
Digging Deeper Into Deep Packet Inspection (DPI)


Published in: Technology, Business


  1. Digging Deeper Into DPI: Network Visibility & Service Management. Jay Klein, May 2007
  2. Outline
     - Origins of the Problem
     - Complexity
     - DPI for Security vs. DPI for Application Control
     - DPI: a glance through the basics
  3. Market Trends and Drivers: Bandwidth
     - Broadband becoming ubiquitous
       - High penetration rates (over 50% in Korea, Taiwan, Holland and Canada)
       - Over 50% of on-line households are BB
     - Telcos are upgrading infrastructure:
       - ADSL2+ (20-25Mbps)
       - VDSL2 (20-30Mbps)
       - FTTx
     - Bandwidth per user is ramping up:
       - BW expected to reach 20M by 2010 (source: IDC, 2006)
     (graphic: More Bandwidth → More Applications; tabs: P2P, VoIP, Ents., Online Gaming)
  4. Market Trends and Drivers: Applications (P2P)
     - P2P continues to be highly popular
       - Average of 40-60% of overall BW
     - More applications use encryption
       - BitTorrent, eMule, Ares
     - Content providers seem to adopt P2P
       - Warner Bros to sell films via BitTorrent
       - Scalability
  5. Market Trends and Drivers: Applications (VoIP)
     - Numerous Internet VoIP providers:
       - Skype, Vonage, GoogleTalk, Yahoo!Voice, Net2Phone
     - VoBB subscribers increased rapidly in 2005/6
     - More SPs offer Voice & Data services bundled together
  6. Market Trends and Drivers: Applications (Entertainment)
     - Usage of streaming applications increasing dramatically
       - YouTube: 100M videos/day
     - Numerous new Web-TV services launched
       - BBC, In2TV etc.
       - Skype to launch Venice Project, a Web TV service
       - Telcos launching IPTV services: Pay-TV and VOD
     - More than just a service differentiator
  7. Market Trends and Drivers: Applications (Online Gaming)
     - Consoles & PCs offer an "over the network" gaming experience
     - Stringent bandwidth & latency requirements
  8. The Complexity
     - Numerous applications, many protocols
     - Same application, different implementations
       - BitTorrent has more than 30 different client implementations
       - IM or VoIP may deliver the same experience but don't use similar protocols
     - Evolving architectures
       - Skype evolved from Kazaa, maintaining more or less the same network topology
       - Joost (Venice Project) has just done the same
  9. The Complexity
     - Mixture of technologies, diverse deployment scenarios
       - Various clients: PC, smartphone, gaming console
       - Client's network surroundings: firewall/NAT, proxy
       - Monitor or traffic shape
       - Symmetric vs. asymmetric
     - Frequent updates
       - Can vary from twice a year to every month
       - Easy to enforce an upgrade policy with quick reaction time
       - Typically will affect the protocol format
  10. The Complexity
     - Use of encryption (obfuscation)
       - Primarily designed to counter the operator's throttling and monitoring efforts (eMule, BitTorrent)
       - In some cases protects a proprietary implementation (Skype)
     - Cannot generalize; need to differentiate use
       - "Good" (legit streaming, SW updates) vs. "Bad" (pirated file sharing) P2P
     - Need to recognize application subtleties for proper actions
       - Example: MSN IM: block VoIP & streaming, allow chat
  11. DPI: Application Space vs. Security Space
     - Comparable in the sense of "Deep", "Packet" & "Inspection"
     - Different core competence
       - Similar tools yet different know-how
       - Some "gray area" in the middle (e.g., basic DDoS)
     - When DPI is aimed at applications
       - Applications = services, typically "invited" by the operator, the end-user or both
     - When DPI is aimed at security risks
       - Risks = weaknesses in network & OS behavior
       - Need to deal with hostile "applications" and "services"
  12. DPI: Application Space vs. Security Space
     - DPI for security inspects L3/4 and complements with L7 info if required
     - DPI for security often samples the data stream, indicates a trend & recommends an action
     - When DPI is aimed at applications, it starts at L7 and tracks & learns the specific service
     - DPI for applications must examine each connection and accurately identify & classify it for any action beyond monitoring
  13. Packet Inspection
     - Analyze encapsulated content in the packet's header and payload
       - Content may be spread over many packets
     - Different research and analysis tools are combined
     - The end result: a library of "signatures"
       - For each protocol/application a "unique" fingerprint set is found
       - Signatures may change over time
  14. False Positives
     - The likelihood that application connections are caught by signatures of other applications
       - Some traffic is misidentified / misclassified
     - Signatures are too weak
     - Reason: different protocols exhibit similar behavior or data patterns
     - Strengthen the signature by combining several techniques, leading to a complex & robust signature
     - Target 0% FP for controlling purposes
  15. False Negatives
     - The likelihood that application connections are not caught by their designated signatures
     - End result: some portion of the suspected application traffic is not detected
     - Why? Signatures don't cover all protocol occurrences
     - Examples:
       - IM = Chat, Streaming, Gaming, VoIP...
       - Environment: Proxy, NAT
  16. Shallow (Standard) Packet Inspection
     (diagram: header info reveals communication intent)
  17. Deep Packet Inspection
     (diagram: information regarding connection state; signature over several packets found)
  18. Analysis by Port
     - Reasoning:
       - Many applications and protocols use a default port
     - Example: email
       - Incoming POP3: 110 (995 if using SSL)
       - Outgoing SMTP: 25
     - The Good: it's easy. The Bad: it's too easy
       - Many applications disguise themselves (e.g., port 80)
       - Port hopping → large range, overlapping apps
  19. Analysis by String Match
     - Reasoning:
       - Many applications have pure textual identifiers
     - Easy to search for
       - Very easy if in a specific location within a packet
     - Uniqueness not always guaranteed
  20. String Match Example
     (diagram only; no text recovered)
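Slides 18 and 19 describe port-based and string-based classification, and slides 14 and 15 define the false-positive and false-negative rates that decide whether a signature is fit for control rather than monitoring. The following script is an added example, not code from the presentation: it classifies a set of constructed flows first by port, then by string match, then by the combination the slides recommend, and scores each classifier per application against the flows' true labels. The POP3, SMTP and HTTP strings and the BitTorrent handshake prefix are the real protocol greetings; the sample flows, the invented "chatd" protocol and the strong/weak flag on each signature are constructed for illustration.

```python
"""Port-based vs. string-match classification, scored for false positives
and false negatives.

Added example; not code from the presentation. Each flow is a constructed
dict holding the server port, the first payload bytes of the connection and
the application that really produced it (the ground truth the FP/FN rates
are measured against). "chatd" is an invented protocol whose greeting
happens to start with "+OK", just like POP3.
"""
from typing import Callable, Dict, List

Flow = Dict[str, object]

# Default-port table (slide 18 lists POP3 110/995 and SMTP 25; 80 and 6881 added here).
PORT_TABLE = {25: "smtp", 80: "http", 110: "pop3", 995: "pop3", 6881: "bittorrent"}

# String signatures: (app, needle, offset or None for "anywhere", strong).
# A strong signature is specific enough to stand alone; a weak one needs
# port corroboration, i.e. the "combine several techniques" advice of slide 14.
STRING_SIGS = [
    ("bittorrent", b"\x13BitTorrent protocol", 0, True),  # peer-wire handshake
    ("http", b"HTTP/1.", None, True),                      # request or status line
    ("smtp", b"EHLO ", 0, True),
    ("pop3", b"+OK", 0, False),                            # too generic on its own
]

FLOWS: List[Flow] = [  # constructed sample connections
    {"port": 80,   "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n", "app": "http"},
    {"port": 80,   "payload": b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20, "app": "bittorrent"},
    {"port": 6881, "payload": b"\x13BitTorrent protocol" + bytes(8) + b"\xbb" * 20, "app": "bittorrent"},
    {"port": 25,   "payload": b"EHLO mail.example.test\r\n", "app": "smtp"},
    {"port": 110,  "payload": b"+OK POP3 server ready\r\n", "app": "pop3"},
    {"port": 4242, "payload": b"+OK chatd 1.0 ready\r\n", "app": "chatd"},
    {"port": 8080, "payload": b"POST /api/v1 HTTP/1.1\r\nHost: example.test\r\n", "app": "http"},
]


def classify_by_port(flow: Flow) -> str:
    """Slide 18: trust the default-port table alone."""
    return PORT_TABLE.get(flow["port"], "unknown")


def classify_by_string(flow: Flow, require_port_for_weak: bool = False) -> str:
    """Slide 19: first signature whose string is found (at its offset) wins."""
    payload = flow["payload"]
    for app, needle, offset, strong in STRING_SIGS:
        hit = needle in payload if offset is None else payload.startswith(needle, offset)
        if not hit:
            continue
        if strong or not require_port_for_weak or PORT_TABLE.get(flow["port"]) == app:
            return app
    return "unknown"


def classify_combined(flow: Flow) -> str:
    """Weak string signatures are only accepted when the port agrees."""
    return classify_by_string(flow, require_port_for_weak=True)


def score(flows: List[Flow], classifier: Callable[[Flow], str], app: str) -> Dict[str, float]:
    """FP rate: other apps' flows labelled `app`. FN rate: `app` flows that were missed."""
    fp = fn = positives = negatives = 0
    for flow in flows:
        predicted = classifier(flow) == app
        actual = flow["app"] == app
        if actual:
            positives += 1
            fn += not predicted
        else:
            negatives += 1
            fp += predicted
    return {"fp_rate": fp / negatives if negatives else 0.0,
            "fn_rate": fn / positives if positives else 0.0}


if __name__ == "__main__":
    for name, clf in [("port", classify_by_port), ("string", classify_by_string),
                      ("combined", classify_combined)]:
        for app in ("http", "bittorrent", "pop3"):
            print(f"{name:9s} {app:11s} {score(FLOWS, clf, app)}")
```

Running it shows the two failure modes the slides name: the port table labels the BitTorrent handshake on port 80 as HTTP (a false positive for HTTP and a false negative for BitTorrent) and misses HTTP on port 8080, while the bare "+OK" string signature fires on the unrelated chatd greeting until the port check is added to it.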
  21. Analysis by Numerical Properties
     - A property is not only content:
       - Packet size
       - Payload/message length
       - Position within packet
     - In some cases sparse and spread over several packets
  22. Example: Sparse Match
     (diagram: bytes 35 8A 27 7F / 15 82 98 71 / A5 80 72 7F / 95 88 8A 7F shown across Connection #1 to Connection #4; "Identifying John Doe Protocol")
  23. Skype (Older Versions): Finding a TCP Connection
     (diagram of the client/server exchange: an 18 byte message, an 11 byte message, a 23 byte message, then either an 18, 51 or 53 byte message; UDP messages of N+8 and N+8+5 bytes; "Evolution")
  24. Behavior and Heuristic Analysis
     - Behavior = the way in which something functions or operates
     - Heuristic = problem-solving by experimental and especially trial-and-error methods
     - OK, but what does this mean? Examples:
       - Statistics: on average the payload size is between X and Y
       - Actions: login using a TCP connection followed by a UDP connection on a subsequent port number
     - Extremely effective analysis when the application uses encryption
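Slides 21 to 24 move from single-packet content to properties that only appear across several packets of one connection: message lengths in a fixed order, a byte at a fixed position, and statistics such as the mean payload size. The script below is an added example, not code from the presentation or from any DPI product; it keeps per-connection state so a signature can be matched packet by packet. The length sequence 18, 11, 23, then 18/51/53 bytes follows what slide 23 lists for TCP connections of older Skype versions, but everything else is constructed: the byte-at-offset check, the decision to ignore message direction (the slide does not say which side sends which message), the "small-keepalive" heuristic with its 30 to 60 byte window, and the sample flows.

```python
"""Multi-packet DPI signatures on numerical properties and behaviour.

Added example; not code from the presentation or from any DPI product.
A flow is a constructed list of payload byte strings in arrival order on one
connection (both directions merged). Two detector kinds are shown:

  * SequenceTracker: per packet index, an accepted set of payload lengths
    and, optionally, one byte that must sit at a given offset (a sparse
    match spread over several packets). The lengths 18, 11, 23, then
    18/51/53 are those slide 23 lists for older Skype versions; the byte
    check is invented for illustration.
  * StatsHeuristic: mean payload length within [lo, hi] once at least
    min_pkts packets have been seen ("average payload size is between X and Y").
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    lengths: frozenset                          # accepted payload lengths
    byte_at: Optional[Tuple[int, int]] = None   # (offset, value) that must be present

    def matches(self, payload: bytes) -> bool:
        if len(payload) not in self.lengths:
            return False
        if self.byte_at is None:
            return True
        offset, value = self.byte_at
        return len(payload) > offset and payload[offset] == value


class SequenceTracker:
    """Keeps, per connection, how far the packets seen so far follow the steps."""

    def __init__(self, name: str, steps: List[Step]):
        self.name = name
        self.steps = steps
        self.progress: Dict[str, Optional[int]] = {}  # conn -> next step; None = ruled out

    def observe(self, conn: str, payload: bytes) -> bool:
        """Feed one packet; return True once the whole sequence has been seen."""
        idx = self.progress.get(conn, 0)
        if idx is None:
            return False
        if idx >= len(self.steps):
            return True                      # matched earlier; later packets do not undo it
        if not self.steps[idx].matches(payload):
            self.progress[conn] = None       # first deviation rules this signature out
            return False
        self.progress[conn] = idx + 1
        return idx + 1 == len(self.steps)


class StatsHeuristic:
    """Flags a connection whose mean payload length falls inside [lo, hi]."""

    def __init__(self, name: str, lo: float, hi: float, min_pkts: int):
        self.name, self.lo, self.hi, self.min_pkts = name, lo, hi, min_pkts
        self.sizes: Dict[str, List[int]] = {}

    def observe(self, conn: str, payload: bytes) -> bool:
        sizes = self.sizes.setdefault(conn, [])
        sizes.append(len(payload))
        return len(sizes) >= self.min_pkts and self.lo <= mean(sizes) <= self.hi


def build_detectors() -> Tuple[SequenceTracker, StatsHeuristic]:
    seq = SequenceTracker("skype-like-tcp", [
        Step(frozenset({18})),
        Step(frozenset({11})),
        Step(frozenset({23}), byte_at=(0, 0x7F)),   # constructed sparse byte check
        Step(frozenset({18, 51, 53})),
    ])
    stats = StatsHeuristic("small-keepalive", lo=30, hi=60, min_pkts=4)  # constructed window
    return seq, stats


def classify(flows: Dict[str, List[bytes]]) -> Dict[str, str]:
    """Label each connection; a full sequence match outranks the statistical rule."""
    seq, stats = build_detectors()
    verdicts = {}
    for conn, packets in flows.items():
        seq_hit = stats_hit = False
        for payload in packets:
            seq_hit = seq.observe(conn, payload) or seq_hit
            stats_hit = stats.observe(conn, payload)   # re-evaluated on every packet
        verdicts[conn] = seq.name if seq_hit else stats.name if stats_hit else "unknown"
    return verdicts


FLOWS: Dict[str, List[bytes]] = {   # constructed sample traffic
    "c1": [b"\x7f" * 18, b"A" * 11, b"\x7f" + b"B" * 22, b"C" * 51],  # full sequence
    "c2": [b"\x7f" * 18, b"A" * 11, b"X" + b"B" * 22, b"C" * 51],     # lengths fit, byte does not
    "c3": [b"k" * 30, b"k" * 40, b"k" * 35, b"k" * 45, b"k" * 38],    # mean 37.6: heuristic fires
    "c4": [b"GET / HTTP/1.1\r\n" + b"x" * 500, b"y" * 1400],          # neither detector
}

if __name__ == "__main__":
    for conn, label in classify(FLOWS).items():
        print(conn, label)
```

Connection c2 shows why the sparse byte check is part of the signature: its message lengths alone would pass, and a length-only rule would produce exactly the kind of false positive slide 14 warns about. The statistical rule is deliberately re-evaluated on every packet because, unlike the sequence, a mean can drift back out of its window as the connection goes on.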
  25. Example: HTTP vs. BitTorrent (Handshake)
     (diagram only; no text recovered)
  26. DPI in Real Life
     - Network visibility: the key to understanding how bandwidth is utilized
       - Which application?
       - Which user?
       - When? Where?
     - Traffic management (application control)
       - Block
       - Shape (limit, QoS, QoE)
     - Service management (subscriber control)
       - Associate a connection (IP X.Y.Z.W) with a user and its service use policy
  27. Example: What's Happening On the Network?
     (chart annotations: "P2P Virtual Channel congested"; "Drill down to find out what's creating excessive traffic"; "Graph shows that eDonkey is congesting traffic"; "Drill down to find out who is using this application"; "Heavy bandwidth user identified precisely!")
  28. Thank You