Deep packet inspection – or DPI – is a data processing technique that analyzes packets as they pass through a network. Once analyzed, these packets can be filtered in real time and rerouted if they don't meet certain user-defined criteria.
DPI allows you to monitor network usage as well as bolster security by picking out viruses and more, but can also be used for far more unpleasant tasks – like enforcing censorship and creating vulnerabilities. But what else can DPI do, and how does it work?
What is Deep Packet Inspection?
Before we answer this question, we need to look at another – what's a packet?
A packet is a small piece of data, one single unit, and any information that you send or receive over the internet is made up of packets – this includes emails, images, and instant messages. Packets are the lifeblood of the internet, and travel through a network towards their destination like cells in the human body.
Packets are made up of data content (pertaining to what they are – like a gif or email, etc), and a header, and it's this header that controls the packet's journey. It determines where they come from, where they're going, and how they should be handled by any routers they encounter.
There are a number of ways to monitor these packets. Static, or stateless, packet filtering is one such option – and the router in your house could do this – but it's considered an inelegant technique, seeing as it only reads a packet's header.
Deep packet inspection is the result of constantly evolving technology and operates at the application layer of the Open Systems Interconnection (OSI) model. With DPI, both the header and payload of an individual packet are examined.
As a data packet passes through a checkpoint on a monitored network, DPI evaluates its contents, and makes decisions in real-time about what to do with the packet. An ISP, network administrator, or savvy individual can determine these actions, and use deep packet inspection as a means to weed out viruses, clamp down on protocol non-compliance, and detect intrusions. It's also possible to dictate whether packets can continue on to their intended destination or be rerouted elsewhere.
However, DPI can harm as well as help – governments can use deep packet inspection to monitor user habits and even enforce censorship. The Chinese government is a prominent example of the latter, and uses DPI to monitor traffic constantly for keywords and packets containing sensitive information which, if found, can cause the termination of the connection in question.
What is Deep Packet Inspection Used for?
Deep packet inspection allows an individual or organization to manage their network at a granular level, in order to secure it, ensure a smooth service, or, as mentioned above, to eavesdrop. Let's take a look at some of the other daily uses of DPI:
Bolstering Firewalls and IDS
DPI can be used alongside firewalls and intrusion detection systems to deter all sorts of threats that might have otherwise gone unnoticed. The advanced capabilities of deep packet inspection mean that threats are detected before they reach the end-user, and firewalls that once relied on stateless packet inspection can offer a much more robust security service.
From time to time, copyright holders will call upon ISPs to do their best to prevent their content from being downloaded illegally. Typically, those ISPs will rely on DPI. By doing so, ISPs can take a peek at user traffic and monitor packet content, senders, and destinations to sniff out P2P activity.
DPI and its filtering criteria can be hugely impactful when it comes to preventing information leaks – whether they're accidental or malicious. If a hacker or staff member tried to send an email containing sensitive or confidential details, DPI would require them to first gain the necessary clearance and permissions before proceeding.
By using DPI, network management can pick and choose which data packets make it to their destinations first. This comes in handy for shaping and maintaining the steady flow of network traffic. High-priority messages that may be vital to an operation can be tagged and routed to their destinations before more ordinary low-priority messages.
Viruses, worms, malware and more – there are always threats lurking out there in cyberspace, and they can wreak havoc if left unchecked to spread through a company's network. DPI measures, however, can pick out these intrusions before they damage endpoints or end-users, and can highlight traffic patterns that security teams can use to determine future threats.
More often than not, folks engaging in P2P activity are dealing with large files – we're talking movies, games, and applications. It takes a lot of bandwidth to transfer this data, and ISPs can employ DPI to throttle the rate of transfer in order to prevent other users from experiencing a sluggish service, especially at peak times.
A note on net neutrality
As you've no doubt gathered, deep packet inspection is an incredibly powerful tool – and plenty of privacy advocates and organizations have asked whether it's entirely too powerful. DPI gives organizations the ability to peer into packets and determine the sender and receiver, and collect a user's browsing habits and interests. This is a lot of information, and it can all be examined without consent!
Supporters of net neutrality point to how oppressive governments already use DPI to censor the web, and discussion is rife over whether DPI is actually harming privacy more than helping it.
Deep Packet Inspections – are there limitations?
For better or worse, there's no process or technique out there that's going to be completely flawless or foolproof. DPI is no exception. It's a double-edged sword; just as you could use deep packet inspection to prevent the spread of malware, DDoS attacks and buffer overflows, you could also use it to create vulnerabilities in a network that can then be targeted during an attack.
What's more, deep packet inspection could make your existing firewalls and security software incredibly difficult to use. The added complexity of DPI means that it requires constant updates and revisions to stay effective, and because your firewall processors will be under more demand, you might find that your network speeds become sluggish as a result.
DPI can also be stopped in its tracks by a VPN. A VPN creates an encrypted tunnel between a user's device and a server, and as such, deep packet inspection can't examine the contents of any packets that pass through the tunnel. Cracking the encryption isn't impossible, but the monumental amount of time and effort it would take means most hackers don't consider it worthwhile. Check out our "what is a VPN" guide to learn more about these services.
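The contrast between header-only (stateless) filtering and deep packet inspection, and the effect of an encrypted tunnel on payload inspection described above, shown as an added example that is not part of the original article. The packet contents, port policy, signature string and the XOR keystream standing in for a VPN are all constructed for illustration.

```python
import hashlib
import struct

SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"   # constructed sample signature
ALLOWED_PORTS = {80, 443}                   # hypothetical header-only policy

def build_packet(dst_port, payload):
    """Build a minimal IPv4+TCP packet (checksums left at 0; constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp + payload

def parse(packet):
    """Return (dst_port, payload), honouring the IHL and TCP data-offset fields."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 20 or packet[9] != 6:
        raise ValueError("not a complete IPv4/TCP packet")
    dst_port = struct.unpack_from("!H", packet, ihl + 2)[0]
    data_off = (packet[ihl + 12] >> 4) * 4
    return dst_port, packet[ihl + data_off:]

def stateless_filter(packet):
    """Header-only decision: allow if the destination port is permitted."""
    dst_port, _ = parse(packet)
    return "allow" if dst_port in ALLOWED_PORTS else "drop"

def dpi_filter(packet):
    """Header plus payload: also drop when the payload carries the signature."""
    dst_port, payload = parse(packet)
    if dst_port not in ALLOWED_PORTS or SIGNATURE in payload:
        return "drop"
    return "allow"

def tunnel_encrypt(payload, key):
    """Stand-in for a VPN tunnel: XOR with a SHA-256 keystream (demo only, not real crypto)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(payload) // 32 + 1))
    return bytes(a ^ b for a, b in zip(payload, stream))

if __name__ == "__main__":
    body = b"POST /upload HTTP/1.1\r\n\r\n" + SIGNATURE
    clear = build_packet(80, body)
    tunnelled = build_packet(443, tunnel_encrypt(body, b"constructed-key"))
    for name, pkt in (("clear", clear), ("tunnelled", tunnelled)):
        print(name, stateless_filter(pkt), dpi_filter(pkt))
```

The header-only filter passes both packets; the payload check drops the cleartext one and has nothing to match once the same bytes are encrypted, which is why a monitored network can only apply header and metadata policy to tunnelled traffic.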