Deep packet inspection
Deep Packet Inspection (DPI) (also called complete packet inspection and Information eXtraction - IX -) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination, or, for the purpose of collecting statistical information. There are multiple headers for IP packets; network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (TCP, UDP etc.) is normally considered to be shallow packet inspection (usually called Stateful Packet Inspection) despite this definition.
Deep Packet Inspection (and filtering) enables advanced network management, user service, and security functions as well as internet data mining, eavesdropping, and internet censorship. Although DPI technology has been used for Internet management for many years, some advocates of net neutrality fear that the technology may be used anticompetitively or to reduce the openness of the Internet.
- 1 Background
- 2 DPI at the enterprise level
- 3 DPI at network/Internet service providers
- 4 Deep Packet Inspection by governments
- 5 DPI and net neutrality
- 6 Infrastructure Security
- 7 Software
- 8 Hardware
- 9 See also
- 10 References
- 11 External links
DPI combines the functionality of an intrusion detection system (IDS) and an Intrusion prevention system (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot catch events on their own that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability in blocking such an attack. DPIs are used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, denial-of-service attacks (DoS), sophisticated intrusions, and a small percentage of worms that fit within a single packet.
DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model. In some cases, DPI can be invoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI functionality is invoked when a device looks or takes other action, based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases.
A classified packet may be redirected, marked/tagged (see quality of service), blocked, rate limited, and of course, reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.
DPI at the enterprise level
Initially security at the enterprise level was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out, and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously.
Vulnerabilities exist at network layers, however, that are not visible to a stateful firewall. Also, an increase in the use of laptops in enterprise makes it more difficult to prevent threats such as viruses, worms, and spyware from penetrating the corporate network, as many users will connect the laptop to less-secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately-accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer to help combat those threats.
Deep Packet Inspection is able to detect a few kinds of buffer overflow attacks.
DPI may be used by enterprise for Data Leak Prevention (DLP). When an e-mail user tries to send a protected file the user may be given information on how to get the proper clearance to send the file.[clarification needed][examples needed]
DPI at network/Internet service providers
In addition to using DPI to secure their internal networks, Internet service providers also apply this technology on the public networks provided to customers. Common uses of DPI by ISPs are lawful intercept, policy definition and enforcement, targeted advertising, quality of service, offering tiered services, and copyright enforcement.
Service providers are required by almost all governments worldwide to enable lawful intercept capabilities. Decades ago in a legacy telephone environment, this was met by creating a traffic access point (TAP) using an intercepting proxy server that connects to the government's surveillance equipment. This is not possible in contemporary digital networks. The acquisition component of this functionality may be provided in many ways, including DPI, DPI-enabled products that are "LI or CALEA-compliant" can be used - when directed by a court order - to access a user's datastream.
Policy definition and enforcement
Service providers obligated by the service-level agreement with their customers to provide a certain level of service and at the same time, enforce an acceptable use policy, may make use of DPI to implement certain policies that cover copyright infringements, illegal materials, and unfair use of bandwidth. In some countries the ISPs are required to perform filtering, depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads". Policies can be defined that allow or disallow connection to or from an IP address, certain protocols, or even heuristics that identify a certain application or behavior.
Because ISPs route the traffic of all of their customers, they are able to monitor web-browsing habits in a very detailed way allowing them to gain information about their customers' interests, which can be used by companies specializing in targeted advertising. At least 100,000 United States customers are tracked this way, and as many as 10% of U.S. customers have been tracked in this way. Technology providers include NebuAd, Front Porch, and Phorm. U.S. ISPs monitoring their customers include, Knology, and Wide Open West. In addition, the United Kingdom ISP, British Telecom, has admitted testing technology from Phorm without their customers' knowledge or consent.
Quality of service
Applications such as peer-to-peer (P2P) traffic present increasing problems for broadband service providers. Typically, P2P traffic is used by applications that do file sharing. These may be any kind of files (i.e. documents, music, videos, or applications). Due to the frequently large size of media files being transferred, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers using applications such as e-mail or Web browsing which use less bandwidth. Poor network performance increases customer dissatisfaction and leads to a decline in service revenues.
DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call which requires low latency versus web browsing which does not. This is the approach that service providers use to dynamically allocate bandwidth according to traffic that is passing through their networks.
Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate "walled garden" services from "value added", “all-you-can-eat" and "one-size-fits-all” data services. By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor his offering to the individual subscriber and increase their Average Revenue Per User (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.
