digging deeper into deep packet inspection (dpi)

Digging Deeper Into DPI Network Visibility & Service Management Jay Klein May 2007


TRANSCRIPT

Page 1: Digging Deeper Into Deep Packet Inspection (DPI)

Digging Deeper Into DPI: Network Visibility & Service Management

Jay Klein

May 2007

Page 2: Digging Deeper Into Deep Packet Inspection (DPI)

2 May 19, 2010

Outline

Origins of the Problem

Complexity

DPI for Security vs. DPI for Application Control

DPI - Glance through the basics

Page 3: Digging Deeper Into Deep Packet Inspection (DPI)

Market Trends and Drivers: Bandwidth

Broadband becoming ubiquitous

High penetration rates (over 50% in Korea, Taiwan, Holland and Canada)

Over 50% of on-line households are BB

Telcos are upgrading infrastructure:

ADSL2+ (20-25Mbps)

VDSL2 (20-30Mbps)

FTTx

Bandwidth per user is ramping up:

BW expected to reach 20M by 2010 (source: IDC, 2006)

More Bandwidth

More Applications

Page 4: Digging Deeper Into Deep Packet Inspection (DPI)

Market Trends and Drivers: Applications

P2P applications continue to be highly popular

Average of 40-60% of overall BW

More applications use encryption

BitTorrent, eMule, Ares

Content providers seem to adopt P2P

Warner Bros to sell films via BitTorrent

Scalability

P2P VoIP Ents. Online Gaming

Page 5: Digging Deeper Into Deep Packet Inspection (DPI)

Market Trends and Drivers: Applications

Numerous Internet VoIP providers:

Skype, Vonage, GoogleTalk, Yahoo!

Voice, Net2Phone

VoBB subscribers increased rapidly in 2005/6

More SPs offer Voice & Data services bundled together

Page 6: Digging Deeper Into Deep Packet Inspection (DPI)

Market Trends and Drivers: Applications

Usage of streaming applications increasing dramatically

YouTube – 100M videos/day

Numerous new Web-TV services launched

BBC, In2TV etc.

Skype to launch Venice Project – a Web TV service

Telcos launching IPTV services: Pay-TV and VOD

More than just a service differentiator

Page 7: Digging Deeper Into Deep Packet Inspection (DPI)

Market Trends and Drivers: Applications

Consoles & PC offer “over the network” gaming experience

Stringent Bandwidth & Latency requirements

Page 8: Digging Deeper Into Deep Packet Inspection (DPI)

The Complexity

Numerous Applications - Many Protocols

Same Application – Different Implementations

Bittorrent has more than 30 different client implementations

IM or VoIP may deliver the same experience but don’t use similar protocols

Evolving Architectures

Skype evolved from Kazaa maintaining more or less the network topology

Joost (Venice Project) has just done the same

Page 9: Digging Deeper Into Deep Packet Inspection (DPI)

The Complexity

Mixture of Technologies, Diverse deployment scenarios

Various Clients: PC, Smartphone, Gaming Console

Client’s network surroundings: Firewall/NAT, Proxy

Monitor or Traffic Shape

Symmetric vs. Asymmetric

Frequent Updates

Can vary from twice a year to every month

Easy to enforce upgrade policy with quick reaction time

Typically will affect protocol format

Page 10: Digging Deeper Into Deep Packet Inspection (DPI)

The Complexity

Use of Encryption (Obfuscation)

Primarily designed to counter the operator’s throttling and monitoring efforts (eMule, Bittorrent)

In some cases protect proprietary implementation (Skype)

Cannot generalize - Need to differentiate use

“Good” (legit streaming, SW updates) vs. “Bad” (pirated file sharing) P2P

Need to recognize application subtleties for proper actions

Example: MSN IM – block VoIP & Streaming, allow Chat

Page 11: Digging Deeper Into Deep Packet Inspection (DPI)

DPI – Application Space vs. Security Space

Comparable in the sense of “Deep”, “Packet” & “Inspection”

Different Core Competence

Similar tools yet different know-how

Some “gray area” in the middle (e.g., basic DDoS)

When DPI aimed at applications

Applications = Services, typically “invited” by Operator, End-user or both

When DPI is aimed at security risks

Risks = Weaknesses in Network & OS behavior

Need to deal with hostile “applications”, “services”

Page 12: Digging Deeper Into Deep Packet Inspection (DPI)

DPI – Application Space vs. Security Space

DPI for Security - Inspects L3/4 and complements with L7 info if required

DPI for Security often samples the data stream, indicates a trend and recommends an action

When DPI is aimed at applications, it starts at L7 and tracks and learns the specific service

DPI for Applications must examine each connection and accurately identify and classify it before taking any action beyond monitoring

Page 13: Digging Deeper Into Deep Packet Inspection (DPI)

Packet Inspection

Analyze encapsulated content in packet’s header and payload

Content may be spread over many packets

Different research and analysis tools are combined

The end result – a library of “signatures”

For each protocol/application a “Unique” Fingerprint set is found

Signatures may change over time

Page 14: Digging Deeper Into Deep Packet Inspection (DPI)

False Positives

The likelihood that application connections are caught by signatures of other applications

Some traffic is misidentified / misclassified

Signatures are too weak

Reason: Different protocols exhibit similar behavior or data patterns

Strengthen the signature by combining several techniques, leading to a complex and robust signature

Target 0% FP for controlling purposes

Page 15: Digging Deeper Into Deep Packet Inspection (DPI)

False Negatives

The likelihood that application connections are not caught by their designated signatures

End result – some portion of the suspected application traffic is not detected

Why? Signatures don’t cover all protocol occurrences

Examples:

IM = Chat, Streaming, Gaming, VoIP…

Environment – Proxy, NAT

Page 16: Digging Deeper Into Deep Packet Inspection (DPI)

Shallow (Standard) Packet Inspection

Header info reveals communication intent

Page 17: Digging Deeper Into Deep Packet Inspection (DPI)

Deep Packet Inspection

Information regarding connection state

Signature over several packets found

Page 18: Digging Deeper Into Deep Packet Inspection (DPI)

18 May 19, 201018

Analysis by Port

Reasoning:

Many applications and protocols use a default port

Example: email

Incoming POP3: 110 (995 if using SSL)

Outgoing SMTP: 25

The Good - It’s easy, The Bad - It’s too easy

Many applications disguise themselves (e.g., Port 80)

Port hopping ⇒ large range, overlapping apps

Page 19: Digging Deeper Into Deep Packet Inspection (DPI)

Analysis by String Match

Reasoning:

Many applications have pure textual identifiers

Easy to search for

Very easy if in a specific location within a packet

Uniqueness not always guaranteed

Page 20: Digging Deeper Into Deep Packet Inspection (DPI)

String Match Example

Page 21: Digging Deeper Into Deep Packet Inspection (DPI)

Analysis by Numerical Properties

Property is not only content:

Packet size

Payload/message length

Position within packet

In some cases sparse and spread over several packets

Page 22: Digging Deeper Into Deep Packet Inspection (DPI)

Example: Sparse Match

Identifying John Doe Protocol

Figure: first bytes of four connections

Connection #1: 35 8A 27 7F

Connection #2: 15 82 98 71

Connection #3: A5 80 72 7F

Connection #4: 95 88 8A 7F
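
A sparse-match signature as an added example (not code from the slides): a few masked byte positions, optionally spread over several packets of one flow, are checked against the four connections shown above. Which byte positions make up the "John Doe" signature is an assumption of this example; the connection bytes are the slide's.

```python
# Added example: sparse signature matching over masked byte positions.
# A rule is (packet index within the flow, byte offset, bit mask, expected value),
# so a signature can pick bytes that are sparse and spread over several packets.
# The rule set below is an assumption for this example, not from the slide.
JOHN_DOE_SIGNATURE = [
    (0, 0, 0x0F, 0x05),  # low nibble of the first byte is 5
    (0, 1, 0xF0, 0x80),  # high nibble of the second byte is 8
    (0, 3, 0xFF, 0x7F),  # fourth byte is exactly 0x7F
]


def matches_sparse(flow, signature):
    """Return True only if every masked position in the signature matches.

    flow is a list of packet payloads (bytes) in arrival order. A packet or
    byte that is absent can never satisfy a rule, so short flows and short
    payloads return False rather than raising or matching by accident.
    """
    for pkt_idx, offset, mask, value in signature:
        if pkt_idx >= len(flow) or offset >= len(flow[pkt_idx]):
            return False
        if flow[pkt_idx][offset] & mask != value:
            return False
    return True


# Constructed sample flows: the first packet of each connection, bytes as on the slide.
CONNECTIONS = {
    1: [bytes.fromhex("358A277F")],
    2: [bytes.fromhex("15829871")],
    3: [bytes.fromhex("A580727F")],
    4: [bytes.fromhex("95888A7F")],
}


def classify_all(connections=CONNECTIONS, signature=JOHN_DOE_SIGNATURE):
    """Map each connection id to whether the sparse signature matched."""
    return {cid: matches_sparse(flow, signature) for cid, flow in connections.items()}


if __name__ == "__main__":
    for cid, hit in classify_all().items():
        print(f"Connection #{cid}: {'John Doe' if hit else 'unknown'}")
```

With this rule set connection #2 fails on its fourth byte (0x71), which is the kind of near miss a weak two-position signature would have swallowed as a false positive.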

Page 23: Digging Deeper Into Deep Packet Inspection (DPI)

Skype (Older Versions): Finding a TCP Connection

Figure (client/server UDP messages): 18 byte message; 11 byte message; 23 byte message; either 18, 51 or 53 byte message; N+8; N+8+5; Evolution

Page 24: Digging Deeper Into Deep Packet Inspection (DPI)

Behavior and Heuristic Analysis

Behavior = the way in which something functions or operates

Heuristic = problem-solving by experimental and especially trial-and-error methods

OK, but what does this mean? Examples:

Statistics: on average, payload size is between X and Y

Actions: Login using TCP connection followed by a UDP connection on subsequent port number

Extremely effective analysis when application uses encryption
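
As an added example (not from the slides), two of these flow-level heuristics in Python: the message-length sequence from the older-Skype slide (18, 11, 23, then 18, 51 or 53 bytes, with message direction ignored) and the "login over TCP followed by a UDP connection on a subsequent port" action rule. The +1 port offset, the time window and the sample records are assumptions constructed for this example.

```python
# Added example: length-sequence and action-sequence heuristics for a flow.
# Sizes come from the slide; what "subsequent port" means (+1 here) and the
# two-second window are assumptions of this example.
LENGTH_SEQUENCE = [{18}, {11}, {23}, {18, 51, 53}]  # allowed sizes, in order


def matches_length_sequence(message_sizes, sequence=LENGTH_SEQUENCE):
    """True if the first len(sequence) messages of a flow fit the size pattern.

    Undecidable (too few messages seen) is reported as no match, so a
    controlling action is never taken on an incomplete observation.
    """
    if len(message_sizes) < len(sequence):
        return False
    return all(size in allowed for size, allowed in zip(message_sizes, sequence))


def tcp_then_udp_on_next_port(events, max_gap=2.0, port_delta=1):
    """Flag source IPs that open a TCP connection and, within max_gap seconds,
    start a UDP flow from source port + port_delta.

    events: (timestamp, proto, src_ip, src_port) tuples in time order.
    """
    last_tcp = {}   # src_ip -> (timestamp, src_port) of the latest TCP connection
    flagged = set()
    for ts, proto, ip, port in events:
        if proto == "tcp":
            last_tcp[ip] = (ts, port)
        elif proto == "udp" and ip in last_tcp:
            tcp_ts, tcp_port = last_tcp[ip]
            if ts - tcp_ts <= max_gap and port == tcp_port + port_delta:
                flagged.add(ip)
    return flagged


# Constructed sample data
FLOW_A = [18, 11, 23, 51, 120]   # fits the pattern
FLOW_B = [18, 11, 23, 40, 120]   # fourth message size not in {18, 51, 53}
EVENTS = [
    (0.0, "tcp", "10.0.0.5", 40001),
    (0.4, "udp", "10.0.0.5", 40002),   # UDP from the next port: rule fires
    (1.0, "tcp", "10.0.0.9", 50010),
    (1.5, "udp", "10.0.0.9", 53),      # unrelated UDP flow: no match
]

if __name__ == "__main__":
    print(matches_length_sequence(FLOW_A), matches_length_sequence(FLOW_B))
    print(tcp_then_udp_on_next_port(EVENTS))
```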

Page 25: Digging Deeper Into Deep Packet Inspection (DPI)

Example: HTTP vs. BitTorrent (Handshake)
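
An added example (not the slide's material) contrasting a fixed-position string match with a weaker anywhere-in-payload search for the HTTP vs. BitTorrent handshake case. The BitTorrent handshake layout (a length byte of 19 followed by "BitTorrent protocol") and the HTTP request-line shape are protocol facts, not taken from the slide; the sample payloads are constructed.

```python
# Added example: positional string match vs. a weak "anywhere" match on the
# first bytes a client sends. Sample payloads are constructed for this example.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
BT_PSTR = b"BitTorrent protocol"   # pstr of the BitTorrent peer handshake


def classify_handshake(payload):
    """Classify by a match at a specific location within the first message."""
    n = len(BT_PSTR)
    # BitTorrent: one length byte (19) followed immediately by the pstr
    if len(payload) > n and payload[0] == n and payload[1:1 + n] == BT_PSTR:
        return "bittorrent"
    # HTTP: a method at offset 0 and a request line that ends with the version
    if payload.startswith(HTTP_METHODS):
        line_end = payload.find(b"\r\n")
        if line_end != -1 and payload[:line_end].endswith((b"HTTP/1.0", b"HTTP/1.1")):
            return "http"
    return "unknown"


def naive_classify(payload):
    """Weak signature: the token may appear anywhere, so any payload that
    merely carries the string (a form post, a file) is misclassified."""
    if BT_PSTR in payload:
        return "bittorrent"
    if b"HTTP/1." in payload:
        return "http"
    return "unknown"


# Constructed sample payloads
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
BT_HANDSHAKE = bytes([19]) + BT_PSTR + bytes(8) + bytes(20) + bytes(20)
LOOKALIKE = b"POST /notes HTTP/1.1\r\nHost: example.com\r\n\r\ntext=BitTorrent protocol"

if __name__ == "__main__":
    for name, p in [("http", HTTP_REQ), ("bt", BT_HANDSHAKE), ("lookalike", LOOKALIKE)]:
        print(name, classify_handshake(p), naive_classify(p))
```

The LOOKALIKE request is where the two differ: the positional match reports http, the anywhere match reports bittorrent, which is exactly the false positive that the earlier slides say must be driven to zero before a signature is used for control.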

Page 26: Digging Deeper Into Deep Packet Inspection (DPI)

DPI in Real Life

Network Visibility – The key for understanding how bandwidth is utilized

Which application?

Which user?

When? Where?

Traffic Management (Application Control)

Block

Shape (limit, QoS, QoE)

Service Management (Subscriber Control)

Associate connection (IP X.Y.Z.W) with a user and its service use policy

Page 27: Digging Deeper Into Deep Packet Inspection (DPI)

Example - What’s Happening On the Network?

Graph shows that eDonkey is congesting traffic

Drill down to find out who is using this application

Heavy bandwidth user identified precisely!

P2P Virtual Channel congested

Drill down to find out what’s creating excessive traffic

Page 28: Digging Deeper Into Deep Packet Inspection (DPI)

Thank You