DPI Setting Features

This article does not cover DPI configuration in full or everything related to it, and the scientific value of the text is minimal. But it describes the simplest way to bypass DPI, one that many companies have not taken into account.


Warning No. 1: this article is research in nature and does not encourage anyone to do or use anything. The idea is based on personal experience, and any coincidences are accidental.

Warning No. 2: the article does not reveal the secrets of Atlantis, the search for the Holy Grail or other mysteries of the universe; all the material is in the public domain and may have been described more than once on Habr. (I did not find it; I would be grateful for a link.)

For those who read the warnings, let's start.

What is DPI?


DPI, or Deep Packet Inspection, is a technology for accumulating statistical data and for checking and filtering network packets by analyzing not only the packet headers but also the full content of the traffic at OSI model layers two and above, which makes it possible to detect and block viruses and to filter information that does not meet specified criteria.

There are two types of DPI connection, as described by ValdikSS on GitHub:
Passive DPI

DPI connected to the provider's network in parallel (not inline), either through a passive optical splitter or by mirroring the traffic coming from users. Such a connection does not reduce the throughput of the provider's network if DPI performance is insufficient, which is why it is used by large providers. DPI with this type of connection can technically only detect an attempt to request prohibited content, but not stop it. To work around this restriction and block access to the forbidden site, the DPI sends a specially crafted HTTP packet to the user requesting the blocked URL with a redirect to the provider's stub page, as if the requested resource itself had sent such a response (the sender's IP address and TCP sequence number are forged). Due to the fact that the DPI is physically located closer to the user,

Active DPI

Active DPI is DPI connected to the provider's network in the usual way, like any other network device. The provider configures routing so that the DPI receives traffic from users to blocked IP addresses or domains, and the DPI itself decides whether to allow or block the traffic. Active DPI can check both outgoing and incoming traffic; however, if the provider uses DPI only to block sites from the registry, it is most often configured to scan only outgoing traffic.

Not only the blocking efficiency but also the DPI load depends on the type of connection, so there is an option to check not all traffic but only certain kinds:

“Normal” DPI

A “normal” DPI filters a certain type of traffic only on the most common ports for that type. For example, a “normal” DPI detects and blocks prohibited HTTP traffic only on port 80, and HTTPS traffic only on port 443. This type of DPI will not track prohibited content if you send a request with a blocked URL to an unblocked IP address or a non-standard port.

“Full” DPI

Unlike a “normal” DPI, this type classifies traffic regardless of IP address and port. Thus, blocked sites will not open even if you use a proxy server on a completely different port and an unblocked IP address.

DPI usage


In order not to reduce the data transfer rate, a “normal” passive DPI is used, which allows you to effectively (?) block any (?) resources; the default configuration looks like this:

  • HTTP filter on port 80 only
  • HTTPS on port 443 only
  • BitTorrent only on 6881-6889 ports

But problems begin if the resource uses a different port so as not to lose users; then every packet has to be checked. For example:

  • HTTP works on ports 80 and 8080
  • HTTPS on ports 443 and 8443
  • BitTorrent on any other port range

Because of this, you will have to either switch to active DPI or add blocking via an additional DNS server.
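The gap between the “normal” (port-based) and “full” (content-based) DPI described above, as an added example that is not part of the original article: a toy classifier that decides by port alone beside one that decides by the first payload bytes, run over constructed packets on the ports the article mentions. The port table, signatures and sample packets are constructed for the illustration.

```python
# Added example (not the article's code): "normal" vs "full" DPI classification.
# Port table of the "normal" DPI default configuration from the article.
NORMAL_DPI_PORTS = {
    "http": {80},
    "https": {443},
    "bittorrent": set(range(6881, 6890)),   # 6881-6889
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # length-prefixed protocol string


def classify_by_port(dst_port):
    """'Normal' DPI: decide the protocol from the destination port alone."""
    for proto, ports in NORMAL_DPI_PORTS.items():
        if dst_port in ports:
            return proto
    return "unknown"


def classify_by_payload(payload):
    """'Full' DPI: decide from the first bytes, regardless of the port."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0x,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "https"
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    return "unknown"


def compare(packets):
    """(port, verdict of normal DPI, verdict of full DPI) for each packet."""
    return [(port, classify_by_port(port), classify_by_payload(data)) for port, data in packets]


def missed_by_normal_dpi(packets):
    """Packets the port-based DPI cannot classify but the full DPI can."""
    return [(port, full) for port, normal, full in compare(packets)
            if normal == "unknown" and full != "unknown"]


# Constructed sample packets: (destination port, first bytes of payload).
SAMPLE_PACKETS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    (8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    (6881, BT_HANDSHAKE + b"\x00" * 8),
    (51413, BT_HANDSHAKE + b"\x00" * 8),
]
```

Running `missed_by_normal_dpi(SAMPLE_PACKETS)` lists exactly the 8080, 8443 and 51413 packets, the cases the article says a port-only configuration lets through.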

DNS blocking


One way to block access to a resource is to intercept the DNS query with a local DNS server and return to the user the IP address of a “stub” instead of that of the requested resource. But this does not give a guaranteed result, since the address spoofing can be prevented:

Option 1: Editing the hosts file (for the desktop)

The hosts file is an integral part of any operating system, which means it is always available. To access the resource, the user must:

  1. Find the IP address of the required resource
  2. Open the hosts file for editing (administrator rights are required), located at:
    • Linux: /etc/hosts
    • Windows: %WinDir%\System32\drivers\etc\hosts
  3. Add a line in the format: <IP address> <resource name>
  4. Save changes

The advantage of this method is its complexity and the requirement for administrator rights.
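The hosts-file steps above (find the address, add an `<IP address> <resource name>` line), as an added example that is not from the article: a helper that validates the address, replaces any earlier mapping for the same name while keeping comments and other names, and a lookup that mirrors how the resolver reads the file (first matching line wins). The sample file content is constructed.

```python
# Added example (not the article's code): editing and reading a hosts file.
import ipaddress

# Constructed sample hosts file, not a real system file.
SAMPLE_HOSTS = """# local overrides
127.0.0.1 localhost
93.184.216.34 example.invalid www.example.invalid
"""


def set_hosts_entry(hosts_text, ip, hostname):
    """Return hosts_text with hostname mapped to ip.

    Any earlier mapping for hostname is removed; comments and other
    names on the same line are kept. Raises ValueError for a bad address.
    """
    ipaddress.ip_address(ip)  # step 1 of the article: a valid IP is required
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore trailing comments
        if fields and hostname in fields[1:]:
            others = [n for n in fields[1:] if n != hostname]
            if others:                           # keep the line for other names
                out.append(" ".join([fields[0]] + others))
            continue                             # drop the old mapping
        out.append(line)
    out.append(f"{ip} {hostname}")               # step 3: "<IP address> <resource name>"
    return "\n".join(out) + "\n"


def resolve_from_hosts(hosts_text, hostname):
    """First address listed for hostname, or None if the file has no entry."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[0]
    return None
```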

Option 2: DoH (DNS over HTTPS) or DoT (DNS over TLS)

These methods protect the DNS query from spoofing by encrypting it, but not all applications support them. Consider how easily a user can configure DoH in Mozilla Firefox version 66:

  1. Go to about:config in Firefox
  2. Confirm that the user accepts the risk
  3. Change the value of the network.trr.mode parameter to:
    • 0 - disable TRR
    • 1 - automatic selection
    • 2 - enable DoH by default
  4. Change the network.trr.uri parameter by selecting the DNS server
  5. Change the network.trr.bootstrapAddress parameter to:
    • If Cloudflare DNS is selected: 1.1.1.1
    • If Google DNS is selected: 8.8.8.8
  6. Change the value of the network.security.esni.enabled parameter to true
  7. Verify settings using Cloudflare

Although this method is more complex, it does not require administrator rights for the user, and there are many other ways to protect a DNS query that are not described in this article.

Option 3 (for mobile devices):

Use the Cloudflare application for Android and iOS.

Testing


To check that access to the resources is really blocked, a domain blocked on the territory of the Russian Federation was temporarily purchased, and the following checks were made:

  • HTTP on port 80
  • HTTP on port 8080
  • HTTPS on port 443
  • HTTPS on port 8443

Conclusion


I hope this article will be useful and will not only encourage administrators to study the topic in more detail, but will also give an understanding that resources will always be on the user's side, and that the search for new solutions should be an integral part of their work.

Addition outside the article
The Cloudflare test cannot be passed on the Tele2 network, and a properly configured DPI will block access to the test site.
P.S. So far, this is the first provider to block resources correctly.
