You get a bonus - 1 coin for daily activity. Now you have 1 coin

Deep packet inspection DPI - filtering technology of network packets by their contents

Lecture



 

Deep Packet Inspection (abbr. DPI , also complete packet inspection and Information eXtraction or IX ) is a technology for accumulating statistical data, checking and filtering network packets by their content. Unlike firewalls, Deep Packet Inspection analyzes not only packet headers, but also the full content of traffic at the OSI model levels from the second and higher. Deep Packet Inspection is able to detect and block viruses, filter information that does not meet specified criteria.

Deep Packet Inspection can make a decision not only on the contents of the packets, but also on indirect signs inherent in some specific network programs and protocols. For this, statistical analysis can be used (for example, statistical analysis of the frequency of meeting certain characters, the length of a packet, etc.).

There are several ways to purchase packages for deep inspection of packages. Using port mirroring (sometimes called Span Port) is a very common method, as well as an optical splitter.

Deep Packet Inspection (and filtering) allows advanced network management, user service and security features, as well as Internet data mining, eavesdropping and Internet censorship. Although DPI technology has been used to control the Internet for many years, some proponents of net neutrality fear that this technology may be used anticompetitively or reduce the openness of the Internet.  

DPI is used in a wide range of applications, in the so-called “enterprise” level (corporation and large institutions), in telecommunication service providers, and also in governments.  

content

  • 1 Background
  • 2At the enterprise level
  • 3V network / Internet service providers
    • 3.1A real interception
    • 3.2 Definition and application of policies
    • 3,3 Targeted Advertising
    • 3.4 Service Quality
    • 3,5 tiers services
    • 3.6 copyright observance
    • 3.7Statistics
  • 4 Government
    • 4.1United States
    • 4.2China
    • 4.3 Iran
    • 4.4Russia Federation
    • 4.5 Singapore
    • 4.6 Syria
    • 4.7 Malaysia
    • 4.8Egypt
  • 5 Pure Neutrality
  • 6 DPI encryption and tunneling
  • 7security infrastructure
  • 8Software
    • 8.1Comparison
  • 9Equipment

Prerequisites

DPI combines intrusion detection system (IDS) and intrusion prevention system (IPS) functionality with a traditional firewall. [4] This combination can detect some attacks that neither IDS / IPS nor the firewall can catch on its own. Firewalls, while able to see the beginning and end of a packet flow, cannot intercept events on their own, which would be beyond the boundaries for a particular application. While IDS systems can detect intruders, they have very little ability to block such an attack. STIs are used to prevent attacks from viruses and worms at wire speed. More specifically, DPI can be effective against attacks against buffer overflow, denial of service (DoS), complex intrusions, and a small percentage of worms that fit within a single packet.

DPI devices have the ability to look at Layer 2 and beyond Level 3 in the OSI model. In some cases, DPI can be used to view through the Layer 2-7 OSI model. This includes the headers and data structures of the protocol, as well as the message payload. DPI functionality is called when a device takes on a form or other actions based on information beyond the 3rd level of the OSI model. DPI can identify and classify traffic based on the signature database, which includes information extracted from a portion of the packet data, which allows control more subtle than classifications, based only on header information. Endpoints can use encryption methods and obfuscation to avoid DPI actions in many cases.

A classified packet can be redirected, marked / flagged (see quality of service), blocked, speed limited, and, of course, the agent reports on the network. Thus, HTTP errors of various classifications can be identified and transmitted for analysis. Many DPI devices can identify packet flows (and not packet by packet analysis), allowing control actions based on the accumulated flow information.

At the enterprise level

Initially, enterprise-level security was only the perimeter of the discipline, with the dominant philosophy of keeping unauthorized users from and protecting authorized users from the outside world. The most commonly used tool to accomplish this was the firewall. This can allow detailed access control from the outside world with a predetermined direction of the internal network, as well as allowing access back to other hosts only if a request to the outside world was made earlier.  

Vulnerabilities exist at network levels, however, are not visible to the firewall. In addition, increasing the use of enterprise laptops makes it more difficult to prevent threats, such as viruses, worms, and spyware from entering the corporate network, as many users will connect the laptop to less secure networks, such as home broadband or wireless networks. in public places. Firewalls also do not distinguish the allowed and prohibited types of use of legitimate access to applications. DPI allows IT administrators and security personnel to set policies and apply them at all levels, including applications and user levels, to help combat these threats.

