Deep-packet inspection
   HOME

TheInfoList



OR:

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a
computer network A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ...
, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used to baseline application behavior, analyze network usage, troubleshoot network performance, ensure that data is in the correct format, check for malicious code,
eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
, and
internet censorship Internet censorship is the legal control or suppression of what can be accessed, published, or viewed on the Internet. Censorship is most often applied to specific internet domains (such as Wikipedia.org) but exceptionally may extend to all Inte ...
, among other purposes. There are multiple headers for IP packets; network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (such as TCP or UDP) is normally considered to be shallow packet inspection (usually called
stateful packet inspection In computing, a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature often used in ...
) despite this definition. There are multiple ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called
Span Port Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitor ...
) is a very common way, as well physically inserting a
network tap A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network. The network tap has (at least) three ports: an ''A port ...
which duplicates and sends the data stream to an analyzer tool for inspection. Deep Packet Inspection (and filtering) enables advanced network management, user service, and
security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
functions as well as internet data mining, eavesdropping, and
internet censorship Internet censorship is the legal control or suppression of what can be accessed, published, or viewed on the Internet. Censorship is most often applied to specific internet domains (such as Wikipedia.org) but exceptionally may extend to all Inte ...
. Although DPI has been used for Internet management for many years, some advocates of net neutrality fear that the technique may be used anticompetitively or to reduce the openness of the Internet. DPI is used in a wide range of applications, at the so-called "enterprise" level (corporations and larger institutions), in telecommunications service providers, and in governments.


Background

DPI technology boasts a long and technologically advanced history, starting in the 1990s, before the technology entered what is seen today as common, mainstream deployments. The technology traces its roots back over 30 years, when many of the pioneers contributed their inventions for use among industry participants, such as through common standards and early innovation, such as the following: * RMON * Sniffer * Wireshark Essential DPI functionality includes analysis of packet headers and protocol fields. For example, Wireshark offers essential DPI functionality through its numerous dissectors that display field names and content and, in some cases, offer interpretation of field values. Some security solutions that offer DPI combine the functionality of an intrusion detection system (IDS) and an Intrusion prevention system (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot catch events on their own that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability in blocking such an attack. DPIs are used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, denial-of-service attacks (DoS), sophisticated intrusions, and a small percentage of worms that fit within a single packet. DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model. In some cases, DPI can be invoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI functionality is invoked when a device looks or takes other action based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases. A classified packet may be redirected, marked/tagged (see quality of service), blocked, rate limited, and of course, reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.


At the enterprise level

Initially
security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
at the enterprise level was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out, and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously. Vulnerabilities exist at network layers, however, that are not visible to a stateful firewall. Also, an increase in the use of laptops in enterprise makes it more difficult to prevent threats such as viruses, worms, and spyware from penetrating the corporate network, as many users will connect the laptop to less-secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately-accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer to help combat those threats. Deep Packet Inspection is able to detect a few kinds of buffer overflow attacks. DPI may be used by enterprise for
Data Leak Prevention Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while ''in use'' (endpoint actions), ''in motion'' (network traffic), and ' ...
(DLP). When an e-mail user tries to send a protected file, the user may be given information on how to get the proper clearance to send the file.


At network/Internet service providers

In addition to using DPI to secure their internal networks, Internet service providers also apply it on the public networks provided to customers. Common uses of DPI by ISPs are
lawful intercept Lawful interception (LI) refers to the facilities in telecommunications and telephone networks that allow law enforcement agencies with court orders or other legal authorization to selectively wiretap individual subscribers. Most countries require ...
, policy definition and enforcement, targeted advertising, quality of service, offering tiered services, and copyright enforcement.


Lawful interception

Service providers are required by almost all governments worldwide to enable
lawful intercept Lawful interception (LI) refers to the facilities in telecommunications and telephone networks that allow law enforcement agencies with court orders or other legal authorization to selectively wiretap individual subscribers. Most countries require ...
capabilities. Decades ago in a legacy telephone environment, this was met by creating a
traffic access point The Communications Assistance for Law Enforcement Act (CALEA), also known as the "Digital Telephony Act," is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton (Pub. L. No. 103-414, 108 Stat. 4279, codified at 4 ...
(TAP) using an
intercepting proxy server In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a requ ...
that connects to the government's surveillance equipment. The acquisition component of this functionality may be provided in many ways, including DPI, DPI-enabled products that are "LI or CALEA-compliant" can be used – when directed by a court order – to access a user's datastream.


Policy definition and enforcement

Service providers obligated by the service-level agreement with their customers to provide a certain level of service and at the same time, enforce an acceptable use policy, may make use of DPI to implement certain policies that cover copyright infringements, illegal materials, and unfair use of bandwidth. In some countries the ISPs are required to perform filtering, depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads". Policies can be defined that allow or disallow connection to or from an IP address, certain protocols, or even heuristics that identify a certain application or behavior.


Targeted advertising

Because ISPs route the traffic of all of their customers, they are able to monitor web-browsing habits in a very detailed way allowing them to gain information about their customers' interests, which can be used by companies specializing in targeted advertising. At least 100,000 United States customers are tracked this way, and as many as 10% of U.S. customers have been tracked in this way. Technology providers include NebuAd
Front Porch
and Phorm. U.S. ISPs monitoring their customers include
Knology WideOpenWest (doing business as WOW!) is the sixth largest cable operator in the United States with their network passing 3,248,600 homes and businesses. The company offers landline telephone, cable television, and broadband Internet services ...
and Wide Open West. In addition, the United Kingdom ISP
British Telecom BT Group plc (trade name, trading as BT and formerly British Telecom) is a British Multinational corporation, multinational telecommunications holding company headquartered in London, England. It has operations in around 180 countries and is th ...
has admitted testing solutions from Phorm without their customers' knowledge or consent.


Quality of service

DPI can be used against net neutrality. Applications such as peer-to-peer (P2P) traffic present increasing problems for broadband service providers. Typically, P2P traffic is used by applications that do file sharing. These may be any kind of files (i.e. documents, music, videos, or applications). Due to the frequently large size of media files being transferred, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers using applications such as e-mail or Web browsing which use less bandwidth. Poor network performance increases customer dissatisfaction and leads to a decline in service revenues. DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call which requires low latency versus web browsing which does not. This is the approach that service providers use to dynamically allocate bandwidth according to traffic that is passing through their networks.


Tiered services

Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate " walled garden" services from "value added", "all-you-can-eat" and "one-size-fits-all" data services. By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor his offering to the individual subscriber and increase their average revenue per user (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.


Copyright enforcement

ISPs are sometimes requested by copyright owners or required by courts or official policy to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2, was given a court injunction and told it must block its customers from accessing The Pirate Bay, a launching point for BitTorrent. Instead of prosecuting file sharers one at a time, the
International Federation of the Phonographic Industry The International Federation of the Phonographic Industry (IFPI) is the organisation that represents the interests of the recording industry worldwide. It is a non-profit members' organisation registered in Switzerland and founded in Italy in 19 ...
(IFPI) and the big four record labels EMI,
Sony BMG Sony BMG Music Entertainment was an American record company owned as a 50–50 joint venture between Sony Corporation of America and Bertelsmann. The venture's successor, the revived Sony Music, is wholly owned by Sony, following their buyout o ...
, Universal Music, and Warner Music have sued ISPs such as
Eircom Eircom Limited, trading as Eir ( ; stylised eir), is a large fixed, mobile and broadband telecommunications company in Ireland. The now privatised company, which is currently incorporated in Jersey, traces its origins to the Ireland's former ...
for not doing enough about protecting their copyrights. The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their network, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America (MPAA) which enforces movie copyrights, has taken the position with the Federal Communications Commission (FCC) that network neutrality could hurt anti-piracy techniques such as deep packet inspection and other forms of filtering.


Statistics

DPI allows ISPs to gather statistical information about use patterns by user group. For instance, it might be of interest whether users with a 2Mbit connection use the network in a dissimilar manner to users with a 5Mbit connection. Access to trend data also helps network planning.


By governments

In addition to using DPI for the security of their own networks, governments in North America, Europe, and Asia use DPI for various purposes such as
surveillance Surveillance is the monitoring of behavior, many activities, or information for the purpose of information gathering, influencing, managing or directing. This can include observation from a distance by means of electronic equipment, such as c ...
and censorship. Many of these programs are classified.


