Allot Communications - company presentation

Digging Deeper Into DPI
Network Visibility & Service Management
Jay Klein
May 2007
Outline
- Origins of the Problem
- Complexity
- DPI for Security vs. DPI for Application Control
- DPI - Glance through the basics
2
20 July 2015
Market Trends and Drivers: Bandwidth
- Broadband becoming ubiquitous
  - High penetration rates (over 50% in Korea, Taiwan, Holland and Canada)
  - Over 50% of on-line households are BB
- Telcos are upgrading infrastructure:
  - ADSL2+ (20-25Mbps)
  - VDSL2 (20-30Mbps)
  - FTTx
- Bandwidth per user is ramping up:
  - BW expected to reach 20M by 2010 (source: IDC, 2006)
Market Trends and Drivers: Applications (P2P)
[Slide graphic: "More Bandwidth, More Applications"; application tabs: P2P, VoIP, Entertainment, Online Gaming]
- Continue to be highly popular
  - Average of 40-60% of overall BW
- More applications use encryption
  - BitTorrent, eMule, Ares
- Content providers seem to adopt P2P
  - Warner Bros to sell films via BitTorrent
- Scalability
Market Trends and Drivers: Applications (VoIP)
- Numerous Internet VoIP providers:
  - Skype, Vonage, GoogleTalk, Yahoo!Voice, Net2Phone
- VoBB subscribers increased rapidly in 2005/6
- More SPs offer Voice & Data services bundled together
Market Trends and Drivers: Applications (Entertainment)
- Usage of streaming applications increasing dramatically
  - YouTube – 100M videos/day
- Numerous new Web-TV services launched
  - BBC, In2TV etc.
  - Skype to launch Venice Project – a Web TV service
- Telcos launching IPTV services: Pay-TV and VOD
  - More than just a service differentiator
Market Trends and Drivers: Applications (Online Gaming)
- Consoles & PC offer “over the network” gaming experience
- Stringent Bandwidth & Latency requirements
The Complexity
- Numerous Applications - Many Protocols
- Same Application – Different Implementations
  - Bittorrent has more than 30 different client implementations
  - IM or VoIP may deliver the same experience but don’t use similar protocols
- Evolving Architectures
  - Skype evolved from Kazaa, maintaining more or less the same network topology
  - Joost (Venice Project) has just done the same
The Complexity
- Mixture of Technologies, Diverse deployment scenarios
  - Various Clients: PC, Smartphone, Gaming Console
  - Client’s network surroundings: Firewall/NAT, Proxy
  - Monitor or Traffic Shape
  - Symmetric vs. Asymmetric
- Frequent Updates
  - Can vary from twice a year to every month
  - Easy to enforce upgrade policy with quick reaction time
  - Typically will affect protocol format
The Complexity
- Use of Encryption (Obfuscation)
  - Primarily designed to counter operators’ throttling and monitoring efforts (eMule, Bittorrent)
  - In some cases to protect a proprietary implementation (Skype)
- Cannot generalize - Need to differentiate use
  - “Good” (legit streaming, SW updates) vs. “Bad” (pirated file sharing) P2P
  - Need to recognize application subtleties for proper actions
  - Example: MSN IM – block VoIP & Streaming, allow Chat
DPI – Application Space vs. Security Space
- Comparable in the sense of “Deep”, “Packet” & “Inspection”
- Different Core Competence
  - Similar tools yet different know-how
  - Some “gray area” in the middle (e.g., basic DDoS)
- When DPI is aimed at applications
  - Applications = Services, typically “invited” by Operator, End user or both
- When DPI is aimed at security risks
  - Risks = Weaknesses in Network & OS behavior
  - Need to deal with hostile “applications”, “services”
DPI – Application Space vs. Security Space
- DPI for Security - Inspects L3/4 and complements with L7 info if required
- DPI for Security often samples the data stream, indicates a trend & recommends an action
- When DPI is aimed at applications, it starts at L7 and tracks & learns the specific service
- DPI for Applications must examine each connection and accurately identify & classify for any action beyond monitoring
Packet Inspection
- Analyze encapsulated content in packet’s header and payload
  - Content may be spread over many packets
- Different research and analysis tools are combined
- The end result – a library of “signatures”
  - For each protocol/application a “Unique” Fingerprint set is found
  - Signatures may change over time
False Positives
- The likelihood that application connections are caught by signatures of other applications
  - Some traffic is misidentified / misclassified
  - Signatures are too weak
- Reason: Different protocols exhibit similar behavior or data patterns
- Strengthen the signature by combining several techniques, leading to a complex & robust signature
- Target 0% FP for controlling purposes
False Negatives
- The likelihood that application connections are not caught by their designated signatures
  - End result – some portion of the suspected application traffic is not detected
- Why? Signatures don’t cover all protocol occurrences
- Examples:
  - IM = Chat, Streaming, Gaming, VoIP…
  - Environment – Proxy, NAT
Analysis by Port
- Reasoning:
  - Many applications and protocols use a default port
  - Example: email
    - Incoming POP3: 110 (995 if using SSL)
    - Outgoing SMTP: 25
- The Good - It’s easy, The Bad - It’s too easy
  - Many applications disguise themselves (e.g., Port 80)
  - Port hopping -> large range, overlapping apps
Analysis by String Match
- Reasoning:
  - Many applications have pure textual identifiers
  - Easy to search for
  - Very easy if in a specific location within a packet
- Uniqueness not always guaranteed
String Match Example
Analysis by Numerical Properties
- Property is not only content:
  - Packet size
  - Payload/message length
  - Position within packet
- In some cases sparse and spread over several packets
Example: Sparse Match
Identifying John Doe Protocol

Connection #1: 35 8A 27 7F
Connection #2: 15 82 98 71
Connection #3: A5 80 72 7F
Connection #4: 95 88 8A 7F
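The sparse-match idea above, as an added example that is not part of the original deck: a signature made of a few byte positions with bit masks, applied to the four connections from the slide. Which positions identify the "John Doe Protocol" is an assumption made here for illustration (second byte has its high bit set, fourth byte equals 0x7F); the slide does not state its answer.

```python
# Added example (not from the Allot deck): a "sparse match" signature tests a
# few byte positions, each with a bit mask, rather than a contiguous string.
# Which positions identify the slide's "John Doe Protocol" is an assumption
# made here for illustration: byte 1 must have its high bit set and byte 3
# must equal 0x7F. The four connections carry the slide's hex values.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ByteRule:
    offset: int  # index into the bytes collected for the connection
    mask: int    # bits that matter (0xFF = exact byte match)
    value: int   # expected value after masking


# Hypothetical sparse signature for the "John Doe Protocol".
JOHN_DOE_SIGNATURE = (
    ByteRule(offset=1, mask=0x80, value=0x80),  # second byte: high bit set
    ByteRule(offset=3, mask=0xFF, value=0x7F),  # fourth byte: exactly 0x7F
)


def sparse_match(data: bytes, rules: Iterable[ByteRule] = JOHN_DOE_SIGNATURE) -> bool:
    """True only if every rule holds; a capture too short to test never matches."""
    for rule in rules:
        if rule.offset >= len(data) or (data[rule.offset] & rule.mask) != rule.value:
            return False
    return True


def match_across_packets(packets: Iterable[bytes], rules=JOHN_DOE_SIGNATURE) -> bool:
    """The slide notes properties may be spread over several packets: join the
    per-packet bytes in arrival order before applying the sparse rules."""
    return sparse_match(b"".join(packets), rules)


# Constructed from the slide's table: four connections, four bytes each.
CONNECTIONS = {
    1: bytes.fromhex("358A277F"),
    2: bytes.fromhex("15829871"),
    3: bytes.fromhex("A580727F"),
    4: bytes.fromhex("95888A7F"),
}


def classify_all(conns=CONNECTIONS) -> dict:
    """Map connection number -> whether it is classified as John Doe Protocol."""
    return {n: sparse_match(data) for n, data in conns.items()}
```

Under these assumed rules connection #2 fails only on its last byte (0x71), which is the kind of single-position miss that a weak one-rule signature would not catch.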
Skype (Older Versions): Finding a TCP Connection
[Slide diagram: client/server UDP message exchange in which message lengths are the distinguishing property: an 18 byte message, an 11 byte message (labelled "Evolution"), a 23 byte message, and a reply of either 18, 51 or 53 bytes; diagram labels N+8 and N+8+5]
Behavior and Heuristic Analysis
- Behavior = the way in which something functions or operates
- Heuristic = problem-solving by experimental and especially trial-and-error methods
- OK, but what does this mean? Examples:
  - Statistics: on average payload size is between X to Y
  - Actions: Login using TCP connection followed by a UDP connection on subsequent port number
- Extremely effective analysis when application uses encryption
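The two heuristics named on the slide, as an added example that is not part of the original deck: a payload-size statistic and a "TCP login followed by UDP on the next port" action sequence, run over a constructed flow log. The flow fields, the values chosen for "X to Y", the time window and the pattern itself are assumptions for illustration, not any real application's profile.

```python
# Added example (not from the Allot deck): the two heuristics named on the
# slide, run over a constructed flow log. The flow fields, the payload range
# "X to Y", the time window and the "TCP login then UDP on the next port"
# pattern are assumptions for illustration, not any real application's profile.
from collections import defaultdict
from statistics import mean

# (timestamp_s, src_ip, proto, dst_ip, dst_port, avg_payload_bytes): constructed.
FLOWS = [
    (10.0, "10.0.0.5", "TCP", "203.0.113.7", 5000, 64),
    (10.4, "10.0.0.5", "UDP", "203.0.113.7", 5001, 120),  # next port, 0.4 s later
    (11.0, "10.0.0.9", "TCP", "203.0.113.7", 5000, 64),
    (30.0, "10.0.0.9", "UDP", "203.0.113.7", 5001, 120),  # 19 s later: too late
    (12.0, "10.0.0.8", "TCP", "198.51.100.2", 443, 1400),
    (12.2, "10.0.0.8", "UDP", "198.51.100.2", 444, 900),  # sequence ok, size not
]

PAYLOAD_RANGE = (100, 200)  # the slide's "X to Y"; assumed values
LOGIN_WINDOW_S = 5.0        # UDP must follow the TCP connection within this


def payload_in_range(avg_bytes: float, lo=PAYLOAD_RANGE[0], hi=PAYLOAD_RANGE[1]) -> bool:
    """Statistics heuristic: average payload size between X and Y."""
    return lo <= avg_bytes <= hi


def find_login_pattern(flows, window: float = LOGIN_WINDOW_S) -> set:
    """Action heuristic: source hosts whose TCP flow to (dst, port) is followed
    within `window` seconds by a UDP flow from the same host to (dst, port+1)."""
    tcp_starts = defaultdict(list)  # (src, dst, port) -> [timestamps]
    hits = set()
    for ts, src, proto, dst, port, _size in sorted(flows):
        if proto == "TCP":
            tcp_starts[(src, dst, port)].append(ts)
        elif proto == "UDP":
            if any(0 <= ts - t0 <= window for t0 in tcp_starts[(src, dst, port - 1)]):
                hits.add(src)
    return hits


def classify_hosts(flows=FLOWS) -> dict:
    """Combine both heuristics: a host matches only when the action sequence is
    present AND the mean payload of its UDP flows lies inside PAYLOAD_RANGE."""
    sequence_hits = find_login_pattern(flows)
    udp_sizes = defaultdict(list)
    for _ts, src, proto, _dst, _port, size in flows:
        if proto == "UDP":
            udp_sizes[src].append(size)
    return {
        src: src in sequence_hits and bool(udp_sizes[src]) and payload_in_range(mean(udp_sizes[src]))
        for src in {f[1] for f in flows}
    }
```

Requiring both heuristics is what keeps 10.0.0.8 out: its action sequence matches but its payload statistic does not, which is the "combine several techniques" point from the False Positives slide.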
Example: HTTP vs. BitTorrent (Handshake)
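The Analysis by Port and Analysis by String Match slides, and the HTTP vs. BitTorrent handshake example above, as one added example that is not part of the original deck: port-only classification beside a fixed-offset string match on the first payload bytes. The default-port table, the sample payloads and the fallback order are constructed for illustration; the HTTP request-line and BitTorrent handshake formats are the public ones.

```python
# Added example (not from the Allot deck): contrasts "analysis by port" with
# "analysis by string match" on the first bytes of a TCP connection, using the
# HTTP request line and the BitTorrent peer-wire handshake. The port table and
# the sample payloads are constructed for illustration.
DEFAULT_PORTS = {80: "http", 8080: "http"}
DEFAULT_PORTS.update({p: "bittorrent" for p in range(6881, 6890)})

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
BT_PSTR = b"BitTorrent protocol"  # handshake: <19><pstr><8 reserved><20 hash><20 id>


def classify_by_port(dst_port: int) -> str:
    """The 'easy' way from the slide: trust the destination port."""
    return DEFAULT_PORTS.get(dst_port, "unknown")


def classify_by_string(payload: bytes) -> str:
    """String match at a specific location: offset 0 of the first payload."""
    if len(payload) >= 20 and payload[0] == len(BT_PSTR) and payload[1:20] == BT_PSTR:
        return "bittorrent"
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:64]:
        return "http"
    return "unknown"


def classify(dst_port: int, payload: bytes) -> str:
    """Payload evidence wins; the port is only a fallback when nothing matched."""
    by_string = classify_by_string(payload)
    return by_string if by_string != "unknown" else classify_by_port(dst_port)


# Constructed samples: a BitTorrent client "disguised" on port 80 (the slide's
# point that many applications disguise themselves), a plain HTTP request on
# port 80, and a web server answering on a BitTorrent default port.
BT_ON_80 = (bytes([19]) + BT_PSTR + bytes(8) + b"\x11" * 20 + b"-XX0001-" + b"a" * 12, 80)
HTTP_ON_80 = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", 80)
HTTP_ON_6881 = (b"GET / HTTP/1.0\r\n\r\n", 6881)


def compare(samples=(BT_ON_80, HTTP_ON_80, HTTP_ON_6881)) -> list:
    """Return (port verdict, string verdict, combined verdict) per sample."""
    return [(classify_by_port(p), classify_by_string(d), classify(p, d)) for d, p in samples]
```

The first and third samples are the port-only false positives the False Positives slide warns about; the string match at a fixed offset resolves both.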
DPI in Real Life
- Network Visibility – The key for understanding how bandwidth is utilized
  - Which application?
  - Which user?
  - When? Where?
- Traffic Management (Application Control)
  - Block
  - Shape (limit, QoS, QoE)
- Service Management (Subscriber Control)
  - Associate connection (IP X.Y.Z.W) with a user and its service use policy
Example - What’s Happening On the Network?
[Slide screenshots with callouts, in order:]
- P2P Virtual Channel congested
- Drill down to find out what’s creating excessive traffic
- Graph shows that eDonkey is congesting traffic
- Drill down to find out who is using this application
- Heavy bandwidth user identified precisely!
Thank You