
Introduction to DPI: System Usage Scenarios

Yesterday we began looking at the basic elements of DPI and covered the composition of the system and its wiring diagrams. Today we look at practical uses of DPI and the technical scenarios that let operators provide high-quality services.


/ Flickr / Yuri Samoilov / CC

1. Analysis and classification of traffic


The task of a DPI system is to classify traffic and generate real-time reports on traffic consumption per application, using signature sets and behavioral methods. Having this information on the traffic classes of each subscriber lets you bill each class separately, for example for Skype, Viber, etc. DPI systems also let you monitor the network state at layers 2–7 of the OSI model and protect it from overload.

2. Prioritize traffic


The most common example of the need to prioritize traffic is the p2p protocol. When a user downloads files over this protocol, the quality of all other traffic (VoIP, HTTP, etc.) drops, which leads to slow page loads, poor voice quality during calls and stuttering video. DPI systems can solve this problem simply by lowering the priority of p2p traffic.

The graph shows how HTTP speed increased as uncontrolled torrent traffic decreased.

Another simple example of the need for prioritization is the increasingly popular online cinemas. As the video quality increases (720p, 1080p, 4K), the load on the operator’s channel increases.

For example, in March 2015 in Australia, Netflix traffic accounted for 25% of the total traffic of the provider iiNet 4 weeks after launch. Active traffic control and flexible priority settings therefore make it possible to keep other sensitive services working properly by slightly reducing video quality at critical moments.

3. Optimization of uplinks


The operator can provide high quality in two ways: by increasing the channel bandwidth or by optimizing traffic. Traffic bursts are predictable: they occur on certain days of the week and usually last no more than a few hours.

Because of this, increasing the channel bandwidth may be unprofitable, since the “window” of peak activity is too small. However, if everything is left as it is, subscribers will face slow page loading and poor voice quality during hours of increased load.

About 50% of evening traffic is torrent, 20% is video and 30% is everything else. If you single out the first type of traffic and lower its priority, the other protocols will work the same as at any other time, and the need to increase the channel bandwidth disappears by itself.
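The effect of demoting torrent traffic on a congested uplink can be worked through with the 50/20/30 split above. This is an added example, not code from the original article; the 1000 Mbit/s capacity, the 1300 Mbit/s evening demand and the use of strict priority as the scheduling policy are assumptions.

```python
def fair_share(demand, capacity):
    """Congested link without classes: every class is squeezed by the same factor."""
    total = sum(demand.values())
    if total <= capacity:
        return dict(demand)
    return {cls: mbps * capacity / total for cls, mbps in demand.items()}


def strict_priority(demand, priority, capacity):
    """Serve priority levels in order (0 first); a lower level gets only what is left."""
    alloc, remaining = {}, capacity
    for level in sorted(set(priority.values())):
        group = {c: demand[c] for c in demand if priority[c] == level}
        share = fair_share(group, remaining)
        alloc.update(share)
        remaining -= sum(share.values())
    return alloc


def satisfaction(alloc, demand):
    """Fraction of each class's demand that was actually carried."""
    return {c: round(alloc[c] / demand[c], 2) for c in demand}


# Assumed figures: a 1000 Mbit/s uplink and 1300 Mbit/s of evening demand,
# split 50 / 20 / 30 % between torrent, video and everything else.
CAPACITY = 1000
DEMAND = {"torrent": 650, "video": 260, "other": 390}
PRIORITY = {"torrent": 1, "video": 0, "other": 0}   # torrent is demoted

if __name__ == "__main__":
    print("no classes:     ", satisfaction(fair_share(DEMAND, CAPACITY), DEMAND))
    print("torrent demoted:", satisfaction(strict_priority(DEMAND, PRIORITY, CAPACITY), DEMAND))
```

Without classes every protocol loses the same share of its demand; with torrent demoted, video and the remaining traffic are carried in full and torrent absorbs the whole shortfall.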

4. Caching


Some content on the Internet interests many users, who all download it at once. A cache server lets you distribute it directly between users. This saves Internet traffic and speeds up access to the content, since access to the cache runs at the speed of the local network rather than the speed of the Internet link.

For example, the cache server for our solution, SCAT DPI, can cache video content from popular services such as YouTube, RuTube and vk.com; updates for Windows, browsers, antiviruses and other software; and frequently repeated files (for example jQuery libraries, pictures, etc.).

5. Behavioral assessment of subscribers


Each user goes online at certain times, uses a particular browser, spends time on social networks, and watches comedies or horror films. The DPI system can collect all this information (without violating the personal rights of the subscriber) and present it to the operator in visual form. Knowing a user's preferred content, the operator can adjust that user's traffic priorities. Moreover, the most visited resources can also be cached.

6. Notification of subscribers


This feature allows the operator to send messages to a subscriber while the subscriber is using the Internet. When the user enters a website address, the browser first shows a message from the operator, which is replaced by the requested page after a few seconds.

This message may contain a variety of information: tariff changes, times of maintenance work, special offers. This method of notification reaches a very wide audience: in Russia, 73% of citizens aged 18 and older use the Internet, and 47% of respondents do so daily. In Europe, this figure is 60%.

7. Protection, interception of traffic


All traffic passes through the DPI system and is filtered by it, so it can protect subscribers from spam bots (detected through SMTP traffic analysis), DoS and DDoS attacks (detected by traffic anomalies), worms (detected by signatures) and spam (an excessively large number of SMTP connections).

When protecting against DDoS attacks, various behavioral strategies are often used to detect deviations in the behavior of network users. DPI systems simplify this task with an effective approach: a Turing test (a page with a CAPTCHA), which determines whether a request to a resource comes from a person or a computer.



The DPI system also protects against TCP SYN Flood and Fragmented UDP Flood attacks. A SYN Flood attack increases resource consumption on the attacked system, which reserves memory for each incoming SYN packet. If it is “bombed” with a large number of such packets per second and the final ACK packet never arrives, it becomes unavailable. DPI detects that the number of SYN packets has exceeded a threshold and starts responding to them on its own, without “disturbing” the site.
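The threshold behaviour described above can be sketched as a per-destination SYN counter that switches to answering handshakes locally. This is an added example, not code from the original article or from SCAT DPI; the class name, the threshold of 5 SYNs per second, the action labels and the packet records are all constructed for illustration.

```python
from collections import Counter, defaultdict, deque


class SynGuard:
    """Per-destination SYN-rate threshold with a local-answer (proxy) mode."""

    def __init__(self, threshold, window=1.0):
        self.threshold = threshold            # SYNs per window tolerated per destination
        self.window = window                  # sliding window length, seconds
        self.syn_times = defaultdict(deque)   # dst -> timestamps of recent SYNs
        # Handshakes answered by the guard and still waiting for the client's ACK.
        # A production SYN proxy would use SYN cookies instead of this table.
        self.pending = set()

    def handle(self, ts, src, sport, dst, flag):
        key = (src, sport, dst)
        if flag == "SYN":
            recent = self.syn_times[dst]
            recent.append(ts)
            while ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.threshold:
                self.pending.add(key)
                return "answer_locally"       # guard replies; the site never sees it
            return "forward"
        if flag == "ACK" and key in self.pending:
            self.pending.discard(key)
            return "handshake_verified"       # real client: hand over to the site
        return "forward"


def sample_packets(site="192.0.2.10"):
    """Constructed traffic: one normal client, a 20-SYN burst, one client mid-flood."""
    pkts = [(0.00, "198.51.100.7", 40000, site, "SYN"),
            (0.05, "198.51.100.7", 40000, site, "ACK")]
    pkts += [(2.0 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, site, "SYN")
             for i in range(20)]              # burst sources never send an ACK
    pkts += [(2.20, "198.51.100.8", 41000, site, "SYN"),
             (2.25, "198.51.100.8", 41000, site, "ACK")]
    return pkts


def replay(packets, threshold=5):
    """Return (action counts, handshakes left half-open at the guard)."""
    guard = SynGuard(threshold)
    actions = Counter(guard.handle(*p) for p in packets)
    return actions, len(guard.pending)


if __name__ == "__main__":
    print(replay(sample_packets()))
```

Once the threshold is crossed, the half-open handshakes accumulate at the guard rather than at the site, while a client that completes its handshake during the burst is still passed through.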

A Fragmented UDP Flood attack uses fragmented UDP packets, which the platform under attack must spend a lot of resources reassembling and analyzing. DPI discards any protocols that are not relevant to the protected site, or limits their bandwidth (for a website, only HTTP and HTTPS remain).

It is worth noting that DPI can work together with various value-added services (VAS), such as antispam, antivirus, video optimizers, etc. This works by diverting the part of the traffic that matches criteria set by the administrator to third-party devices for deeper analysis and processing.

Thus, comprehensive traffic analysis solves several important tasks at once: from optimizing uplink bandwidth and prioritizing traffic to behavioral assessment of subscribers and protecting networks and sites from all sorts of attacks.

In upcoming articles, we plan to look at the equipment on which all these functions can be implemented, and to compare the solutions of DPI system vendors.

P.S. We at VAS Experts specialize in creating and implementing services for monitoring and analyzing Internet traffic. In our blog, we will share our own experience and talk about how various technologies related to our field work.

Source: https://habr.com/ru/post/313556/