China

The Chinese government uses deep packet inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent. Chinese network ISPs use DPI to see if there is any sensitive keyword going through their network. If so, the connection will be cut. People within China often find themselves blocked while accessing Web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square protests and massacre of 1989, political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements as those materials were signed as DPI sensitive keywords already. China previously blocked all VoIP traffic in and out of their country but many available VoIP applications now function in China. Voice traffic in Skype is unaffected, although text messages are subject to filtering, and messages containing sensitive material, such as curse-words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites such as YouTube.com and various photography and blogging sites.


Egypt

Since 2015, Egypt reportedly started to join the list which was constantly being denied by the Egyptian National Telecom Regulatory Authority (NTRA) officials. However, it came to news when the country decided to block the encrypted messaging app Signal as announced by the application's developer. In April 2017, all VoIP applications including FaceTime, Facebook
Messenger ''MESSENGER'' was a NASA robotic space probe that orbited the planet Mercury between 2011 and 2015, studying Mercury's chemical composition, geology, and magnetic field. The name is a backronym for "Mercury Surface, Space Environment, Geoche ...
, Viber, WhatsApp calls and Skype have been all blocked in the country. As of 2022, FaceTime, Facebook
Messenger ''MESSENGER'' was a NASA robotic space probe that orbited the planet Mercury between 2011 and 2015, studying Mercury's chemical composition, geology, and magnetic field. The name is a backronym for "Mercury Surface, Space Environment, Geoche ...
are unblocked.


Indonesia

The Indonesian Government via Telkom Indonesia, supported by Cisco Meraki DPI technology, do country wide surveillance, and map it into SSN/NIK(Nomor Induk Kependudukan) of its citizens that registered to the ISP. They use this for filtering porn, hates speech, and reducing tension in West Papua. In most of the case, these data always released to dark web by sub contractor that works for the gov. Indonesian Gov plan to scale up the surveillance to next level until 2030.


Iran

The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN) (a joint venture
Siemens Siemens AG ( ) is a German multinational conglomerate corporation and the largest industrial manufacturing company in Europe headquartered in Munich with branch offices abroad. The principal divisions of the corporation are ''Industry'', '' ...
AG, the German conglomerate, and Nokia Corp., the Finnish cell telephone company), now NSN is Nokia Solutions and Networks, according to a report in the ''Wall Street Journal'' in June, 2009, quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes". The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the ''Journal'', NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome. That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking, and other criminal activities carried out online, a capability that most if not all telecom companies have, he said.... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and data communication on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solution,' at the end of March, by selling it to Perusa Partners Fund 1 LP, a Munich-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business. The NSN system followed on purchases by Iran from
Secure Computing Corp. Secure Computing Corporation (SCC) was a public company that developed and sold computer security appliances and hosted services to protect users and data. McAfee acquired the company in 2008. The company also developed filtering systems us ...
earlier in the decade. Questions have been raised about the reporting reliability of the ''Journal'' report by David Isenberg, an independent Washington, D.C.-based analyst and Cato Institute Adjunct Scholar, specifically saying that Mr. Roome is denying the quotes attributed to him and that he, Isenberg, also had similar complaints with one of the same ''Journal'' reporters in an earlier story. NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran". A concurrent article in ''The New York Times'' stated the NSN sale had been covered in a "spate of news reports in April
009 009 may refer to: * OO9, gauge model railways * O09, FAA identifier for Round Valley Airport * 0O9, FAA identifier for Ward Field, see List of airports in California * British secret agent 009, see 00 Agent * BA 009, see British Airways Flight 9 * ...
including '' The Washington Times''," and reviewed censorship of the Internet and other media in the country, but did not mention DPI. According to Walid Al-Saqaf, the developer of the internet censorship circumventor
Alkasir Alkasir () is an internet censorship circumvention free software developed by Yemeni software developer Walid al-Saqaf. Al-Saqaf is the son of Yemeni investigative journalist Abdulaziz Al-Saqqaf who died under what The Guardian called "mysterious c ...
, Iran was using deep packet inspection in February 2012, bringing internet speeds in the entire country to a near standstill. This briefly eliminated access to tools such as
Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...
and Alkasir.February 14, 2012 "Breaking and Bending Censorship with Walid Al-Saqaf"
, an Interview wit
Arseh Sevom
Last viewed February 23, 2012.


Malaysia

The incumbent Malaysian government, headed by Barisan Nasional, was said to be using DPI against a political opponent during the run-up to the 13th general elections held on 5 May 2013. The purpose of DPI, in this instance, was to block and/or hinder access to selected websites, e.g. Facebook accounts, blogs and news portals.