Deep Packet Inspection can detect several types of attack buffer overflows.

DPI can be used by an enterprise to prevent data leakage (DLP). When an email user tries to send a protected file, the user can be given information on how to get proper permission to transfer the file.  

On the network / Internet providers

In addition to using DPI to protect its internal networks, Internet service providers also apply this technology to public networks provided to customers. The common uses of DPI by the LNPA are legal intercept, policy definition and law enforcement, targeted advertising, quality of service, offering multi-level services, as well as copyright authorities.

Legal interception

Service providers need almost all governments around the world in order to legitimate opportunities to intercept. Decades ago in a legacy telephony environment, this was met by creating a traffic access point (TAP) using a snooping proxy - a server that connects to government surveillance equipment. This is not possible in modern digital networks. The acquisition component of this feature can be provided in various ways, including DPI, DPI-enabled products that are "LI or CALEA -compliant" can be used - when authorized in court - to access user data flow.  

Policy Definition and Application

Service providers obligated by their customers' service level agreement to provide a certain level of service and at the same time enforce acceptable use policies, can use DPI to implement certain policies that cover copyright infringement, illegal materials, and unfair use of the band bandwidth. In some countries, Internet service providers are required to perform filtering, depending on the laws of the country. DPI allows service providers to “easily know the packets of information you receive online from email, web sites to share music, videos and software downloads.”   Policies can be defined that allow or deny a connection either from an IP address, specific protocols, or even heuristics that identify a specific application or behavior.

Targeted advertising

Because the ISP routes the traffic of all its customers, they can control the web browsing habits in great detail, allowing them to obtain information about the interests of their customers, which can be used by companies that specialize in targeted advertising. At least 100,000 US customers are tracked this way, and as many as 10% of US customers are tracked that way. Technology providers include NebuAd, Front Porch and Phorm. American Internet providers monitoring their customers include, Knology, [10] and the Wide Open West. In addition, the United Kingdom ISP, British Telecom, recognized testing technology from Phorm without the knowledge or consent of its customers.

Quality of service

DPI can be used against network neutrality.

Applications such as peer-to-peer (P2P) traffic present an increase in problems for broadband service providers. Typically, P2P traffic is used by applications that share files. They can be any type of file (i.e. documents, music, video, and applications). Due to the often large size of media files that are transferred, P2P drives increase the traffic load, requiring additional network bandwidth. Service providers say a minority of users generate a large amount of P2P traffic and reduce performance for most broadband subscribers using applications such as email or browsing the web that uses less bandwidth.   Poor network performance increases customer dissatisfaction and leads to lower service revenues.

DPI allows operators to reassess their available bandwidth, while ensuring a uniform allocation of bandwidth for all users, preventing network congestion. In addition, a higher priority can be allocated to VoIP or video conferencing call, which requires a short delay time compared to a web browser that does not. This approach is what service providers use to dynamically allocate bandwidth based on traffic passing through their networks.

Other vendors claim that DPI is ineffective against P2P and that other bandwidth control methods are more efficient.

Multi Level Services

Mobile and broadband service providers use DPI as a means to implement multi-level service plans, differentiate between “wall garden” services from “value added”, “all you can eat” and “one size fits all” data services,   Being able to charge for a “walled garden”, in the application, for the service, or “all you can eat” and not “all one size fits” the package, the operator can adapt it by offering to an individual subscriber and increase the average income from one subscriber ( ARPU ). A policy is created for a user or a group of users, and the DPI system, in turn, enforces this policy by allowing the user access to various services and applications.

Copyright performance

Internet providers sometimes request copyright holders or require courts or official policies to help ensure copyright compliance. In 2006, one of Denmark’s largest Internet service providers, Tele2, was given a court order and was told that it should block access to The Pirate Bay to its customers at the launch point for BitTorrent. [14] Instead of chasing the file distributors one at a time, [15] The International Federation of the Recording Industry (IFPI) and the big four recordings of EMI, Sony BMG, Universal Music and Warner Music began to be sued by the OIMR, as Eircom did not do enough about protection their copyright. [16] IFPI wants Internet providers to filter traffic for deletion illegally downloaded and download copyrighted material from its network, despite the European Directive 2000/31 / EC, it is clear that Internet providers cannot be placed under a general obligation to control information which they transmit, and Directive 2002/58 / EC on granting the right to privacy of communications to European citizens. The Motion Picture Association of America (MPAA), which introduces copyright to cinema, on the other hand, has taken a position with the Federal Communications Commission (FCC) that network neutrality can damage anti-piracy technologies, such as in-depth packet analysis and other forms of filtering.