ISPs are sometimes requested by copyright owners or required by courts or official policy to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2, was given a court injunction and told it must block its customers from accessing The Pirate Bay, a launching point for BitTorrent. Instead of prosecuting file sharers one at a time, the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI, Sony BMG, Universal Music, and Warner Music have begun suing ISPs such as Eircom for not doing enough about protecting their copyrights. The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their network, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America (MPAA) which enforces movie copyrights, on the other hand has taken the position with the Federal Communications Commission (FCC) that network neutrality could hurt anti-piracy technology such as Deep Packet Inspection and other forms of filtering.
DPI allows ISPs to gather statistical information about use patterns by user group. For instance, it might be of interest whether users with a 2-Mbit connection use the network in a dissimilar manner to users with a 5-Mbit connection. Access to trend data also helps network planning.[clarification needed]
Deep Packet Inspection by governments
In addition to using DPI for the security of their own networks, governments in North America, Europe, and Asia use DPI for various purposes such as surveillance and censorship. Many of these programs are classified.
FCC adopts Internet CALEA requirements. The FCC, pursuant to its mandate from the U.S. Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet Access Providers meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.
The National Security Agency (NSA), with cooperation from AT&T Inc., has used Deep Packet Inspection technology to make internet traffic surveillance, sorting, and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) telephone call. Traffic associated with AT&T’s Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T’s switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to Marcus’s affidavit, the diverted traffic "represented all, or substantially all, of AT&T’s peering traffic in the San Francisco Bay area," and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources comprised primarily of domestic data." Narus's Semantic Traffic Analyzer software, which runs on IBM or Dell Linux servers using DPI technology, sorts through IP traffic at 10Gbit/s to pick out specific messages based on a targeted e-mail address, IP address or, in the case of VoIP, telephone number. President George W. Bush and Attorney General Alberto R. Gonzales have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.
The Chinese government uses Deep Packet Inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent. Chinese network ISPs use DPI to see if there is any sensitive keyword going through their network. If so, the connection will be cut. People within China often find themselves blocked while accessing Web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square protests and massacre of 1989, political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements as those materials were signed as DPI sensitive keywords already. China also blocks VoIP traffic in and out of their country. Voice traffic in Skype is unaffected, although text messages are subject to DPI, and messages containing sensitive material, such as curse-words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites such as YouTube.com and various photography and blogging sites.
The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN) (a joint venture Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cell telephone company), now NSN is Nokia Solutions and Networks, according to a report in the Wall Street Journal in June, 2009, quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes."
The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the Journal, NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome. That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking, and other criminal activities carried out online, a capability that most if not all telecom companies have, he said.... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and data communication on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solution,' at the end of March, by selling it to Perusa Partners Fund 1 LP, a Munich-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business..
Questions have been raised about the reporting reliability of the Journal report by David Isenberg, an independent Washington, D.C.-based analyst and Cato Institute Adjunct Scholar, specifically saying that Mr. Roome is denying the quotes attributed to him and that he, Isenberg, also had similar complaints with one of the same Journal reporters in an earlier story. NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran." A concurrent article in The New York Times said the NSN sale had been covered in a "spate of news reports in April , including The Washington Times," and reviewed censorship of the Internet and other media in the country, but did not mention DPI.
According to Walid Al-Saqaf, the developer of the internet censorship circumventor Alkasir, Iran was using deep packet inspection in February 2012, bringing internet speeds in the entire country to a near standstill. This briefly eliminated access to tools such as Tor and Alkasir.
Deep Packet inspection is contrary to Article 23 of the Constitution of the Russian Federation. However Federal Law №139 enforces blocking websites on the Russian Internet blacklist using IP-filtering.
The then-incumbent Malaysian Government, headed by Barisan Nasional, was said to be using DPI against a political opponent during the run-up to the 13th general elections held on the 5th of May, 2013.
DPI and net neutrality
People and organizations concerned about privacy or network neutrality find inspection of the content layers of the Internet protocol to be offensive, saying for example, "the 'Net was built on open access and non-discrimination of packets!" Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network services.
Deep packet inspection is considered by many to both undermine the infrastructure of the internet and is considered illegal under United States constitution. 
Traditionally the mantra which has served ISP's well has been to only operate at layer 4 and below of the ISP model. This is because simply deciding where packets go and routing them is comparably very easy to handle securely. This traditional model still allows ISP's to accomplish required tasks safely such as restricting bandwidth depending on the amount of bandwidth that is used (layer 4 and below) rather than per protocol or aplication type (layer 7). There is a very strong and often ignored argument that ISP action above layer 4 of the OSI model provides what are known in the security community as 'stepping stones' or platforms to conduct man in the middle attacks from. This problem is exacerbated by ISP's often choosing cheaper hardware with poor security track records for the very difficult and arguably impossible to secure task of Deep Packet Inspection.