Russian Federation

DPI is not yet mandated in Russia. Federal Law No.139 enforces blocking websites on the Russian Internet blacklist using IP filtering, but does not force ISPs into analyzing the data part of packets. Yet some ISPs still use different DPI solutions to implement blacklisting. For 2019, the governmental agency Roskomnadzor is planning a nationwide rollout of DPI after the pilot project in one of the country's regions, at an estimated cost of 20 billion roubles (US$300M). Some human rights activists consider Deep Packet inspection contrary to Article 23 of the Constitution of the Russian Federation, though a legal process to prove or refute that has never taken place.


Singapore

The city state reportedly employs deep packet inspection of Internet traffic.


Syria

The state reportedly employs deep packet inspection of Internet traffic, to analyze and block forbidden transit.


United States

FCC adopts Internet CALEA requirements: The FCC, pursuant to its mandate from the U.S. Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet Access Providers to meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S. The National Security Agency (NSA), with cooperation from AT&T Inc., has used Deep Packet Inspection to make internet traffic surveillance, sorting, and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) telephone call. Traffic associated with AT&T's Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T's switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to an affidavit by expert witness J. Scott Marcus, a former senior advisor for Internet Technology at the US Federal Communications Commission, the diverted traffic "represented all, or substantially all, of AT&T’s peering traffic in the San Francisco Bay area", and thus, "the designers of the…configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources primarily of domestic data". Narus's Semantic Traffic Analyzer software, which runs on IBM or
Dell Dell is an American based technology company. It develops, sells, repairs, and supports computers and related products and services. Dell is owned by its parent company, Dell Technologies. Dell sells personal computers (PCs), servers, data ...
Linux servers using DPI, sorts through IP traffic at 10Gbit/s to pick out specific messages based on a targeted e-mail address, IP address or, in the case of VoIP, telephone number. President
George W. Bush George Walker Bush (born July 6, 1946) is an American politician who served as the 43rd president of the United States from 2001 to 2009. A member of the Republican Party, Bush family, and son of the 41st president George H. W. Bush, he ...
and Attorney General Alberto R. Gonzales have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a
FISA The Foreign Intelligence Surveillance Act of 1978 ("FISA" , ) is a United States federal law that establishes procedures for the physical and electronic surveillance and the collection of "foreign intelligence information" between "foreign pow ...
warrant. The Defense Information Systems Agency has developed a sensor platform that uses Deep Packet Inspection.


Vietnam

Vietnam launched its network security center and required ISPs to upgrade their hardware systems to use deep packet inspection to block Internet traffic.


India

The Indian ISP Jio, which is also the largest network operator in India has been known to employ sophisticated DPI techniques like SNI-based filtering to enforce censorship.


Net neutrality

People and organizations concerned about
privacy Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The domain of privacy partially overlaps with security, which can include the concepts of a ...
or network neutrality find inspection of the content layers of the Internet protocol to be offensive, saying for example, "the 'Net was built on open access and non-discrimination of packets!" Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network services. Deep packet inspection is considered by many to undermine the infrastructure of the internet.


Encryption and tunneling subverting DPI

With increased use of HTTPS and privacy tunneling using VPNs, the effectiveness of DPI is coming into question. In response, many web application firewalls now offer ''HTTPS inspection'', where they decrypt HTTPS traffic to analyse it. The WAF can either terminate the encryption, so the connection between WAF and client browser uses plain HTTP, or re-encrypt the data using its own HTTPS certificate, which must be distributed to clients beforehand. The techniques used in HTTPS/SSL Inspection (also known as HTTPS/SSL Interception) are the same used by man-in-the-middle (MiTM) attacks It works like this: #Client wants to connect to https://www.targetwebsite.com #Traffic goes through Firewall or Security Product #Firewall works as
transparent Proxy In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a request ...
#Firewall Creates
SSL Certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
signed by its own "CompanyFirewall CA" #Firewall presents this "CompanyFirewall CA" Signed Certificate to Client (not the targetwebsite.com Certificate) #At the same time the Firewall on its own connects to https://www.targetwebsite.com #targetwebsite.com Presents its Officially Signed Certificate (Signed by a Trusted CA) #Firewall checks Certificate Trust chain on its own #Firewall now works as Man-in-the-middle. #Traffic from Client will be decrypted (with Key Exchange Information from Client), analysed (for harmful traffic, policy violation or viruses), encrypted (with Key Exchange Information from targetwebsite.com) and sent to targetwebsite.com #Traffic from targetwebsite.com will also be decrypted (with Key Exchange Information from targetwebsite.com), analysed (like above), encrypted (with Key Exchange Information from Client) and sent to Client. #The Firewall Product can read all information exchanged between SSL-Client and SSL-Server (targetwebsite.com) This can be done with any TLS-Terminated connection (not only HTTPS) as long as the firewall product can modify the TrustStore of the SSL-Client


