Deep Packet Inspection and How It Blocks VPN Services


In recent times, the face of the online world has changed to become much more social than before. This has resulted in massive waves of sentiments flowing out uncontrollably and affecting sentiments of people all over the world at a rapid rate. Responding to this, Governments across the world have stepped up their online censorship and surveillance mechanisms. As of today, there are at least twenty world governments who censor their Internet traffic. Censorship of media has existed since time immemorial but to make things worse, quite a few of these governments take this effort a step further by deploying DPI (Deep Packet Inspection) which is more invasive.

What is Deep Packet Inspection?

A packet is any chunk of data sent over the Internet from your computer to the server of a website. When you browse over an insecure open network or even connect to your ISP, your ISP can capture and read these packets. To bypass this privacy and security pitfall, you can use VPN services. VPN creates a secure and encrypted tunnel between our computer and a VPN server, making it difficult to capture our Internet traffic. However, using VPNs does not always guarantee privacy. DPI (Deep Packet Inspection) technology can beat VPN encryption and can sniff and identify a lot of information from VPN packets.

How Deep Packet Inspection Works

DPI works in two parts:

  • Reads Internet packet metadata (packet headers) to identify usage patterns like torrent connections, video streams and VPN connections.
  • Reads Internet packet content (packet body) to determine the actual data being transmitted.

DPI is capable of going deep into network packets to look for data and identifiable patterns. This is done by mass examination of incoming and outgoing traffic at your ISP's firewall, where DPI operates as an added security measure. If you want a technical overview of the inner implementations of DPI, here is a discussion from Symantec blog on the usage of DPI techniques in firewalls.

What Are the Uses of Deep Packet Inspection?

Before we go on to mention how Governments around the world use DPI wickedly, it is worth mentioning that DPI has legitimate uses too. DPI is ideally intended for use in network traffic management. But the truth is, we do not live in an ideal world.

The Good

  • DPI is useful in implementations of enterprise firewall, where local laws block some content for data security and compliance. Internet companies in China have to block specific political content to operate in China.
  • DPI can help protect enterprise networks from hacking attacks by identifying network intrusions well in advance. With DPI, it becomes easy to identify and stop DDoS attacks by checking incoming and outgoing packet contents at the firewall.
  • Using DPI, network providers can maintain a certain level of QOS (Quality of Service) over a network for all users and prevent network congestion. For example, there is a particular group of users who like watching YouTube videos at work. They cannot slow down the network for everyone else and hence get YouTube streams capped at 480p. This is implemented using DPI.

The Bad

In the greater scheme of things, there is always a cat and mouse game over the Internet called online privacy. Ultimately, this highly competitive game is played between those who want to carry out surveillance and those who strive for privacy. This is where Governments use DPI against your interests.

Even if you follow all traditional steps to secure your Internet data from ISPs and hackers (including using HTTPS and a VPN service) DPI can still read your Internet traffic, looks for patterns and identify your content based on those patterns. Sometimes, this beats VPN usage entirely, since VPN traffic has a header that identifies the packet as coming from a VPN client machine. In some countries, that alone is a reason to block your Internet traffic completely. Sometimes, you can also be charged as a criminal for using VPN, like in Iran. So, your first priority is to know whether Using VPN is legal in your country.

Which Countries Use Deep Packet Inspection?

This is a list of countries where the Government uses Deep Packet Inspection to analyze Internet traffic for surveillance and censorship of their citizen, and not always in the public interest.

Country

How it uses Deep Packet Inspection

USA

Intelligently sorts internet traffic from AT&T Inc. for surveillance

China

Censors its Internet and VPN usage for broadly classified sensitive content

Iran

Censors a broad category of content and blocks VPN, causes an overall slow Internet in Iran

Russia

Blocks content based on a centrally maintained IP blacklist

Singapore

Blocks access to pornography, information on drugs and pirated content

Syria

Blocks access to politically sensitive content and occasionally block Internet entirely

Malaysia

Blocked access to social networking websites before the 2013 elections

Ethiopia

Blocks TOR network and VPN after a nationwide emergency situation in 2016

Turkey

Blocks social media and YouTube, also blocks Tor network and VPN connections

Kazakhstan

Blocks Tor network and VPN connections following political unrest in 2012

The Great Firewall Of China (GFW) has been trained to detect TLS handshakes to servers that have a high level of encrypted traffic flowing through them. These servers are identified as VPN servers and the GFW makes various attempts to block VPN connections by blocking TLS handshakes to these VPN servers. You cannot use a VPN service without this handshake. This same technique is also used by the GFW to block HTTPS traffic to certain websites.

Many, if not all of these countries have constitutions that protect their citizen against this kind of blanket surveillance. Some of these countries even have laws (like FISA) that explicitly mention the terms under which the Government can monitor their citizen and it requires a court warrant in most cases. Needless to say, many of these countries violate their own laws when performing a Deep Packet Inspection.

So, is Privacy a Lost Battle?

No, the battle for Privacy is not lost as long as we have better technology available to common people. Now you know what Deep Packet Inspection is and whether you are susceptible to being targeted by it. Next, it is time to find solutions against DPI, and there are a few. We will talk about ways to get around Deep Packet Inspection and VPN blocking in a different article.

    Chinmoy Kanjilal

    I take a deep interest in finding out why things work the way they work. I also write about VPN services, anonymity tools, and privacy tools here at Dealarious.com.

    Click Here to Leave a Comment Below

    Leave a Comment: