from the cloud and are generated from traffic statistics uploaded anonymously by the Noddos client. You can install the Noddos client on Linux-based (DIY) routers and firewalls and, real soon now, on Home Gateways running Lede.
* Noddos runs as a daemon to listen to DHCP, DNS and SSDP traffic on the home network. It reads DHCP and DNS data from the dnsmasq daemon, which should be configured to log extended DNS and DHCP data. If incoming SSDP data has a ‘Location’ header, then nodlisten will call the URL contained in the header to collect additional device information. Using the Linux Netfilter functionality, it tracks network flows in real time. Noddos reads the DeviceProfiles file, which specifies the matching conditions and traffic filtering rules. Every hour, Noddos matches discovered devices against the device profile database to identify known devices. Noddos can be configured to upload traffic statistics for identified devices and device attributes for devices it has not yet been able to match to a device profile. A configuration file specifies, among other things, whether traffic and device statistics should be uploaded and whether or not they should be uploaded anonymously. The Noddos process should be started at boot time.
* The ‘getdeviceprofiles.sh’ script securely downloads the list of Device Profiles over HTTPS from the Noddos web site, checks the digital signature of the file using a Noddos certificate and makes the file available to the Noddos client. It needs access to the public cert that was used to sign the file. This script should be called at least once per day from cron.
+ Linux v2.6.13 or later (as inotify support is needed)
+ openssl command-line tool
+ wget (preferred because of conditional GET support) or curl
+ gzip or bzip2 or brotli (the latter is preferred due to its superior compression rate)
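The verify-before-install step described for getdeviceprofiles.sh, sketched as an added example that is not the project's script. It assumes a detached SHA-256 signature; the certificate and sample file are constructed, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Noddos code. Assumed: detached SHA-256 signature,
# the file names, and the helper names install_if_signed / make_sample.

# install_if_signed CERT FILE SIG DEST
# Copies FILE to DEST only when SIG verifies against the key in CERT.
# Returns 0 installed, 1 bad signature (DEST untouched), 2 setup error.
install_if_signed() {
    cert=$1; file=$2; sig=$3; dest=$4
    pub=$(mktemp) || return 2
    # The verifier needs the bare public key, so pull it out of the cert.
    if ! openssl x509 -in "$cert" -pubkey -noout > "$pub" 2>/dev/null; then
        rm -f "$pub"; return 2
    fi
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1
    then
        rm -f "$pub"
        # Write beside DEST, then rename, so a reader never sees a partial file.
        cp "$file" "$dest.new.$$" && mv -f "$dest.new.$$" "$dest" || return 2
    else
        rm -f "$pub"
        return 1
    fi
}

# make_sample DIR: constructed signer certificate plus a signed sample file.
make_sample() {
    openssl req -x509 -nodes -subj '/CN=example-signer' -newkey rsa:2048 \
        -days 1 -keyout "$1/signer.key" -out "$1/signer.pem" 2>/dev/null &&
    printf '{"note":"constructed sample, not a real profile"}\n' \
        > "$1/DeviceProfiles.json" &&
    openssl dgst -sha256 -sign "$1/signer.key" \
        -out "$1/DeviceProfiles.json.sig" "$1/DeviceProfiles.json"
}

# Demo: a good download is installed, a modified one is refused.
demo() {
    d=$(mktemp -d) || return 2
    make_sample "$d" || return 2
    f=$d/DeviceProfiles.json
    install_if_signed "$d/signer.pem" "$f" "$f.sig" "$d/live.json" &&
        echo "signed file installed"
    echo '# modified after signing' >> "$f"
    install_if_signed "$d/signer.pem" "$f" "$f.sig" "$d/live.json" ||
        echo "modified file refused (exit $?)"
    rm -rf "$d"
}
demo
```

Because a failed check leaves the previously installed file in place, a bad download never replaces a good profile list.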
```
# Build dependencies and source
sudo apt install libssl-dev libnetfilter-conntrack-dev libcurl4-openssl-dev
git clone https://github.com/noddos/noddos && cd noddos/src
# Install openssl and the other runtime packages
sudo apt-get install openssl libcurl3 brotli wget ssl libnetfilter-conntrack3 ca-certificates
# Unprivileged system user and group that noddos drops to
sudo adduser --system --home /var/lib/noddos --shell /bin/false \
    --quiet --group noddos
sudo mkdir /etc/noddos
sudo cp noddos.conf-sample /etc/noddos.conf
sudo cp noddosconfig.pem /etc/noddos
# Self-signed client certificate and key for the Noddos API
sudo openssl req -x509 -nodes -subj '/CN=noddosapiclient' -newkey rsa:2048 -days 3650 \
    -keyout /etc/noddos/noddosapiclient.key -out /etc/noddos/noddosapiclient.pem
# Edit /etc/noddos.conf, for example to whitelist the IP addresses of the interfaces of your router
sudo chown -R root:root /etc/noddos
# Private key: writable by root only, readable by the noddos group, no access for others
sudo chgrp noddos /etc/noddos/noddosapiclient.key
sudo chmod 640 /etc/noddos/noddosapiclient.key
# Directory where DeviceProfiles.json will be downloaded to
sudo chown noddos:noddos /var/lib/noddos
# Install noddos
sudo install -o 0 -g 0 -s noddos /usr/sbin
sudo install -o 0 -g 0 ../tools/getdeviceprofiles.sh /usr/sbin
```

Install a cronjob to do this frequently (please pick a random time of day instead of 3:23am), e.g.:

```
23 */3 * * * /usr/sbin/getdeviceprofiles.sh
```

Noddos needs to be started as root as it will need to get Linux firewall connection state changes. It will drop to an unprivileged user/group after that has been set up.