Infrastructure security

Traditionally the mantra which has served ISP well has been to only operate at layer 4 and below of the OSI model. This is because simply deciding where packets go and routing them is comparably very easy to handle securely. This traditional model still allows ISPs to accomplish required tasks safely such as restricting bandwidth depending on the amount of bandwidth that is used (layer 4 and below) rather than per protocol or application type (layer 7). There is a very strong and often ignored argument that ISP action above layer 4 of the OSI model provides what are known in the security community as 'stepping stones' or platforms to conduct man in the middle attacks from. This problem is exacerbated by ISP's often choosing cheaper hardware with poor security track records for the very difficult and arguably impossible to secure task of Deep Packet Inspection.
OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...
's packet filter specifically avoids DPI for the very reason that it cannot be done securely with confidence. This means that DPI dependent security services such as TalkTalk's former HomeSafe implementation are actually trading the security of a few (protectable and often already protectable in many more effective ways) at a cost of decreased security for all where users also have a far less possibility of mitigating the risk. The HomeSafe service in particular is opt in for blocking but its DPI cannot be opted out of, even for business users.


Software

nDPI
(a fork from OpenDPI which is
EoL EOL or Eol may refer to: * Encyclopedia of Life, a freely-accessible, online collaborative bio-encyclopedia * End-of-life (product), a term used with respect to terminating the sale or support of goods and services * End-of-line, a special charact ...
by the developers of ntop) is the
open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...
version for non-
obfuscated Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language. The obfuscation might be either unintentional or intentional (although intent u ...
protocol Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technology ...
s. PACE, another such engine, includes obfuscated and encrypted protocols, which are the types associated with Skype or encrypted BitTorrent. As OpenDPI is no longer maintained, an OpenDPI-fork named nDPI has been created, actively maintained and extended with new protocols including Skype, Webex, Citrix and many others. L7-Filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets such as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP,
Gnucleus GnucDNA was a software library for building peer-to-peer applications. It provides developers with a common layer to create their own Gnutella or Gnutella2 client or network. As a separate component, GnucDNA can be updated independently of the cli ...
, eDonkey2000, and others. It classifies streaming, mailing, P2P, VoIP, protocols, and gaming applications. The software has been retired and replaced by the open source Netify DPI Engine. Hippie (Hi-Performance Protocol Identification Engine) is an open source project which was developed as Linux kernel module. It was developed by Josh Ballard. It supports both DPI as well as firewall functionality. SPID (Statistical Protocol IDentification) project is based on
statistical analysis Statistical inference is the process of using data analysis to infer properties of an underlying distribution of probability.Upton, G., Cook, I. (2008) ''Oxford Dictionary of Statistics'', OUP. . Inferential statistical analysis infers propertie ...
of network flows to identify application traffic. The SPID algorithm can detect the application layer protocol (layer 7) by signatures (a sequence of bytes at a particular offset in the handshake), by analyzing flow information (packet sizes, etc.) and payload statistics (how frequently the byte value occurs in order to measure entropy) from pcap files. It is just a proof of concept application and currently supports approximately 15 application/protocols such as eDonkey
Obfuscation Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language. The obfuscation might be either unintentional or intentional (although intent u ...
traffic, Skype UDP and TCP, BitTorrent, IMAP, IRC,
MSN MSN (meaning Microsoft Network) is a web portal and related collection of Internet services and apps for Windows and mobile devices, provided by Microsoft and launched on August 24, 1995, alongside the release of Windows 95. The Microsoft Net ...
, and others. Tstat (TCP STatistic and Analysis Tool) provides insight into traffic patterns and gives details and statistics for numerous applications and protocols. Libprotoident introduces Lightweight Packet Inspection (LPI), which examines only the first four bytes of payload in each direction. That allows to minimize privacy concerns, while decreasing the disk space needed to store the packet traces necessary for the classification. Libprotoident supports over 200 different protocols and the classification is based on a combined approach using payload pattern matching, payload size, port numbers, and IP matching. A
French French (french: français(e), link=no) may refer to: * Something of, from, or related to France ** French language, which originated in France, and its various dialects and accents ** French people, a nation and ethnic group identified with Franc ...
company called
Amesys Bull SAS (also known as Groupe Bull, Bull Information Systems, or simply Bull) is a French computer company headquartered in Les Clayes-sous-Bois, in the western suburbs of Paris. The company has also been known at various times as Bull General El ...
, designed and sold an intrusive and massive internet monitoring system ''Eagle'' to
Muammar Gaddafi Muammar Muhammad Abu Minyar al-Gaddafi, . Due to the lack of standardization of transcribing written and regionally pronounced Arabic, Gaddafi's name has been romanized in various ways. A 1986 column by ''The Straight Dope'' lists 32 spellin ...
.


