User Tools

Site Tools


This is an old revision of the document!


What we collect

On the router there's running few programs in background if you allow them, which collects data and then it is sending them to server.

Ucollect

Ucollect is small daemon for collecting and analyzing network data and provides plugin for doing analyzes.

Ucollect watches packets on interface to internet (WAN) and researching their headers (metadata?) We collect only important informations in headers (for example: protocol or address) and we do not collect data. We're doing analyzes only on remote addresses (It means that collected data doesn't contain user IP address)

Base statistics

Ucollect splits packets into categories (for example: categories all packets, incoming, TCP, …) In each category we continuously determined the number of packets (?) and their total size. These data are send to our server.

These statistics help us monitor common usage of the internet; for example: how much IPv6 is expanding or ratio between download and upload

After 10 days we aggregated data to small groups of routers and we can't determine from who (= from which router) do we have these data. Data in original form are deleted.

Statistics PCAP

Interface PCAP is for examine packets passing through network card, which provide statistics - how many packets was made available by the application and how much it was thrown away, because network card was too busy to handle it.

These statistics are send to server and serves to check health or performance status of ucollect itself.

Detecting anomalies

Traffic is splitted to compartments (hashing packets for example by remote IP address) Size of these compartments are send to server, where they're merge together via the router group (?).

–Not sure about this paragraph–

On these aggregate sizes (?) are detected anomalies (compartments which are really different from expected size are compared to other compartments and their history of size). If we would anomaly, server request routers for keys (IP addresses) which matches given compartners.

This should help us to reveal unexpected behaviour caused by widespread malware ( for example sending SPAM from attacked computers or DDoS attacks)

Data are generated in aggregated form - so we can't determine on which devices anomaly was created.

Nikola

Nikola analyzes logs from firewall (IPTablets). Nikola sends records of packets, which are caught by firewall. Usually it is tries from outside to connect to non-existing services (for example: brute-forcing your password on SSH or scanning ports)

After 10 days we aggregated (?) data - so after this period we can't determine from who are they and in original form they're deleted.

Logsend

It sends logs from automatic updates firmware from your router and also from collecting software (?). This helps us to find any problem with overall health of your router.

Data are deleted after 10 days.