OpenBSD's packet filter specifically avoids DPI for the very reason that it cannot be done securely with confidence.
This means that DPI dependent security services such as TalkTalk's HomeSafe are actually trading the security of a few (protectable and often already protectable in other more effective ways) at a cost of decreased security for all where users also have a far less possibility of mitigating the risk. The HomeSafe service in particular is opt in for blocking but it's DPI cannot be opted out of, even for business users.
OpenDPI is the open source version for non-obfuscated protocols. PACE, another such engine, includes obfuscated and encrypted protocols, which are the types associated with Skype or encrypted BitTorrent. As OpenDPI is no longer maintained, an OpenDPI-fork named nDPI has been created, actively maintained and extended with new protocols including Skype, Webex, Citrix and many others.
L7-Filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets such as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, and others. It classifies streaming, mailing, P2P, VOIP, protocols, and gaming applications.
Hippie (Hi-Performance Protocol Identification Engine) is an open source project which was developed as Linux kernel module. It was developed by Josh Ballard. It supports both DPI as well as firewall functionality.
SPID (Statistical Protocol IDentification) project is based on statistical analysis of network flows to identify application traffic. The SPID algorithm can detect the application layer protocol (layer 7) by analysing flow (packet sizes, etc.) and payload statistics (byte values, etc.) from pcap files. It is just a proof of concept application and currently supports approximately 15 application/protocols such as eDonkey Obfuscation traffic, Skype UDP and TCP, BitTorrent, IMAP, IRC, MSN, and others.
Tstat (TCP STatistic and Analysis Tool) provides insight into traffic patterns and gives details and statistics for numerous applications and protocols.
There is a greater emphasis being placed on deep packet inspection - this comes in light after the rejection of both the SOPA and PIPA bills. Many current DPI methods are slow and costly, especially for high bandwidth applications. More efficient methods of DPI are being developed. Specialized routers are now able to perform DPI; routers armed with a dictionary of programs will help identify the purposes behind the LAN and internet traffic they are routing. Cisco Systems is now on their second iteration of DPI enabled routers, with their announcement of the CISCO ISR G2 router. 
- Common carrier
- Data Retention Directive
- Deep content inspection
- Foreign Intelligence Surveillance Act
- Golden Shield
- Intrusion prevention system
- Network neutrality
- NSA warrantless surveillance controversy
- Stateful firewall
- Packet analyzer
- Dr. Thomas Porter (2005-01-11). "The Perils of Deep Packet Inspection". Security Focus. Retrieved 2008-03-02.
- Hal Abelson, Ken Ledeen, Chris Lewis (2009). "Just Deliver the Packets, in: "Essays on Deep Packet Inspection", Ottawa". Office of the Privacy Commissioner of Canada. Retrieved 2010-01-08.
- Ralf Bendrath (2009-03-16). "Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection, Paper presented at the International Studies Annual Convention, New York City, 15–18 February 2009". International Studies Association. Retrieved 2010-01-08.
- Ido Dubrawsky (2003-07-29). "Firewall Evolution - Deep Packet Inspection". Security Focus. Retrieved 2008-03-02.
- Elan Amir (2007-10-29). "The Case for Deep Packet Inspection". IT Business Edge. Retrieved 2008-03-02.
- Michael Morisy (2008-10-23). "Data leak prevention starts with trusting your users". SearchNetworking.com. Retrieved 2010-02-01.
- Nate Anderson (2007-07-25). "Deep Packet Inspection meets 'Net neutrality, CALEA". ars technica. Retrieved 2006-02-06.
- Jeff Chester (2006-02-01). "The End of the Internet?". The Nation. Retrieved 2006-02-06.
- Peter Whoriskey (2008-04-04). "Every Click You Make: Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising". The Washington Post. Retrieved 2008-04-08.
- "Charter Communications: Enhanced Online Experience". Retrieved 2008-05-14.
- "Deep Packet Inspection: Taming the P2P Traffic Beast". Light Reading. Retrieved 2008-03-03.
- Matt Hamblen (2007-09-17). "Ball State uses Deep Packet Inspection to ensure videoconferencing performance". Computer World. Retrieved 2008-03-03.
- "Allot Deploys DPI Solution at Two Tier 1 Mobile Operators to Deliver Value- Added and Tiered Service Packages". Money Central. 2008-02-05. Retrieved 2008-03-03.
