What is packet filtering?
To understand how DPI works and why it’s used, we first need to understand how data packets are transferred and filtered. Any information you send or receive online, whether it would be an email or you connecting to a website, is divided into packets. These packets consist of headers and payloads that tell devices where these packets are from and where they are going.
Your router, for example, protects your devices by performing basic packet filtering, also known as Static/Stateless packet filtering. It checks the incoming packets headers against a set of rules (also called Access Control List) like specific source/destination IP addresses/port numbers and dismisses the ones that don’t.
It does a good job, but packet filtering is usually not enough. First of all, hackers have found ways to overcome it. Second, the more rules your router has, the slower it becomes, and some routers simply don’t have enough processing power to protect you from all of the threats lurking out there. That’s why deep packet inspection was created.
What is DPI?
Deep packet inspection (DPI) is a type of network packet filtering, also known as information extraction or complete packet inspection. If static/stateless packet filtering only checks the headers, then DPI checks both the header and what’s inside the packet — its payload. The user can then weed out anything that doesn’t match its ruleset, like non-compliance to a protocol, spam, viruses, or intrusions. The rules are usually set by you, your Internet Service Provider (ISP), or the relevant network or systems administrator.
Deep Packet Inspection tools
There are different techniques and tools DPI may use to find and dismiss packets that don’t match its filtering rules.
- Pattern or signature matching. DPI analyzes packets against a database of known network attacks. Unfortunately, this approach doesn’t protect your network from yet-to-be-discovered attacks — new malware and viruses.
- Protocol anomaly has a “default deny” approach, meaning that it denies all traffic unless it matches its protocol rules. This approach protects you from unknown attacks but can be very restrictive.
- Intrusion Prevention System (IPS) solutions can also use DPI technologies. They have similar functionality and can detect threats in real-time. However, they do pick up on false positives, meaning that for it to work, you’ll need to create fairly conservative policies.
What is DPI used for?
- Network security. DPI can be used as an intrusion detection system (IDS) or a combination of intrusion prevention (IPS) and intrusion detection. It can identify specific attacks such as denial of service and buffer overflow attacks, and other malicious traffic caused by viruses, worms, or ransomware, which other security tools might not be able to pick up on.
DPI works much like an antivirus, but it detects threats at the network layer before they even get to the end-user. For example, in large companies, DPI can help prevent viruses and worms from spreading throughout the corporate network. It can also help detect prohibited uses of your company’s applications.
- Data Loss Prevention. DPI can prevent data egress at companies. For example, when emailing confidential information, DPI would prompt an employee to get the necessary permission and clearance to send it.
- Internet traffic shaping or network management. You can use DPI to filter traffic and ease the network flow. For example, you can set it up so that you get high priority messages first or to slow down or prioritize your P2P downloads.
Unfortunately, ISP do this often as well to throttle user traffic. Copyright holders can also ask ISPs, with the help of DPI, to block their content from being downloaded illegally.
- Eavesdropping and online censorship. The Chinese government uses DPI to monitor and control the country’s network traffic. It helps them to block unwanted websites such as pornography, social media platforms, and religious or political opposition.
- Target advertising. DPI raises some privacy concerns because it can dig deep enough to see the sender, the receiver and the content of the data packet. This information can be collected by ISPs that monitor your traffic and can then be sold to companies specializing in targeted advertising.
DPI isn’t a flawless security tool. It presents many challenges, and you may think twice before trusting it.
- DPI can hinder performance as it requires a lot of processing power. Your router already does a lot – NAT firewall, stateful inspection, etc. – adding DPI makes the whole network even more complex.
- DPI raises privacy concerns. DPI can be used for good and bad. It can help you block malware and hackers, but it can also be abused by ISPs and governments to block certain content and monitor what you do online.
- DPI and encryption. Encryption makes DPI’s work especially difficult because if the traffic is end-to-end encrypted, how can you peak into its packets? Given that much internet traffic is encrypted these days (VPN or HTTPS traffic, certain email or messaging platforms), DPI might soon become obsolete.
Protect your traffic from DPI inspection with NordVPN. Try it now with a 30-day money-back guarantee.