Statistics

DPI allows providers to collect statistical information on usage patterns by user group. For example, it may be interesting if users with a 2 Mbit connection can use the network in a different way for users with a 5 Mbit connection. Access to this trend also helps network planning.  

Governments

In addition to using DPI to secure their networks, governments in North America, Europe, and Asia use DPI for various purposes, such as monitoring and censoring. Many of these programs are classified.  

USA

The FCC accepts Kahl's Internet requirements: The FCC, in accordance with its mandate to the United States Congress, and in accordance with the policies of most countries, has demanded that all telecommunications providers, including Internet services, are able to support the execution of a court order to ensure that real-time forensic examination of communication of specified users. In 2006, the FCC adopted a new name 47, subsection Z, the rules requiring access by Internet providers meet these requirements. DPI was one of the platforms required to meet this requirement and was deployed for this purpose throughout the United States.

National Security Agency (NSA), in collaboration with AT & T Inc. , used Packet Inspection deep technology to make surveillance of Internet traffic, sorting and forwarding more intelligent. DPI is used to search for which packets are carried by email or voice over IP (VoIP) phone call.   The traffic associated with AT & T's common backbone network was “split” between the two fibers, dividing the signal so that 50 percent of the signal power went to each output fiber. One of the output fibers were sent to a secure room; other communications performed on AT & T's switching equipment. The protected room contained Narus traffic analyzers and logical servers; Narus claims that such devices are capable of collecting real-time data (recording data for review) and capture at 10 gigabits per second. Certain traffic was selected and sent on a dedicated line in the “center” for analysis. According to affdavit witness expert J Scott Marcus, a former senior Internet technology adviser at the Federal Communications Commission, the diverted traffic "presents all, or almost all, looking at AT & T traffic in the San Francisco Bay area," and thus, "the designers ... the configuration did not make any attempts, from the point of view of the location or position of the separation of the fibers, to exclude data sources consisting mainly of internal data. " Narus Semantic Traffic Analyzer software, which runs on IBM or Dell Linux servers using DPI technology, sorts 10 Gbps IP traffic to select specific messages based on targeted email, IP address or, in the case of VoIP, phone number. [21] President George W. Bush and Attorney General Alberto Gonzales argued that they believe that the President has the right to order secret interceptions of telephone and email exchanges between people within the United States and their contacts abroad without receiving a FISA warrant. [22]

The Defense Information Systems Agency has developed a sensor platform that uses Deep Packet Inspection.  

China

The Chinese government uses deep packet analysis to monitor and censor network traffic and content, which it claims is detrimental to Chinese citizens or government interests. This material includes pornography, information about religion, and political dissent. [24] Chinese network providers use DPI to see if there are any sensitive keywords passing through their network. If so, the connection will be. People in China are often blocked by accessing websites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, in a protest rally in Tiananmen Square and the 1989 massacre, political parties that oppose the ruling Communist Party, or a variety of anti-communist movements   Since these materials have been signed by DPI sensitive keywords already. China has previously blocked all VoIP traffic to and from its country [26] , but many of the available IP telephony applications now work in China. Skype voice traffic is not affected, although text messages may be DPI, and messages containing sensitive material, such as word curses, are simply not delivered, without notice provided by either the participant in the conversation. China also blocks visual media sites such as YouTube.com and various photos and blogs. 

High ranking websites blocked in China using Deep Packet Inspection
Alexa Rank Web site Domain URL category Main language
6 Wikipedia wikipedia.org www.wikipedia.org Censorship-free encyclopedia English
one Google google.com www.google.com World Wide Internet Search Engine English
one Google Encrypted google.com encrypted.google.com Search English
2 facebook facebook.com www.facebook.com Social network English
3 YouTube youtube.com www.youtube.com video English
24693 Openvpn openvpn.net www.openvpn.net Avoid political censorship on the Internet. English
33553 Strong VPN strongvpn.com www.strongvpn.com Avoid political censorship on the Internet. English
78873 Falun Dafa falundafa.org www.falundafa.org spiritual English
1413995 Vpn coupons vpncoupons.com www.vpncoupons.com Avoid political censorship on the Internet. English
2761652 ElephantVPN elephantvpn.com www.elephantvpn.com Avoid political censorship on the Internet. English

Iran

Иранское правительство приобрело систему, как сообщается , для глубокой инспекции пакетов, в 2008 году от компании Nokia Siemens Networks (NSN) (совместное предприятие Siemens AG, немецкий конгломерат, и Nokia Corp., финский сотовый телефон компании), теперь NSN является Nokia Solutions и сети, согласно сообщению в Wall Street Journal в июне 2009 года, цитируя пресс - секретарь NSN Бен Рум. По словам неназванных экспертов , упомянутых в статье, система «позволяет властям не только блокировать связь , но контролировать его , чтобы собрать информацию о людях, а также изменить его в целях дезинформации.»