- Jeremy Kirk (2008-02-13). "Danish ISP prepares to fight Pirate Bay injunction". IDG News Service. Retrieved 2008-03-12.
- Matthew Clark (2005-07-05). "Eircom and BT won't oppose music firms". ENN. Retrieved 2008-03-12.[dead link]
- Eric Bangeman (2008-03-11). ""Year of filters" turning into year of lawsuits against ISPs". ars technica. Retrieved 2008-03-12.
- Anne Broach (2007-07-19). "MPAA: Net neutrality could hurt antipiracy tech". CNET News. Retrieved 2008-03-12.
- Carolyn Duffy Marsan (2007-06-27). "OEM provider Bivio targets government market". Network World. Retrieved 2008-03-13.
- J. I. Nelson, Ph.D. (2006-09-26). "How the NSA warrantless wiretap system works". Retrieved 2008-03-03.
- Bellovin, Steven M.; Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, and Jennifer Rexford (January/February 2008). "Risking Communications Security: Potential Hazards of the Protect America Act". IEEE Security and Privacy (IEEE Computer Society) 6 (1): 24–33. doi:10.1109/MSP.2008.17. Retrieved 2008-03-03.
- Robert Poe (2006-05-17). "The Ultimate Net Monitoring Tool". Wired. Retrieved 2008-03-03.
- Carol D. Leonnig (2007-01-07). "Report Rebuts Bush on Spying - Domestic Action's Legality Challenged". The Washington Post. Retrieved 2008-03-03.
- Cheryl Gerber (2008-09-18). "Deep Security: DISA Beefs Up Security with Deep Packet Inpection of IP Transmissions". Retrieved 2008-10-30.
- Ben Elgin and Bruce Einhorn (2006-01-12). "The Great Firewall of China". Business Week. Retrieved 2008-03-13.
- "Internet Filtering in China in 2004-2005: A Country Study". Open Net Initiative. Retrieved 2008-03-13.
- "China Blocks YouTube, Restores Flickr and Blogspot". PC World. 2007-10-18. Retrieved 2008-03-03.
- "Iran's Web Spying Aided By Western Technology" by Christopher Rhoads in New York and Loretta Chao in Beijing, The Wall Street Journal, June 22, 2009. Retrieved 6/22/09.
- "Questions about WSJ story on Net Management in Iran" by David S. Isenberg, isen.blog, June 23, 2009. Retrieved 6/22/09.
- "Provision of Lawful Intercept capability in Iran" Company press release. June 22, 2009. Retrieved 6/22/09.
- "Web Pries Lid of Iranian Censorship" by Brian Stelter and Brad Stone, The New York Times, June 22, 2009. Retrieved 6/23/09.
- Feb. 14, 2012 "Breaking and Bending Censorship with Walid Al-Saqaf", an Interview with Arseh Sevom. Last viewed Feb. 23, 2102.
- Constitution of the Russian Federation (english translation)
- Goh Kheng Teong (2013-05-20). "DAP complains to MCMC over blockade on its websites, videos, FB, social media networks". Retrieved 2013-05-21.
- Reuters (2013-05-04). "In Malaysia, online election battles take a nasty turn". Retrieved 2013-05-22.
- Genny Pershing. "Network Neutrality: Historic Neutrality". Cybertelecom. Retrieved 2008-06-26.
- Genny Pershing. "Network Neutrality: Insufficient Harm". Cybertelecom. Retrieved 2008-06-26.
- Deep packet inspection engine goes open source
- L7-Filter home page
- Hippie Project download page on SourceForge
- Hippie reference page
- SPID project on SourceForge
- Tstat project home
- Spy-Gear Business to Be Sold - Amesys to Sell Business That Provided Surveillance Technology Used by Gadhafi, the Wall Street Journal, German edition, friday, march the 9th of 2012.
- Application Visibility and Control. (n.d.). In Cisco Systems. Retrieved from http://www.cisco.com/en/US/prod/routers/application_visibility_control.html.
- Test Methodology - registration required
- Subverting Deep Packet Inspection the Right Way
- What is "Deep Inspection"?
- A collection of essays from industry experts
- What Is Deep Packet Inspection and Why the Controversy
- White Paper "Deep Packet Inspection – Technology, Applications & Net Neutrality"
- Egypt's cyber-crackdown aided by US Company - DPI technology used by Egyptian government in recent internet crackdown
- Deep Packet Inspection puts its stamp on an evolving Internet
- Validate DPI policy using real applications
- Hand-held packet capture device with PCAP storage