Deep Packet Inspection
Summary
Traditionally, control and regulation of Internet traffic has been handled by a firewall on the router. A router, however, only inspects the header of an IP packet, which carries the source and destination addresses and the information needed for next-hop routing; the payload is passed through unread.
Deep Packet Inspection (DPI) is a technology that lets a service provider analyse network traffic in real time using the payload (the IP packet content), not merely the IP header. Packets are inspected against rules set by an enterprise, government or Internet service provider, and only packets that clear the inspection are allowed into the network. Encrypted traffic can be analysed only partially: the unencrypted parts of a session (such as the TLS handshake, including the Server Name Indication, and certificate fields) and traffic patterns (packet sizes, timing, flow volumes) remain visible, but the encrypted payload itself can be read only if the DPI device terminates the encryption as a man-in-the-middle proxy.
DPI can monitor traffic and prioritise, throttle, block or filter it according to policy. Mobile and broadband service providers widely deploy DPI analysers in their networks. Unless used judiciously, however, DPI can also lead to invasion of data privacy and other Internet governance issues.
Discussion
Why do we need Deep Packet Inspection?
DPI was initially intended to manage and safeguard Local Area Network users (universities, corporations and the like) from malicious software and viruses. The idea was to intercept malicious packets in real time, at a checkpoint before they reached end users. This was usually implemented as a firewall feature.
DPI, which is sometimes loosely equated with packet analysis, can be used in both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). In organizations whose remote users connect with their laptops for work, DPI is vital in keeping worms, spyware and viruses out of the corporate network.
DPI protects networks from spam, viruses, Distributed Denial of Service (DDoS) attacks and harmful or illegal content. It also supports regulatory requirements for lawful intercept, and parental or enterprise content control systems.
DPI allows governments and organizations to define their own rules and policies, so that the network can detect if there are prohibited uses of applications.
Another intended use is for network management such as ensuring a basic quality of service (QoS) for end-users and preventing network congestion due to trivial/spam content.
How does DPI work and what are its techniques?
Traditional packet analysis tools only scanned packets at the IP and TCP layers (layers 3 and 4), whereas DPI works at the Application layer (layer 7) of the OSI reference model.
There are two different approaches to packet capture for analysis: (1) continual, full-scale capture of all traffic, which requires high-speed processing and large storage arrays and is expensive; (2) on-demand capture, started only when a problem needs diagnosing (for example, missing or damaged packets).
DPI is actually a combination of several techniques:
- Flow Tracking: Determines which packets belong to the same flow between a source and destination computer. It's based on the 5-tuple identifier (SRC-IP, DEST-IP, SRC-PORT, DEST-PORT, PROTOCOL); a bidirectional flow is tracked by treating the two directions of the tuple as one connection.
- Pattern Matching: Multiple string patterns, coded as regular expressions or byte signatures, are matched against the packet payload. Because the match is on content rather than port number, the L7-filter classifier for Linux's Netfilter can classify packets as HTTP, Jabber, Citrix, BitTorrent, FTP, etc. regardless of the port in use.
- Statistical Analysis: Indicators (mean, variance) on absolute or relative packet sizes and flow rate per application, which can classify traffic whose payload carries no recognisable signature.
For network traffic monitoring, analysts from Gartner estimate that flow analysis should cover about 80% of the work and packet capture with probes about 20%.
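The three techniques above combined into a small working classifier, as an added example (not code from the original article or from any of the tools it names). Everything in it is assumed for illustration: the signature list, the drop-for-BitTorrent policy, the buffer size and the sample packets are all constructed. It also illustrates two practitioner points: encrypted traffic is only partly visible (only the plaintext TLS ClientHello is parsed, to pull out the SNI), and payload must be reassembled per direction before matching, otherwise a banner split across two TCP segments evades a per-packet signature.

```python
"""Added example of DPI building blocks: flow tracking on a canonical 5-tuple,
port-independent signature matching over reassembled payload, TLS SNI
extraction from the plaintext handshake, and per-flow size statistics.
Packets below are constructed inline; nothing touches the network."""
import re
import statistics
from collections import defaultdict

MAX_BUF = 1024  # bytes of reassembled payload inspected per direction (assumed)

# Port-independent application signatures, matched at the start of a stream.
SIGNATURES = [
    ("http", re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n|HTTP/1\.[01] \d{3} ")),
    ("ssh", re.compile(rb"SSH-[12]\.\d+-")),
    ("bittorrent", re.compile(rb"\x13BitTorrent protocol")),
]
# Hypothetical policy: verdict applied once a flow is classified.
POLICY = {"bittorrent": "drop"}


def tls_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello carrying a server_name extension."""
    name = hostname.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # host_name type
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                        # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type client_hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs           # record type handshake


def tls_sni(data):
    """Return the SNI hostname from a TLS ClientHello, or None.
    Only the unencrypted handshake is parsed; application data stays opaque."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        i = 43                                          # record(5)+hs(4)+version(2)+random(32)
        i += 1 + data[i]                                # session id
        i += 2 + int.from_bytes(data[i:i + 2], "big")   # cipher suites
        i += 1 + data[i]                                # compression methods
        end = i + 2 + int.from_bytes(data[i:i + 2], "big")
        i += 2
        while i + 4 <= end:
            etype = int.from_bytes(data[i:i + 2], "big")
            elen = int.from_bytes(data[i + 2:i + 4], "big")
            if etype == 0:                              # server_name extension
                nlen = int.from_bytes(data[i + 7:i + 9], "big")
                return data[i + 9:i + 9 + nlen].decode("ascii", "replace")
            i += 4 + elen
    except IndexError:
        pass                                            # truncated or malformed: no SNI
    return None


def flow_key(src_ip, dst_ip, sport, dport, proto):
    """Canonical 5-tuple so both directions of a connection share one flow."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (proto,) + (a + b if a <= b else b + a)


class Flow:
    def __init__(self):
        self.app, self.sni, self.sizes = "unknown", None, []
        self.buf = defaultdict(bytes)   # per-direction reassembly buffer


class Classifier:
    def __init__(self):
        self.flows = {}

    def feed(self, src_ip, dst_ip, sport, dport, proto, payload):
        """Track the packet's flow, classify it if still unknown, return a verdict."""
        flow = self.flows.setdefault(flow_key(src_ip, dst_ip, sport, dport, proto), Flow())
        flow.sizes.append(len(payload))
        d = (src_ip, sport)
        if flow.app == "unknown" and len(flow.buf[d]) < MAX_BUF:
            # Reassemble before matching: a signature split across TCP segments
            # (the SSH banner in the sample) is missed by per-packet matching.
            buf = flow.buf[d] = (flow.buf[d] + payload)[:MAX_BUF]
            for app, rx in SIGNATURES:
                if rx.match(buf):
                    flow.app = app
                    break
            else:
                sni = tls_sni(buf)
                if sni:
                    flow.app, flow.sni = "tls", sni
        return POLICY.get(flow.app, "allow")

    def report(self):
        return {k: {"app": f.app, "sni": f.sni, "packets": len(f.sizes),
                    "mean_size": statistics.mean(f.sizes),
                    "stdev_size": statistics.pstdev(f.sizes)}
                for k, f in self.flows.items()}


# Constructed traffic: (src_ip, dst_ip, sport, dport, proto, payload). Ports are
# deliberately non-standard to show that classification ignores them.
PACKETS = [
    ("10.0.0.5", "93.184.216.34", 51000, 8080, "tcp", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("93.184.216.34", "10.0.0.5", 8080, 51000, "tcp", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("10.0.0.5", "10.0.0.9", 51001, 2222, "tcp", b"SS"),                     # banner split in two
    ("10.0.0.5", "10.0.0.9", 51001, 2222, "tcp", b"H-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.7", "10.0.0.9", 51002, 6881, "tcp", b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x01" * 40),
    ("10.0.0.5", "1.1.1.1", 51003, 443, "tcp", tls_client_hello("www.example.org")),
]


def run(packets=PACKETS):
    """Feed packets through the classifier; return (per-flow report, per-packet verdicts)."""
    c = Classifier()
    verdicts = [c.feed(*p) for p in packets]
    return c.report(), verdicts


if __name__ == "__main__":
    for key, info in run()[0].items():
        print(key, info)
```

The statistics are kept per flow rather than per packet because that is what a real engine feeds into its statistical classifier; the TLS flow here ends up labelled by hostname even though nothing after the ClientHello could be read, which is exactly how far DPI gets on encrypted traffic without a terminating proxy.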
What's the architecture of DPI deployment in a network?
DPI engines are usually deployed inline with firewalls in routers, SDN elements and packet gateways. Offline packet analysis (on captured traffic) can also be performed for non-critical analysis.
DPI is a standard option in 4G LTE packet gateways (P-GW) and their 5G counterparts (UPF). For instance, the backbone network of an ISP could be a 40-Gb/s system served by four 10-Gb/s DPI modules.
In the dynamic service environment implied by cloud/SDN, DPI could be co-located with network devices (as software running in virtual switches) or placed in the control layer (in the controller between applications and switches); its high CPU requirement is the main constraint on where it can be placed. Real-time DPI analytics are fed into big data analytics packages, which helps service providers understand what end users are doing and shape service offerings accordingly.
Vendors validate performance with practical tests on real traffic in an ISP backbone. DPI devices are designed to handle thousands of transactions each second. Each packet is at most about 1500 bytes (the usual Ethernet MTU), so a single packet is not a heavy load; but inspecting every packet in real time adds latency overhead to the path.
What are the various other applications where DPI is used?
- Content Optimization: DPI can act as a proxy and modify content, reducing still/video image quality or reformatting web pages for mobile devices according to available bandwidth and device constraints, so that users get reasonable performance.
- Billing Applications: ISP use DPI to measure traffic volume and calibrate free and paid usages of network subscribers.
- Load Balancing: Redistribution of packet content to alternate servers in a load-balanced network to maintain uniform load across all deployed systems.
- User Behavior Analysis: Web/mobile applications can gauge subscriber behavior, assess what features are popular or which operations take too long, etc.
- Targeted Advertising: ISPs can inject advertisements into websites that match the assumed interests of the users according to their browsing habits.
- Copyright Enforcement: Automatically detect and block unauthorized sharing of music or video files on peer-to-peer platforms.
If DPI analyses content in real time, will it not slow down the network data transmission?
Many current DPI methods are resource intensive and costly, especially for high-bandwidth links. Because inspection happens in real time at line rate, it generally cannot be done on general-purpose processors or ordinary switches without hardware acceleration (FPGAs, network processors) or heavily optimised multi-core software.
DPI at line rate has become practical only in recent years, through advances in computer engineering and in pattern matching algorithms. Specialized routers can now perform DPI. Routers armed with a dictionary of application signatures can identify the purposes behind the LAN and Internet traffic they route. Repeat attacks by known viruses are caught by their signatures; new viruses, for which no signature exists yet, still pose a threat.
Interaction with legacy tools could also be a problem. Some firewalls simply aren't designed to support DPI, raising concerns about sudden performance drops or total failure of protective network systems.
In spite of these overheads, DPI is widely deployed because of the protection it offers against malicious or wasteful bandwidth usage by spam, viruses and malware. By blocking such spurious requests from untrustworthy clients, DPI devices save the network from unnecessary congestion and possible DDoS attacks.
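The "advances in pattern matching algorithms" mentioned above are mostly about multi-pattern matching: an engine holding thousands of signatures cannot afford one scan of the payload per signature. Below is an added example (not from the original article or any named product) of the Aho-Corasick automaton, the classic algorithm in this family, beside the naive one-scan-per-signature approach, with a step counter so the cost difference is visible. The signature list and the request payload are constructed for illustration.

```python
"""Added example: Aho-Corasick multi-pattern matching, the family of algorithms
that lets a DPI engine test a payload against many signatures in one pass
instead of one scan per signature. Signatures and payload are constructed."""
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: one automaton for all signatures."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte: next state}
        self.fail = [0]       # state -> state for the longest proper suffix seen so far
        self.out = [[]]       # state -> patterns that end in this state
        for p in patterns:
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(p)
        # Breadth-first pass computes failure links (depth-1 states fail to root).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]   # inherit suffix matches

    def search(self, data):
        """Return (hits, steps): hits as (offset, pattern); steps counts state moves."""
        s, hits, steps = 0, [], 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
                steps += 1
            s = self.goto[s].get(b, 0)
            steps += 1
            for p in self.out[s]:
                hits.append((i - len(p) + 1, p))
        return hits, steps


def naive_search(patterns, data):
    """One scan per signature: cost grows with the number of signatures."""
    hits, steps = [], 0
    for p in patterns:
        for i in range(len(data) - len(p) + 1):
            steps += 1
            if data[i:i + len(p)] == p:
                hits.append((i, p))
    return sorted(hits), steps


# Constructed signature set and a constructed (path traversal) HTTP request.
SIGNATURES = [b"\x13BitTorrent protocol", b"SSH-2.0-", b"GET /", b"HTTP/1.1",
              b"cmd.exe", b"/etc/passwd"]
PAYLOAD = b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"


def demo(patterns=SIGNATURES, data=PAYLOAD):
    """Run both matchers; return (sorted hits, automaton steps, naive steps)."""
    ac_hits, ac_steps = AhoCorasick(patterns).search(data)
    _, naive_steps = naive_search(patterns, data)
    return sorted(ac_hits), ac_steps, naive_steps


if __name__ == "__main__":
    hits, ac_steps, naive_steps = demo()
    print(hits)
    print(f"automaton steps: {ac_steps}, naive steps: {naive_steps}")
```

The automaton's step count is bounded by twice the payload length no matter how many signatures are loaded, whereas the naive count grows with every signature added; production engines build on the same idea (often in hardware, or with regex-to-automaton compilers) to stay at line rate.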
What are the negative consequences of DPI and how can misuse be prevented?
DPI is basically a packet sniffing technology applied to network traffic, enabling operators to monitor what is happening in real time. It was meant to be used for benevolent purposes such as managing bandwidth, lawful intercept, copyright enforcement and network security.
However, DPI may be controversial from a customer privacy and net-neutrality standpoint. ISPs often use DPI servers to inspect Internet traffic and identify which traffic they want to slow down or restrict. At its root, DPI helps operators regain control over a network that primarily carries third-party applications and services, by accurately identifying those applications in real time.
Privacy infringement, corporate snooping, governmental suppression of facts and news, and advertisement injection are some of the negative consequences of DPI. If an ISP sells streaming music, then OTT music applications are its competitors; the ISP can deliberately leave congestion unaddressed or degrade the performance of the competing service.
One way to bypass DPI is to use traffic obfuscators as standalone software. These can change traffic signatures to look like traffic that isn't normally blocked by DPI.
What are the common tools used for packet analysis in DPI?
Governments of certain countries use proprietary and sophisticated DPI tools for online information censoring. The Great Firewall of China is one such example. Such systems are implemented using a combination of flow analysers, filtering of certain IP ranges, flow redirection, URL filtering and man-in-the-middle techniques.
ntop, Netify Agent and libtins are open source utilities or toolkits written in C/C++.
Corporations and Internet Service Providers may choose among the commonly available DPI tools:
- Wireshark: A popular free and open-source packet analyser which can be configured for Intrusion Detection (ID). The tshark utility allows you to filter the contents of a pcap file from the command line to study network activity.
- Netfilter in Linux: With the L7-filter classifier extension, it classifies packets as HTTP, Jabber, Citrix, BitTorrent, FTP, etc., regardless of port.
- NetFlow from Cisco: Introduced on their routers to collect IP traffic information as traffic enters or exits an interface; the records can inform Access Control Lists. It consists of a flow collector and analyser. Note that NetFlow exports flow records (the 5-tuple plus byte and packet counters), not payloads, so it provides flow analysis rather than full DPI.
- SolarWinds NetFlow Traffic Analyzer: Network bandwidth monitoring (collection and analysis) tool. Free and paid versions available.
- Scrutinizer from Plixer: Can handle network flow analysis of Cisco and other vendors' network devices.
Milestones
Further Reading
- Brook, Chris. 2018. "What is Deep Packet Inspection? How It Works, Use Cases for DPI, and More." Digital Guardian, December 5. Accessed 2020-04-14.
- Wilson, Marc. 2019. "Deep Packet Inspection – A Look at What It Is, Tutorial & Software/Tools for DPI." PCWDLD.com, March 30. Accessed 2020-04-22.
- Cooper, Stephen. 2018. "Deep Packet Inspection (DPI) Guide Including 7 Best DPI Tools." Comparitech, March 1. Accessed 2020-04-22.
See Also
- IP Networking
- OSI Reference Model
- Network Security
- Denial of Service
- Extended Berkeley Packet Filter
- Data Analytics