Comparison

A comprehensive comparison of various network traffic classifiers, which depend on Deep Packet Inspection (PACE, OpenDPI, 4 different configurations of L7-filter, NDPI, Libprotoident, and Cisco NBAR), is shown in the Independent Comparison of Popular DPI Tools for Traffic Classification.


Hardware

There is a greater emphasis being placed on deep packet inspection - this comes in light after the rejection of both the SOPA and
PIPA The pipa, pípá, or p'i-p'a () is a traditional Chinese musical instrument, belonging to the plucked category of instruments. Sometimes called the "Chinese lute", the instrument has a pear-shaped wooden body with a varying number of frets rang ...
bills. Many current DPI methods are slow and costly, especially for high bandwidth applications. More efficient methods of DPI are being developed. Specialized routers are now able to perform DPI; routers armed with a dictionary of programs will help identify the purposes behind the LAN and internet traffic they are routing. Cisco Systems is now on their second iteration of DPI enabled routers, with their announcement of the CISCO ISR G2 router.Application Visibility and Control. (n.d.). In Cisco Systems
/ref>


See also

* Common carrier *
Data Retention Directive The Data Retention Directive (Directive 2006/24/EC), a directive, later declared invalid by the European Court of Justice, was at first passed on 15 March 2006 and regulated data retention, where data has been generated or processed in connect ...
*
Deep content inspection Deep content inspection (DCI) is a form of network filtering that examines an entire file or MIME object as it passes an inspection point, searching for viruses, spam, data loss, key words or other content level criteria. Deep Content Inspection i ...
*
ECHELON ECHELON, originally a secret government code name, is a surveillance program (signals intelligence/SIGINT collection and analysis network) operated by the five signatory states to the UKUSA Security Agreement:Given the 5 dialects that use ...
*
Firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...
*
Foreign Intelligence Surveillance Act The Foreign Intelligence Surveillance Act of 1978 ("FISA" , ) is a United States federal law that establishes procedures for the physical and electronic surveillance and the collection of "foreign intelligence information" between "foreign po ...
*
Golden Shield The Golden Shield Project (), also named National Public Security Work Informational Project, is the Chinese nationwide network-security fundamental constructional project by the e-government of the People's Republic of China. This project in ...
* Intrusion prevention system * Network neutrality * NSA warrantless surveillance controversy * Packet analyzer * Stateful firewall *
Theta Networks Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is of ...
* Wireshark


References


External links


What is "Deep Inspection"?
by
Marcus J. Ranum Marcus J. Ranum (born November 5, 1962, in New York City, New York, United States) is a computer and network security researcher. He is credited with a number of innovations in firewalls, including building the first Internet email server for t ...
. Retrieved 10 December 2018.
A collection of essays from industry expertsWhat Is Deep Packet Inspection and Why the ControversyWhite Paper "Deep Packet Inspection – Technology, Applications & Net Neutrality"Egypt's cyber-crackdown aided by US Company
- DPI used by Egyptian government in recent internet crackdown
Deep Packet Inspection puts its stamp on an evolving InternetDeep Packet Inspection Using Quotient Filter
{{DEFAULTSORT:Deep Packet Inspection Deep packet inspection Computer network security Internet censorship in China Internet censorship Internet privacy Net neutrality Packets (information technology)