Deep packet inspection, which is also known as DPI, information extraction, IX, or complete packet inspection, is a type of network packet filtering. Deep packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance to protocol, spam, viruses, intrusions, and any other defined criteria to block the packet from passing through the inspection point.
Deep packet inspection is also used to decide if a particular packet is redirected to another destination. In short, deep packet inspection is able to locate, detect, categorize, block, or reroute packets that have specific code or data payloads that are not detected, located, categorized, blocked, or redirected by conventional packet filtering. Unlike plain packet filtering, deep packet inspection goes beyond examining packet headers.
HOW DEEP PACKET INSPECTION WORKS?
Deep packet inspection is a form of packet filtering usually carried out as a function of your firewall. It is applied at the Open Systems Interconnection’s application layer.
Deep packet inspection evaluates the contents of a packet that is going through a checkpoint. Using rules that are assigned by you, your Internet service provider, or the network or systems administrator, deep packet inspection determines what to do with these packets in real time.
Deep packet inspection is able to check the contents of these packets and then figure out where it came from, such as the service or application that sent it. In addition, it can work with filters in order to find and redirect network traffic from an online service, such as Twitter or Facebook, or from a particular IP address.
DPI VS. CONVENTIONAL PACKET FILTERING
Conventional packet filtering only reads the header information of each packet. This was a basic approach that was less sophisticated than the modern approach to packet filtering largely due to the technology limitations at the time. Firewalls had very little processing power, and it was not enough to handle large volumes of packets. In other words, conventional packet filtering was similar to reading the title of a book, without awareness or evaluation of the content inside the cover.
With the advent of new technologies, deep packet inspection became feasible. As it became more thorough and complete, it became more comparable to picking up a book, cracking it open, and reading it from cover to cover.
USE CASES FOR DPI
There are several uses for deep packet inspection. It can act as both an intrusion detection system or a combination of intrusion prevention and intrusion detection. It can identify specific attacks that your firewall, intrusion prevention, and intrusion detection systems cannot adequately detect.
If your organization has users who are using their laptops for work, then deep packet inspection is vital in preventing worms, spyware, and viruses from getting into your corporate network. Furthermore, using deep packet inspection is based on rules and policies defined by you, allowing your network to detect if there are prohibited uses of approved applications.
Deep packet inspection is also used by network managers to help ease the flow of network traffic. For instance, if you have a high priority message, you can use deep packet inspection to enable high-priority information to pass through immediately, ahead of other lower priority messages. You can also prioritize packets that are mission-critical, ahead of ordinary browsing packets. If you have problems with peer-to-peer downloads, you can use deep packet inspection to throttle or slow down the rate of data transfer. DPI can also be used to enhance the capabilities of ISPs to prevent the exploitation of IoT devices in DDOS attacks by blocking malicious requests from devices.
Mobile service operators and other similar service providers also use deep packet inspection to tailor-fit their offerings to individual subscribers allowing them to differentiate data usage as “all you can eat,” wall garden, or value added. Record labels and other copyright holders can also request ISPs to block their content from being downloaded illegally – a process achieved through deep packet inspection.
Other times, deep packet inspection is used to serve targeted advertising to users, lawful interception, and policy enforcement. Deep packet inspection can also prevent some types of buffer overflow attacks.
Lastly, deep packet inspection can help you prevent anybody from leaking information, such as when e-mailing a confidential file. Instead of being able to successfully send out a file, the user will instead receive information on how to get the necessary permission and clearance to send it.
As with other technologies, deep packet inspection can also be used for less than admirable purposes, such as eavesdropping and censorship. In fact, the Chinese government has been known to use deep packet inspection to monitor the country’s network traffic and censor some content and sites that are harmful to their interests. This is how China has been able to block out pornography, religious information, materials concerning political dissent, and even popular websites such as Wikipedia, Google, and Facebook.
While DPI has many potential use cases, it can easily detect the recipient or sender of the content that it monitors, so there are some concerns around privacy. This is primarily a concern when DPI is used in the context of marketing and advertising, through monitoring the behavior of users and selling browsing and other data to marketing or advertising companies.
DEEP PACKET INSPECTION TECHNIQUES
Two primary types of products utilize deep packet inspection: firewalls that have implemented features of IDS, such as content inspection, and IDS systems that aim to protect the network rather than focus only on detecting attacks. Some of the main techniques used for deep packet inspection include:
● Pattern or signature matching – One approach to using firewalls that have adopted IDS features, pattern or signature matching, analyzes each packet against a database of known network attacks. The downside to this approach is that it’s effective only for known attacks, and not for attacks that have yet to be discovered.
