What is DPI?
Deep packet inspection (DPI) is a type of network packet filtering, also known as information extraction or complete packet inspection. Everything you send or receive online, whether an email or a connection to a website, is divided into packets. Each packet consists of a header, which tells devices where the packet comes from and where it is going, and a payload, which carries the actual data.
Your router, for example, protects your devices by performing basic packet filtering, also known as stateless packet filtering. It checks each incoming packet's headers against a set of rules (an access control list, or ACL) that specify, for example, permitted source and destination IP addresses and port numbers, and drops the packets that don't match.
Where stateless packet filtering only checks the headers, DPI checks both the packet header and what's inside the packet, its payload. Anything that doesn't match the pre-defined ruleset can then be weeded out: traffic that doesn't comply with a protocol, spam, malware, or intrusion attempts. Responsibility for defining the rulesets can lie with the end user, the Internet Service Provider (ISP), or the network administrator, depending on the context and who controls the network.
How does DPI work?
How deep packet inspection functions in your system depends on the type of DPI tool you're using. Next-generation firewalls, intrusion detection systems, various network monitoring tools, and even some routers offer DPI support.
Here’s how deep packet inspection works step by step:
- Packet capture. The DPI tool uses a variety of methods such as network taps and port mirroring to capture incoming packets.
- Packet decoding. Once the packet has been captured, the DPI tool decodes it layer by layer following the OSI model, from the link-layer frame at the bottom through the network and transport headers up to the application data at the top.
- Protocol analysis. DPI tools have a library of known protocols, which they use to identify the protocol a packet carries. This could be anything from HTTP for web traffic to SMTP for email or FTP for file transfers. Identification is based on the payload itself rather than the port number alone, since an application can be run on any port.
- Content analysis. The key part that separates DPI from traditional packet filtering is that DPI analyzes the contents of the packet, or the payload. It searches for certain patterns or signatures that match known malicious content or non-compliant data.
- Action. Based on the analysis, the DPI tool takes a predefined action: allowing the packet through, blocking it, rerouting it, or flagging it for further investigation.
- Logging. Lastly, DPI tools typically log the results of their analysis for later review. This can be helpful for identifying trends, troubleshooting issues, and documenting network activity.
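The six steps above in miniature, as an added example that is not part of the article: a Python decoder that walks an Ethernet/IPv4/TCP frame, identifies the application protocol from the payload, matches the payload against a small signature database, picks an action and logs the verdict. The captured frame, the protocol fingerprints, the signatures and the port allow-list are all constructed for the example; the header-only ACL check is included so you can see what a stateless filter would have decided about the same packet.

```python
"""Minimal DPI pipeline: capture (here, a constructed frame), decode, protocol
analysis, content analysis, action, logging. Added example, not from the
article; every rule and packet below is constructed for illustration."""
import re
import struct
from dataclasses import dataclass

# Constructed input: a helper that builds a valid Ethernet/IPv4/TCP frame.
def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")              # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,   # IHL=5, proto 6 = TCP
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Step 2: decode layer by layer (link -> network -> transport -> application data).
def decode(frame: bytes) -> Packet:
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("only TCP is handled in this example")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return Packet(src, dst, sport, dport, tcp[data_offset:])


# A stateless ACL sees headers only. Constructed rule: allow TCP to web and mail ports.
ALLOWED_DPORTS = {25, 80, 443}
def acl_allows(pkt: Packet) -> bool:
    return pkt.dport in ALLOWED_DPORTS


# Step 3: protocol analysis from the payload, using a small constructed fingerprint library.
PROTOCOL_FINGERPRINTS = {
    "HTTP": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "SMTP": re.compile(rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:)", re.IGNORECASE),
    "FTP": re.compile(rb"^(USER|PASS|RETR|STOR) ", re.IGNORECASE),
}
def identify_protocol(payload: bytes) -> str:
    for name, pattern in PROTOCOL_FINGERPRINTS.items():
        if pattern.match(payload):
            return name
    return "unknown"


# Step 4: content analysis against a signature database (constructed signatures).
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./\.\./"), "block"),
    ("sensitive-file-request", re.compile(rb"/etc/passwd"), "block"),
    ("legacy-http-1.0", re.compile(rb"HTTP/1\.0\r\n"), "flag"),
]

LOG: list = []   # step 6: every verdict is recorded here


# Steps 5 and 6: choose the action (block beats flag beats allow) and log it.
def inspect(frame: bytes) -> dict:
    pkt = decode(frame)
    matched = [(name, action) for name, rx, action in SIGNATURES if rx.search(pkt.payload)]
    if any(action == "block" for _, action in matched):
        verdict = "block"
    elif matched:
        verdict = "flag"
    else:
        verdict = "allow"
    entry = {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
             "protocol": identify_protocol(pkt.payload),
             "acl": "allow" if acl_allows(pkt) else "deny",   # what a header-only filter decides
             "signatures": [name for name, _ in matched], "action": verdict}
    LOG.append(entry)
    return entry


if __name__ == "__main__":
    benign = build_frame("10.0.0.5", "192.0.2.10", 51000, 80,
                         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
    hostile = build_frame("10.0.0.5", "192.0.2.10", 51001, 80,
                          b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.com\r\n\r\n")
    for frame in (benign, hostile):
        print(inspect(frame))
```

Both constructed packets go to port 80, so the ACL allows both; only the payload inspection separates the ordinary page request from the traversal attempt. A real DPI engine also reassembles TCP streams before matching, because a signature split across two segments would otherwise slip past a per-packet check.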
Deep packet inspection and conventional packet filtering
Unless your network is completely isolated or you don't plan to filter packets at all, you will likely face a choice between deep packet inspection and conventional packet filtering. So what's the difference? You already know that DPI inspects both the header and the packet contents. Conventional packet filtering only checks the packet header for information such as the source and destination IP addresses, protocol type, and ports.
When packet-filtering firewalls were introduced, that was a good solution because firewalls weren't capable of analyzing large amounts of data efficiently. But attackers found ways past conventional packet filtering: a header-only filter cannot tell a legitimate web request to port 80 from an attack that uses the same port. Managing packet-filtering rules can also become a challenge. The more rules your router has, the slower it becomes, and some routers simply don't have enough processing power to protect you from all of the threats lurking out there.
DPI involves much deeper packet analysis and therefore needs more processing power, but its traffic prioritization capabilities and more effective threat blocking reduce the large number of rules that conventional packet filtering would need.
DPI use cases and applications
Some of the tasks DPI can help with are improving network performance, blocking malware, and preventing data leaks. Let's take a closer look at DPI use cases:
Threat detection
One of the main use cases for DPI is working with threat detection systems to analyze data packets and stop threats such as ransomware, viruses, and spyware. DPI also provides comprehensive visibility into network traffic, and further heuristic analysis can pinpoint unusual traffic patterns and enable security teams to respond to signs of a potential breach.
Preventing data leaks
DPI doesn't just check data packets of incoming traffic; it can inspect outgoing traffic as well. A company may use DPI to detect and block data theft and potential data leaks, whether accidental or intentional.
Enforcing content policy
Deep packet inspection technology can help organizations regulate access to potentially hazardous or unauthorized applications, such as peer-to-peer download platforms.
Network performance optimization
By examining the contents of each packet, DPI can identify the types of data flowing over the network. Network administrators can use this information to prioritize certain types of data over others for better bandwidth management.
Regulatory compliance
Data privacy regulations now reach the majority of industries across the world. DPI can help identify regulated data in transit and support compliance by handling it appropriately.
Digital parental controls
While DPI is often used in a business setting, you can use it at home to implement parental controls. By inspecting packet content, DPI can filter internet content and block access to inappropriate websites more thoroughly than traditional URL-based filters, within the limits that encryption imposes (see the challenges below).
VoIP and streaming quality assurance
By identifying VoIP or streaming traffic and assigning it a higher priority, DPI can reduce latency and buffering and improve the quality of your calls and video streams.
Deep packet inspection techniques and tools
DPI can use various techniques to find and drop packets that don't match its filtering rules.
- Pattern or signature matching. DPI compares packets against a database of known attacks, looking for byte patterns of malicious code. This approach cannot protect your network from attacks that haven't been catalogued yet, such as zero-day exploits and new malware variants.
- Protocol anomaly detection takes a "default deny" approach: it denies all traffic unless it conforms to the expected protocol rules. Anything that deviates from the protocol's grammar, such as a malformed request or a different protocol tunneled over a web port, is rejected even when no signature exists for it. This protects against unknown attacks but can be very restrictive, because unusual-but-legitimate traffic is rejected too.
- Intrusion prevention system (IPS) solutions can also use DPI technologies. They offer similar functionality and can block threats in real time. However, they do produce false positives, so for an IPS to work in blocking mode you'll need fairly conservative policies.
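An added example of the protocol anomaly approach, not code from the article: a default-deny validator for traffic arriving on a web port that allows a request only if it conforms to a strict HTTP/1.x grammar. The grammar is a constructed approximation of RFC 9112, the method allow-list is deliberately narrow, and each payload is treated as one complete, already reassembled request; the sample payloads are constructed.

```python
"""Protocol-anomaly detection for HTTP: default deny, allow only what matches
a strict request grammar. Added example, not from the article; the grammar is
a constructed approximation of RFC 9112 and each payload is treated as one
complete, already reassembled request."""
import re
from typing import Tuple

# Constructed grammar: request line, header lines, then an empty line.
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (/[^\s]*|\*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*)$")
# Deliberately narrow allow-list: anything else counts as an anomaly, even if legal.
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def validate_http_request(payload: bytes) -> Tuple[str, str]:
    """Return ("allow", reason) only when every check passes; otherwise ("deny", reason)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "no end-of-headers marker"
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "deny", "malformed request line"
    method = match.group(1)
    if method not in KNOWN_METHODS:
        return "deny", "method %s not in allow-list" % method.decode()
    headers = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:
            return "deny", "malformed header line"
        name = hm.group(1).lower()
        if name in headers:
            return "deny", "duplicate header %s" % name.decode()
        headers[name] = hm.group(2).strip()
    if lines[0].endswith(b"HTTP/1.1") and b"host" not in headers:
        return "deny", "HTTP/1.1 request without Host header"
    # Two competing body-length indicators is the classic request-smuggling anomaly.
    if b"content-length" in headers and b"transfer-encoding" in headers:
        return "deny", "both Content-Length and Transfer-Encoding present"
    if b"content-length" in headers:
        length = headers[b"content-length"]
        if not length.isdigit():
            return "deny", "non-numeric Content-Length"
        if int(length) != len(body):
            return "deny", "Content-Length does not match body"
    return "allow", "conforms to HTTP/1.x grammar"


# Constructed samples of what an inspector on port 80 might see.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n",
    "ssh-on-80": b"SSH-2.0-OpenSSH_9.3\r\n",                          # another protocol on a web port
    "smuggling": (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\nabc"),
    "patch": b"PATCH /api HTTP/1.1\r\nHost: example.com\r\n\r\n",     # legal HTTP, but not allow-listed
}


def classify_samples() -> dict:
    """Run every sample through the validator; 'patch' shows the restrictiveness the text warns about."""
    return {name: validate_http_request(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in classify_samples().items():
        print(f"{name:12} {verdict:5} {reason}")
```

Note that no signature was needed to reject the tunnelled SSH banner or the smuggling attempt; the grammar did the work. The price is the "patch" sample: a perfectly valid request denied because the allow-list never anticipated it, which is exactly the false-positive trade-off that pushes operators toward conservative policies.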
DPI has several common applications, not all of them in the user's interest:
1. Network security. DPI can serve as an intrusion detection system (IDS) or as a combination of intrusion detection and intrusion prevention (IPS). It can identify specific attacks such as denial of service and other malicious traffic caused by viruses, worms, or ransomware, which other security tools might not pick up.
DPI works much like an antivirus, but it detects threats on the network before they reach the end user. In large companies, for example, DPI can help prevent viruses and worms from spreading through the corporate network. It can also help detect prohibited uses of the company's applications.
2. Data loss prevention. DPI can stop sensitive data from leaving a company. For example, when an employee emails confidential information, a DPI-based DLP policy can block the message or hold it until the employee obtains the necessary permission and clearance to send it.
3. Internet traffic shaping or network management. You can use DPI to classify traffic and ease the network flow, for example by giving high-priority messages precedence or by slowing down or prioritizing your P2P downloads.
Unfortunately, ISPs often do this too, to throttle user traffic. Copyright holders can also ask ISPs to use DPI to block their content from being downloaded illegally.
4. Eavesdropping and online censorship. The Chinese government uses DPI to monitor and control the country's network traffic, blocking websites it deems unwanted, such as pornography, social media platforms, and religious or political opposition.
5. Targeted advertising. DPI raises privacy concerns because it can dig deep enough to see the sender, the receiver, and the content of a data packet. ISPs that monitor your traffic can collect this information and sell it to companies specializing in targeted advertising.
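The outbound inspection described under "Preventing data leaks" and in item 2 above, as an added example that is not part of the article: a Python egress scanner that only looks at traffic leaving the internal network and blocks payloads carrying a plausible card number (right length and a passing Luhn checksum, so random digit runs don't trigger it) or a confidentiality marker. The internal address ranges, the CONFIDENTIAL label and the packets are constructed for the example.

```python
"""Outbound DLP with DPI: scan payloads leaving the internal network for card
numbers (format plus Luhn check) and a confidentiality marker. Added example,
not from the article; the internal ranges, marker and packets are constructed."""
import ipaddress
import re
from typing import Dict, List

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MARKER = re.compile(rb"\bCONFIDENTIAL\b", re.IGNORECASE)   # constructed classification label


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload: bytes) -> List[str]:
    found = []
    for m in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_flow(src: str, dst: str, payload: bytes) -> Dict[str, object]:
    """Only internal -> external traffic is egress; everything else passes untouched."""
    if not (is_internal(src) and not is_internal(dst)):
        return {"direction": "not-egress", "action": "allow", "findings": []}
    findings = []
    cards = find_card_numbers(payload)
    if cards:
        # Log a masked value: the DLP log must not itself become a leak.
        findings.append("card-number:" + ",".join("*" * (len(c) - 4) + c[-4:] for c in cards))
    if MARKER.search(payload):
        findings.append("confidential-marker")
    return {"direction": "egress", "action": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    # Constructed packets: a form post with a Luhn-valid test number, the same with one bad digit, an inbound reply.
    cases = [
        ("10.1.1.5", "198.51.100.7", b"POST /upload HTTP/1.1\r\nHost: paste.example\r\n\r\ncard=4111 1111 1111 1111"),
        ("10.1.1.5", "198.51.100.7", b"POST /upload HTTP/1.1\r\nHost: paste.example\r\n\r\ncard=4111111111111112"),
        ("198.51.100.7", "10.1.1.5", b"HTTP/1.1 200 OK\r\n\r\nCONFIDENTIAL"),
    ]
    for src, dst, payload in cases:
        print(src, "->", dst, scan_flow(src, dst, payload))
```

The scanner only works on plaintext it can actually read: a payload inside an uninspected TLS session, or one the sender has compressed, encrypted or base64-encoded first, matches nothing, which is why DLP deployments pair content rules like these with TLS inspection and with controls on the endpoint itself.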
DPI challenges and limitations
DPI isn't a flawless network management tool. It presents several challenges, and you may need to think twice before relying on it.
- DPI can hinder performance because it requires a lot of processing power. Your router already does a lot – NAT, stateful inspection, etc. – and adding DPI makes the whole setup more complex and slower.
- DPI raises privacy concerns. DPI can be used for good and bad. It can help you block malware and attackers, but it can also be abused by ISPs and governments to block content and monitor what you do online.
- DPI and encryption. Encryption makes DPI's job harder: if traffic is encrypted end to end, the inspector cannot read the payload. Since most internet traffic is now encrypted (HTTPS, VPN tunnels, and many email and messaging platforms), a DPI tool has two options. It can inspect only what remains in the clear, such as IP addresses, ports, packet sizes and timing, and the server name sent in a TLS handshake; or an organization can terminate TLS at an inspection proxy using a certificate authority its managed devices trust, which restores full visibility on its own network but requires deliberately installing that CA on every endpoint. Traffic inside a VPN tunnel or an end-to-end encrypted messenger stays hidden from any DPI device in between.