Система была приобретена инфраструктурой Ко электросвязи, часть иранского правительства телекоммуникационной монополии. По данным журнала , НСН « в прошлом году предоставил оборудование в Иран в соответствии с международно признанной концепции„законного перехвата“ , сказал г - н Roome. Это относится к перехвату данных для целей борьбы с терроризмом, детской порнографии, незаконного оборота наркотиков и другой преступной деятельность , осуществляемые в Интернете, возможность , что большинство , если не все телекоммуникационные компании, сказал он .... центр мониторинга, Nokia Siemens Networks продала Ирану был описан в брошюре компании , как позволяет «мониторинг и перехват всех типов голоса и передачи данных во всех сетях. Совместное предприятие вышло из бизнеса , который включал оборудование для мониторинга, что это называется «разведка решения,» в конце марта, продавая его Perusa [28]Partners Foundation 1 LP, a Munich based investment firm, Mr Roome said. according to him, the company decided that it was no longer part of its core business ..

The NSN system followed Iran’s purchases from Secure Computing Corp. at the beginning of the decade. 

Были подняты вопросы о достоверности отчетности в журнале отчета Дэвид Айзенберг, независимый Вашингтон аналитик -На и Cato Institute адъюнкт Scholar, в частности о том , что г - н Roome отрицает цитаты , приписываемые ему , и что он, Айзенберг, также были подобные жалобы одного из тех же журнальных репортеров в более ранней истории.   NSN издал следующее опровержение: NSN «не предоставило инспекции глубокого пакета, веб - цензуру или фильтрацию интернет возможности Ирана.» Параллельная статья в The New York Times сказал , что продажа NSN была покрыта в «волна новостей в апреле [2009], в том числе The Washington Times » , и рассмотрел цензуру Интернета и других средств массовой информации в стране, но не говоря уже о DPI.  

По словам Валида аль-Saqaf, разработчик интернет - цензуры Circumventor Alkasir , Иран с помощью глубокого анализа пакетов в феврале 2012 года , в результате чего скорость интернета во всей стране практически остановился. Это кратко устранен доступ к инструментам , таким как Tor и Alkasir. [33]

Россия Федерация

Некоторые правозащитники считают глубокой инспекции пакетов вопреки статье 23 Конституции Российской Федерации , хотя судебный процесс , чтобы доказать или опровергнуть , что никогда не произошло.

Singapore

Состояние города сообщается , использует глубокую проверку пакетов интернет - трафика.  

Syria

Государство как сообщается, использует глубокую проверку пакетов интернет-трафика, анализировать и блокировать запрещенный транзит.

Malaysia

Действующий правительство Малайзии во главе с Barisan Насиональ, было сказано использовать DPI против политического противника в ходе подготовки к 13-й всеобщих выборов, состоявшихся 5 мая 2013 года.

Цель DPI, в данном случае, должен был блокировать и / или препятствовать доступу к выбранным веб - сайты, например , Facebook счета, блоги и новостные порталы.  

Egypt

С 2015 года Египет по сообщениям начал присоединиться к списку , который постоянно отказывают в египетскими Национальный Телеком регулирующий орган (NTRA) должностных лиц. Однако он пришел к новостям , когда страна решила заблокировать зашифрованное приложение для обмена сообщениями сигнала , как было объявлено разработчиком приложения. [38]

В апреле 2017 года, все заявки VOIP , включая FaceTime, Facebook Messenger, Viber, WhatsApp звонки и Skype были все заблокированные в стране.  

Net нейтральность

Люди и организации , занимающиеся вопросами о конфиденциальности или сетевой нейтральности находят инспекции слоев содержания протокола Интернет оскорбительными, ] говорят, например, «инет был построен в открытом доступе и недискриминации пакетов!»   Критика правил сетевого нейтралитета, тем временем, называют их «решением в поисках проблемы» и говорит , что чистые правила нейтралитета приведет к снижению стимулов для модернизации сетей и запуска сети нового поколения услуг.  

