I had no idea of the capabilities of these devices, and their possible uses in companies (where they could become de rigueur) or ISPs (where they could become the new controversial big-brother machines). Very informative!
That is high praise. I've been keeping tabs on this technology ever since the .govs wanted the ability to read everyone's email. At that time I didn't understand how they could filter that much traffic effectively; now I, and hopefully everyone else, have a better idea of how it happens.
DPI is the defining difference between firewalls and IPSes, for YEARS now! This is not a new thing. IPSes look at the entire packets, firewalls - the headers only.
Holy smokes, DDoS attacks have been thwartable by IPSes (since they are layer 7 devices) for years now! The only problem with stopping DDoS attacks is that the problem has to be STOPPED as close to the SOURCES as possible. It's not IF it can be done, it's where you stop them from. Traditionally ISPs have ignored requests to police such attacks. They are more concerned with moving traffic rather than trying to monitor it, which can cause traffic delays. TARGETS cannot effectively stop DDoS attacks.
Traffic shaping has traditionally been accomplished using the header information only. Traffic shaping has been around a very long time, and does not require DPI, in fact, it's better for all around speed (Router/switch CPU and throughput) if shaping is done at the header level.
The only thing NEW about DPI is the speed at which they are ever-increasingly attaining these days. They have yet to be fast enough for ISP speeds however, and maybe this is a new breakthrough.
That is all I am going to comment on, there are many more problems with this article and I don't think it's conducive to point out every mistake, I just think it's a little disappointing.
Your comments are well taken and for the most part I agree with you.
My intent wasn't to report about new technology. It was to make the members aware of what ISPs are now starting to install and how it affects them, as there's another piece to the puzzle that relies on DPI.
Hello Dr. Dij,
I just thought I'd let you know that the article about behavioral targeting is now out.
http://blogs.techrepublic.com.com/networking/?p=612
This is another infringement of our privacy. Big brother is already monitoring all our telephone calls, monitoring our internet habits with a program called Carnivore and watching us on cameras all over the place. I guess they will start opening our US Mail and packages from UPS and FedEx next. This totally burns me up. If it gets any worse, I'm thinking about just shooting my computer like the man did his lawnmower.
DPI can be a good thing or a bad thing. It just depends on how it is used. I'm afraid everyone is very pessimistic that a powerful tool like this will be used correctly though.
Is this what China uses to block reporters content from leaving the country? Or a similar technology? Or do they just block all content? Not sure how that works
As they are scanning all incoming and outgoing traffic for the entire country, they would need something like DPI that scans deep enough and fast enough.
...like opening up my suitcase after arriving at my destination to find a TSA card inside saying that they inspected it. This was bound to happen someday. I guess we'll need to use application level encryption so that the "criminals" can't glean our private information.
This has been happening all along, 9/11/2001 brought the whole thing to the forefront.
Being a Comcast home subscriber (only one other lesser competitor in our area), I already had to encrypt my BitTorrent packets in order for it to continue functioning.
I now provide TLS over my mail servers and can and will provide whole disk encryption in the future.
I will also blab to the press about the government holding me and/or my data hostage after they hold me at gun point to get it. There will not be a second time, I won't elaborate... only to say that I believe in the US Constitution as it was written and not our Government!
My next article about Behavioral Targeting. If anything, go to the .gov web site and read what Comcast has to say about their Behavioral Targeting efforts.
http://blogs.techrepublic.com.com/networking/?p=624
Thank you for your own DPI. Aside from the technical case of reverse engineering, I do look forward to your treatment of both the sieve and defeat parameters.
I always appreciate your comments. It is an interesting subject to be sure. What I find amazing is that there isn't more being said about this.
I understand that "resistance is futile" when considering the .govs and their wanting to read everyone's email. Where I get concerned is when business entities are starting to do this without any oversight. Mission creep is easy to accomplish.
a higher profile on the web! Seanferd just turned me on to how to find your articles on TR! I've tried before without much luck.
I must be something of a klutz on this site, because I don't have this trouble anywhere else!
Oh well; I am a klutz; No -- more like a clod hopper! HA!
Damn. Can't even (don't think I'd want to if I could) foresee the large scale control potential of this technology.
edit: I thought I had something else to add, but it won't clarify. Must be of ugly consequence.
I guess my concern is focused on how the commercial market intends to handle this. It's significant power and control with very little oversight at this time.
My next article will go into depth about the business model that's starting to make inroads in the UK and US.
as paranoid as I am on network security, I'm strangely reticent on privacy in a wide open wild west kind of packet-exchange world.
I know I should be concerned, but just don't know where to efficiently focus my energies!
It's an amazing technology that's not very well known. Not sure why. My concern is where the technology appears to be going in the private sector. It can be a good thing if handled correctly.
I just don't know where it becomes intrusive. Is it OK to filter out an attachment that contains a rootkit or is that invasion of privacy? It's tough to get a handle on.
It's kind of a catch-22. We would love to feel safe because an entity out there is keeping spyware/malware and other viruses out of our systems, but then again, we like police officers breaking into crack houses, but don't want them anywhere near the inside of our homes.
It is a difficult topic, I wonder if that's why it hasn't been heavily discussed?
I don't think that there has been much said about DPI because they (the powers that control/use it) want it generally known. This I believe would bring about the scrutiny they probably don't want.
Thanks for the information, by the way. Good set of articles. I was definitely enlightened.
BB
I plan to keep on top of several topics that are quite volatile at this time. It's my goal to make sure that all the members of TR are informed of what's happening in this realm.
Your comments are very much appreciated
As you point out; what if I wanted that rootkit to come down the pipe and into my machine? Worse still, what if I wanted that rootkit to go out my connection and into a machine under my care?
BO was originally developed as a backdoor but still finds as much valid use by admins as it does by security professionals and those of lesser ethical standing.
If I finally get my honeyd setup and Rogers starts filtering out the "interesting" traffic I'll be some pissed. It's bad enough now with them harassing me over having open ports on the outside of my router.
"We have detected a possible security risk on your connection"
"I know, I put it there and it is not a risk, it's an intentionally open port with a secured daemon behind it. Did your keyboard monkey manage to get in or did they just see the notice in their port scanner?"
(tangent rant I know; I just wish I could find a highspeed ISP that provided connectivity rather than "value add" services like protecting me from other subscriber's mistakes.)
Neon Samurai, you have hit the nail on the head. the "greater good versus privacy" is a very real issue. Solving it will be a challenge.
The false positive issue you mentioned is and has been a problem with AV applications and their signature files as well.
I'm interested, like the others, for the next few writeups you've hinted at. Like any really interesting technology, it has a huge potential for abuse and benefit.
Heck, if the only outcome is driving the more paranoid general public to learn about encrypting traffic; that's still a huge step forward in home user education that causes benefit without being legislated into existence.
Hello Neon Samurai,
I thought I'd let you know that the second article is out:
http://blogs.techrepublic.com.com/networking/?p=612
I'd opened that one in another tab but hadn't yet read down through the window stack to see that it was the follow-up. Cheers for the link.
ISPs do not contact customers because they have an open port. Nor do they perform security risk assessments.
An ISP MAY contact you if you are part of a DDoS attack to some other target. That's about it.
Honeyd are nice toys, but that is all they are. Toys. For kids.
ISPs are very valuable in stopping DDoS attacks. I'm glad if they could provide that service.
Concerning the rootkit, if you're advocating the free use thereof, I do not agree. At all. There is no legitimate reason to allow rootkit exploit execution code to roam freely.
ISPs in this area do contact customers depending on what ports are open. In the past, I've been contacted for having port 21 open. They only recognized the open port and fired off a form letter. I didn't have the port open by accident or insecurely; it provided me access to my files only so it wasn't even a bandwidth issue.
Tell me again how "ISPs do not contact customers because they have an open port"
I have also been contacted for traffic volumes disproportionate to the other subscribers in my area. I download distributions of Linux and other OS, they don't. In that case, I can see how they would think of potential DDoS activity but it's really about their not upgrading infrastructure.
Honeyd is a single program though there are others that provide honeynet functions. I'm curious about why you feel it's nothing more than a child's toy though. Have you experience in security and honeypots? What is the "grown up" approach if Honeyd is for kids?
ISPs can be valuable in stopping hostile network traffic (DDoS and others) but I said nothing for or against that. My point was that I want an ISP that provides me the bandwidth I pay for and does not give me grief when I use my bandwidth how I choose safely and within the limits of the law. That means not bugging me for providing myself with an ftp daemon or any other network service that does not affect other subscribers.
Rootkits are not always built with hostile code. BO was intended as a backdoor and has found just as much use by legitimate administrators as it has by others. It can be configured with no hostile modules then installed as a remote administration or info security tool.
If ISPs are required to perform deep packet inspection and active AV services, will they block my configured BO on its legitimate way to a machine in my care? Perhaps I get really crazy and use a worm as a carrier to patch the very issue it exploits. Will the ISP's required DPI block my own remote administration of the patch distribution because of the carrier rather than the payload? VNC is a very popular remote desktop program and also very popular as a backdoor included in rootkits; will the ISP's DPI block use of VNC because one potential use is malicious?
I'm not talking about releasing malicious code into the Internet indiscriminately. Besides, code is just code and in some cases there can be very creative and legitimate reasons to use something commonly employed for malicious means; just like so many programs developed for legitimate uses are also employed for malicious goals.
I wish I could give you a Thumb.
Except for that juvenile honeyd toy.
causing open ports on "smart" routers.
AT&T has stopped arguing with me when they call; they just reset the IP, and voila! All fixed!
But then, I'm not trying to put forth an openly shared server. I've had enough troubles just trying to keep a workstation clean without a DMZ!
Sounds like a LOT of fun, for the crime cracker warrior!!!
My wife thinks I am slightly paranoid about privacy. This article shows I am not nearly paranoid enough.
I'm going to discuss it in more depth in the next article, but in almost all cases that I know about the ISP normally informs the user about DPI. It may be in very fine print in the EULA or an email sent out by the ISP.
Can this alarmingly uncontrolled technology be applied at higher level too? As most UK ISPs actually operate by renting bandwidth off one of a small handful of backbone providers like BT, could it be put on the backbone & operated without the user's (or maybe even the ISP's) knowledge?
Also, does anyone know if any webmail services (e.g. yahoo, gmail etc) are automatically encrypted so that these systems cannot read them?
My next article will address these very issues. The UK has several good laws that are coming into play about this. The Register is one place to go to read about what is happening in the UK.
As for encrypted web email, as far as I know that can be scanned, but ends up being gibberish to DPI. Please remember that's just the link between you, your ISP, and the web email server. I can not speak for what happens after that.
From what I know, email is wide open.
While you can be encrypted between local node and remote mail server, the traffic from sending mail server to receiving mail server travels in plain text.
I don't think there is a way to easily work towards encrypted server to server mail since all email servers would have to adopt the standard allowing for communication with any completely new and unknown server arbitrarily.
At present, the best method is to encrypt your email fully. Then you're just sending a bundle of gibberish until it reaches the recipient who can decrypt and read it. This does mean having your recipients adopt an encrypted email policy with the same issues as changing server to server transfers but on a smaller scale.
(that's my understanding anyhow)
PKI would allow this to happen. I think that there is just more overhead and cost for something that isn't a selling point at this moment. Also, most POP3 and SMTP servers do not encrypt their connectivity so if you are using Outlook express or some other email client it is likely to be unencrypted even going to the email server. I am uncertain about web mail so I have no comment on that.
Bill
POP3 and SMTP are both unencrypted so they are wide open between client to server along with server to server.
pop3s and smtps are both encrypted and I believe it is end to end so you also encrypt the authentication between two points. This protects client to server but server to server still moves by smtp in plain text.
The server can use SSL or TLS for the client connection. imap also has an encrypted imaps version of the protocol which, I believe, is also TLS.
All it would take is a way to pass only smtps between servers. The more practical solution is having the email clients use encryption by default. This seems to be the current approach though lacking in transparency for the user.
With webmail, if you connect through https then it's as good as any other website behind SSL. The webmail server is still going to move the email in plain text between servers though.
In the case of Google, I believe there is a plugin for Firefox that claims to encrypt the email. You write your email then the plugin turns it to gibberish. The mail is not actually encrypted, only the contents of it get processed by the plugin.
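To make the distinction in this thread concrete (header-only shaping versus deep packet inspection, and why pop3s/smtps/https look like gibberish to a DPI box while plain POP3/SMTP are wide open), here is an added Python model; it is not code from the article or from any commenter. The packets, port-name table and finding labels are constructed assumptions; only the TLS record-layer prefix check reflects the real protocol.

```python
"""Added example (not from the thread): header-only classification vs. deep packet
inspection over hand-built mail packets. Intended for a defender auditing which
of their own mail flows an inline DPI device (or an ISP) could read."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


# Ports named in the discussion (587 submission added); this is all a header-only
# device gets to see. Assumed mapping, not a standards table.
PORT_NAMES = {25: "smtp", 587: "submission", 465: "smtps",
              110: "pop3", 995: "pop3s", 143: "imap", 993: "imaps", 443: "https"}

POP3_CRED = re.compile(rb"^(USER|PASS) \S+", re.M)
SMTP_AUTH = re.compile(rb"^AUTH (PLAIN|LOGIN)\b", re.M)
SMTP_ENVELOPE = re.compile(rb"^(MAIL FROM|RCPT TO):", re.M)
STARTTLS = re.compile(rb"^STARTTLS\r?$", re.M)


def classify_by_header(pkt: Packet) -> str:
    """Traditional traffic shaping: decide from the transport header (ports) only."""
    return PORT_NAMES.get(pkt.dst_port) or PORT_NAMES.get(pkt.src_port) or "unknown"


def looks_like_tls(payload: bytes) -> bool:
    """A TLS record begins with a content type (0x16 handshake, 0x17 application
    data) and a 0x03 0x0N version; everything after that is opaque to DPI."""
    return (len(payload) >= 5 and payload[0] in (0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04)


def inspect_payload(pkt: Packet) -> dict:
    """Deep packet inspection: what the device can actually read inside the packet."""
    p = pkt.payload
    if looks_like_tls(p):
        return {"readable": False, "findings": []}
    findings = []
    if POP3_CRED.search(p):
        findings.append("plaintext POP3 credentials")
    if SMTP_AUTH.search(p):
        findings.append("plaintext SMTP AUTH")
    if SMTP_ENVELOPE.search(p):
        findings.append("plaintext SMTP envelope (sender/recipient visible)")
    if STARTTLS.search(p):
        findings.append("STARTTLS requested; later packets become opaque")
    return {"readable": True, "findings": findings}


def audit(packets) -> list:
    """Per-packet report pairing the header-only verdict with the DPI verdict."""
    report = []
    for pkt in packets:
        dpi = inspect_payload(pkt)
        report.append({"header": classify_by_header(pkt),
                       "readable": dpi["readable"], "findings": dpi["findings"]})
    return report


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Packet(51000, 110, b"USER alice\r\nPASS hunter2\r\n"),                 # plain POP3 login
    Packet(51001, 995, b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),           # pop3s handshake
    Packet(51002, 25, b"MAIL FROM:<alice@example.test>\r\n"
                      b"RCPT TO:<bob@example.test>\r\n"),                  # server-to-server SMTP
    Packet(51003, 587, b"EHLO laptop\r\nSTARTTLS\r\n"),                    # submission, upgrading
    Packet(51004, 443, b"\x17\x03\x03\x00\x10" + b"\x00" * 16),           # webmail over https
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Run it and compare the "header" column with "readable": the port alone labels every flow, but only the unencrypted POP3, SMTP and pre-STARTTLS packets expose anything to inspection.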
on OWA with SSL, but then that isn't public.
Gmail only encrypts part of the way; I'm sure this is correct.
If you wanted to run your own server and supply the service to clients, I would think OWA would suffice. But this is not like having something like gmail on the cloud.
You can bet this is coming, but I would think only Google is big enough to handle it.
But that is also the same as the slap in the face done by credit card companies. Oh, good customer, we are going to raise your rates or raise the fees and there is nothing you can do about it. If you don't like it, close your account, knowing full well that most of their customers carry balances and can't cancel.
The ISP also has an advantage because in most areas there isn't any broadband competition.
Hopefully the FCC making a ruling against Comcast will be a start in the right direction towards the users getting some support.
with the horrible connotations I keep getting with this company, do they do anything that creates a value for the customer?
Besides be the only dog in town?
You did not mention HTTPS packets; will the encrypted packets be read also? How about VPN traffic?
I was going to bring that up in my next article under the ways to effectively avoid scanning by DPI.
In either case SSL/SSH and VPN traffic are protected over that particular link. DPI only sees the traffic as encrypted gibberish. The problem is what happens after that. For instance, you VPN into your office then decide to access the Internet from there?