● Protocol anomaly – Another approach to using firewalls with IDS features, protocol anomaly uses a “default deny” approach, which is a key security principle. Using this technique, protocol definitions are used to determine which content should be allowed. This differs from the approach of simply allowing all content that doesn’t match the signatures database, as occurs in the case of pattern or signature matching. The primary benefit of protocol anomaly is that it offers protection against unknown attacks.
● IPS solutions – Some IPS solutions implement DPI technologies. These solutions have similar functionality to in-line IDS, although they have the ability to block detected attacks in real-time. One of the biggest challenges in using this technique is the risk of false positives, which can be mitigated to some extent through the creation of conservative policies.
Some limitations exist with these and other DPI techniques, although vendors offer solutions aiming to eliminate the practical and architectural challenges through various means. Additionally, DPI solutions are now offering a range of other complimentary technologies such as VPNs, malware analysis, anti-spam filtering, URL filtering, and other technologies, providing more comprehensive network protection.
CHALLENGES OF DPI
No technology is perfect, and deep packet inspection is no exception. It has three distinct weaknesses:
1. Deep packet inspection is very effective in preventing attacks such as denial of service attacks, buffer overflow attacks, and even some forms of malware. But it can also be used to create similar attacks.
2. Deep packet inspection can make your current firewall and other security software you use more complicated and harder to manage. You need to be sure that you constantly update and revise deep packet inspection policies to ensure continued effectiveness.
3. Deep packet inspection can slow down your network by dedicating resources for your firewall to be able to handle the processing load.
Aside from privacy concerns and the inherent limitations of deep packet inspection, some concerns have arisen due to the use of HTTPS certificates and even VPNs with privacy tunneling. Some firewalls are now offering HTTPS inspections, which would decrypt the HTTPS-protected traffic and determine whether the content is permitted to pass through. However, deep packet inspection continues to be a valuable practice for purposes ranging from performance management to network analytics, forensics, and enterprise security.
GOVERNMENTAL USE OF DPI
In addition to using DPI for the security of their own networks, governments in North America, Europe, and Asia use DPI for various purposes such as surveillance and censorship.
Many of these programs are classified.
FCC adopts Internet CALEA requirements: The FCC, pursuant to its mandate from the U.S. Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet Access Providers to meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.
The Chinese government uses Deep Packet Inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent.
Chinese network ISPs use DPI to see if there is any sensitive keyword going through their network. If so, the connection will be cut. People within China often find themselves blocked while accessing Web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square protests and massacre of 1989, political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements as those materials were signed as DPI sensitive keywords already. China previously blocked all VoIP traffic in and out of their country but many available VOIP applications now function in China. Voice traffic in Skype is unaffected, although text messages are subject to filtering, and messages containing sensitive material, such as curse-words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites such as YouTube.com and various photography and blogging sites.
The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN) (a joint venture Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cell telephone company), now NSN is Nokia Solutions and Networks, according to a report in the Wall Street Journal in June, 2009, quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes.
DPI is not yet mandated in Russia. Federal Law №139 enforces blocking websites on the Russian Internet blacklist using IP filtering, but does not force ISPs into analyzing the data part of packets. Yet some ISPs still use different DPI solutions to implement blacklisting. For 2019, the governmental agency Roskomnadzor is planning a nationwide rollout of DPI after a pilot project in one of the country’s regions, at an estimated cost of 20 billion roubles (US$300M).
The city state reportedly employs deep packet inspection of Internet traffic.
The state reportedly employs deep packet inspection of Internet traffic, to analyze and block unallowed transit.
The incumbent Malaysian Government, headed by Barisan Nasional, was said to be using DPI against a political opponent during the run-up to the 13th general elections held on 5 May 2013.
The purpose of DPI, in this instance, was to block and/or hinder access to selected websites, e.g. Facebook accounts, blogs and news portals.
Since 2015, Egypt reportedly started to join the list which was constantly being denied by the Egyptian National Telecom Regulatory Authority (NTRA) officials. However, it came to news when the country decided to block the encrypted messaging app Signal as announced by the application’s developer.
In April 2017, all VOIP applications including FaceTime, Facebook Messenger, Viber, Whatsapp calls and Skype have been all blocked in the country.