Глубокий осмотр пакета, по мнению многих , чтобы подорвать инфраструктуры Интернета.  

Шифрование и туннелирование - подрыв DPI

With the increased use of HTTPS and privacy of tunneling using VPN technology, the effectiveness of DPI comes to the question.  


Security Infrastructure

Traditionally, the mantra that served as a good provider was to work only on layer 4 and below of the OSI model. This is because it is easy to decide where the packets go, and their routing is relatively very easy and safe to handle. This traditional model still allows the provider to perform necessary tasks safely, such as limiting bandwidth depending on the amount of bandwidth that is used (layer 4 and below), and not according to protocol or application type (layer 7). There is a very strong and often ignored argument that ISP action over layer 4 of the OSI model provides what is known in security society as “stairs” or platforms of human behavior in the middle of attacks from the side. This problem is exacerbated by often choosing cheaper provider hardware with poor security credentials for very complex and it may not be possible to provide the task of deep packet inspection.

OpenBSD's packet filter “s specifically avoids DPI for the reason that it cannot be done reliably with confidence.

This means that a DPI service depends on security, such as HomeSafe TalkTalk actually sells several security (protected and often already protected in other more efficient ways) at a cost of reduced security for all, where users also have a much lower probability of mitigating the risk. The HomeSafe service, in particular, is select in blocking, but this DPI cannot be chosen from, even for business users.

Software

NIPI (OpenDPI plug   which is EOL by the developers of ntop) is an open source version for non-confusing protocols. Pace, another such engine, includes shaded and encrypted protocols, which are types associated with Skype or encrypted BitTorrent. As OpenDPI is no longer supported, OpenDPI forks the name of NIPI   was created, actively supported and expanded by new protocols, including Skype, Webex, Citrix and many others.

The L7 filter is a classifier for Netfilter Linux that identifies packages based on application level data.   It can classify packages such as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, and others. It classifies streaming, mailing, P2P, VOIP, protocols and gaming applications.

Hippie (Hi-Performance Engine Identification Protocol) is an open source project that was developed as a module for the Linux kernel. It was designed by Josh Ballard. It supports both DPI as well as firewall functionality.

The COI project (Statistical Identification Protocol) is based on a statistical analysis of a network of streams to identify application traffic.   The COI algorithm can detect the application layer protocol (layer 7) by analyzing the flow (packet sizes, etc.) and payload statistics (byte values, etc.) from PCAP files. This is just proof of the concept of application and currently supports about 15 applications / protocols, such as Edonkey traffic obfuscation, Skype UDP and TCP, BitTorrent, IMAP, IRC, MSN, and others.

TSTAT (TCP STATISTIC and Analysis Tool) provides insight into traffic patterns and provides detailed information and statistics for numerous applications and protocols.  

Libprotoident introduces Lightweight Packet Inspection (LPI), which considers only the first four bytes of the payload in each direction. This minimizes privacy concerns, while reducing the disk space required to store the packet traces needed for classification. Libprotoident supports more than 200 different protocols and the classification is based on a combined approach using sample payload, payload size, port numbers and IP negotiation.  

The French company, Amesys, designed and sold the intrusive and massive Internet monitoring system, called Eagle , by Muammar Gaddafi.  

Comparison

A comprehensive comparison of various network traffic classifiers that depend on deep packet analysis (PASA, OpenDPI, 4 different configurations of L7-filter, MET, Libprotoident and Cisco NBAR) is shown in the independent Comparison of the Popular DPI Tools for Traffic Classification

Equipment

There is a greater emphasis on deep packet analysis - this happens in the lungs after giving up on both SOPA and PIPA accounts. Many modern DPI methods are slow and expensive, especially for high bandwidth applications. More efficient DPI methods are currently being developed. Dedicated routers can now perform DPI; Armed with a vocabulary of programs, routers can help identify the underlying objectives of the local network and the Internet traffic they route. Cisco Systems is currently on their second iteration of the DPI enabled routers, with their announcement of the Cisco ISR G2 router.


Comments


To leave a comment
If you have any suggestion, idea, thanks or comment, feel free to write. We really value feedback and are glad to hear your opinion.
To reply

Cryptanalysis, Types of Vulnerability and Information Protection

Terms: Cryptanalysis, Types of Vulnerability and Information Protection