Hendrik Schulze
ipoque
hendrik.schulze@ipoque.com
Tutorial Scope
What is DPI?
Definition
Applications
Technical Motivation
Application
Network behavior
Implications for DPI and analysis
2
Wednesday, December 19, 12
What is DPI?
Modified Definition:
Deep packet inspection (DPI) analyses all data of a packet
(headers and payload) as it passes an inspection point in order to
determine the protocol and/or application transported.
DPI provides meta-data about network traffic
Meta-data is the foundation of DPI applications
Protocol Decoding (Full Payload Area Analysis, FPA)
Meta-data Extraction (Predetermined Payload Area Analysis, PPA)
Protocol/Application Classification
Security
NG Firewalls: Allow/Block Applications and Protocols
Virus scan only in sensitive traffic
Network Probing
Statistics
Traffic Interception
Test and Measurement
Security
NG Firewalls: prevent security relevant actions
Network Probing
Statistics
Traffic Interception
Quality Measurement
Protocol/Application Classification
Figure: protocol encapsulation across the layers PHY, Link, IP, TCP/UDP and L7. An L2 frame carries [L2 Header | IP Datagram]; the IP datagram carries [IP Header | TCP/UDP Message]; the TCP/UDP message carries [TCP/UDP Header | L7 Header | Application Data].
Application/Protocol Classification?
Flow Tracking
Pattern matching
Simple pattern matching
Figure: the pattern XXX is searched in a stream of packets whose contents are XXX, YYY and ZZZ.
Flow tracking mandatory
Behavioral Analysis
Figure: a sequence of packets labelled by size (short, long, short, short, short), with a run of three short packets highlighted.
Pattern Matching
if (data buffer matches regexp for the protocol we're looking for) {
    mark the connection as identified;
    return true;
} else {
    return false;
}
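The pseudocode above with flow tracking added, as an example written for this page (not ipoque's code): the same regexp is run once per packet and once over a per-flow reassembly buffer, which is why the earlier slide calls flow tracking mandatory. The signature "XXX ... YYY", the 5-tuple and the segment boundaries are constructed.

```python
import re
from collections import defaultdict

# Constructed signature for a hypothetical protocol whose greeting "XXX ... YYY"
# may arrive split across several TCP segments (not ipoque's signature).
SIGNATURE = re.compile(rb"^XXX.{0,16}?YYY")
MAX_BUFFER = 64   # stop tracking a flow after this many unmatched payload bytes


def stateless_match(payload: bytes) -> bool:
    """Per-packet matching with no flow state: the slide's simple case."""
    return SIGNATURE.search(payload) is not None


class FlowTracker:
    """Reassembles payload per flow so a pattern spanning packets still matches."""
    def __init__(self):
        self.buffers = defaultdict(bytes)   # flow 5-tuple -> unmatched payload so far
        self.identified = {}                # flow 5-tuple -> verdict

    def packet(self, flow, payload: bytes):
        """Returns the verdict for this flow, or None while it is still undecided."""
        if flow in self.identified:
            return self.identified[flow]
        buf = self.buffers[flow] + payload
        if SIGNATURE.search(buf):
            verdict = "proto-xxx"
        elif len(buf) >= MAX_BUFFER:
            verdict = "unknown"             # give up: no signature within the window
        else:
            self.buffers[flow] = buf
            return None
        self.identified[flow] = verdict
        self.buffers.pop(flow, None)
        return verdict


# Constructed flow: the greeting is split as "XX" | "X" | "YYY" over three segments.
FLOW = ("10.0.0.1", 40001, "192.0.2.10", 5555, "tcp")
SEGMENTS = [b"XX", b"X", b"YYY", b"payload"]


def classify_stateless():
    return [stateless_match(s) for s in SEGMENTS]


def classify_tracked():
    tracker = FlowTracker()
    return [tracker.packet(FLOW, s) for s in SEGMENTS]
```

Per-packet matching never sees the complete greeting, while the tracked flow is identified on the third segment and every later packet inherits the verdict.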
Behavioral Analysis
Third basic DPI operation
Pattern matching is impossible for encrypted traffic
Instead, look at properties that remain observable despite encryption:
Packet sizes
Packet size sequences
Data rates
Packet rates
Number of concurrent flows
Flow arrival rate
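An added example (not from the tutorial) of the behavioral features listed above computed over a constructed flow: the packet size sequence is encoded as short/long symbols like the figure, packet and data rates are derived from timestamps, and a host-level concurrent-flow count is shown. The threshold, the "SSSL" signature and the rate bounds are hypothetical values, not measured ones.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float    # arrival time in seconds
    size: int   # payload length in bytes


SHORT = 64      # constructed threshold: payloads below this are "short"


def size_sequence(pkts):
    """Encode a flow's packet sizes as the short/long sequence the slide draws."""
    return "".join("S" if p.size < SHORT else "L" for p in pkts)


def flow_features(pkts):
    """Behavioral features that survive encryption: size sequence and rates."""
    span = max(pkts[-1].t - pkts[0].t, 1e-6)
    return {
        "seq": size_sequence(pkts),
        "pkt_rate": len(pkts) / span,                   # packets per second
        "data_rate": sum(p.size for p in pkts) / span,  # bytes per second
    }


def concurrent_flows(active_flows, host):
    """Host-level feature: number of active flows (5-tuples) involving this host."""
    return sum(1 for f in active_flows if host in (f[0], f[2]))


# Hypothetical behavioral signature: three short packets then one long, at an
# interactive packet rate. Thresholds are constructed, not measured values.
def matches_behavior(feats, prefix="SSSL", min_rate=5.0, max_rate=200.0):
    return feats["seq"].startswith(prefix) and min_rate <= feats["pkt_rate"] <= max_rate


def classify(pkts):
    return "candidate-app" if matches_behavior(flow_features(pkts)) else "other"


# Constructed flows; payloads are assumed encrypted, so only sizes and timing count.
HANDSHAKE = [Pkt(0.00, 20), Pkt(0.02, 24), Pkt(0.04, 18), Pkt(0.06, 900), Pkt(0.08, 40)]
BULK = [Pkt(0.00, 1400), Pkt(0.01, 1400), Pkt(0.02, 1400), Pkt(0.03, 1400)]
ACTIVE = [("10.0.0.5", 40000, "192.0.2.1", 443, "tcp"),
          ("10.0.0.5", 40001, "198.51.100.9", 31337, "udp"),
          ("10.0.0.7", 40002, "192.0.2.1", 443, "tcp")]
```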
= 98%
Figure: probability of misclassification as a function of pattern strictness. Patterns that are too strict produce false negatives; patterns that are too loose produce false positives.
Example: Skype
Literature:
An Experimental Study of the Skype Peer-to-Peer VoIP System, Saikat Guha (Cornell University), Neil Daswani, Ravi Jain (Google), 2/2006
Silver Needle in the Skype, Philippe Biondi, Fabrice Desclaux, EADS, Black Hat Europe 2006, 3/2006
Vanilla Skype (part 1+2), Fabrice Desclaux, Kostya Kortchinsky, EADS, RECON2006, 6/2006
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol, Salman A. Baset and Henning Schulzrinne, Columbia University, 1/2006
Popularity
>500 million registered users by end of 2011
~30 million users simultaneously online
First half of 2010
88.4 billion Skype-to-Skype call minutes
6.4 billion minutes of calls to landlines and mobiles
40% video calls
Technical Basics
P2P architecture
Uses UDP and TCP, both for signaling and communication
No fixed ports
a UDP port is randomly selected at installation time and used for all UDP data
HTTP and HTTPS ports (80 & 443) can be used
Supernodes
Supernodes (SN)
implement the Global Index, the Skype user directory
essential for the proper operation
Detection
Skype v2.5.0.151
Skype v2.5.0.154
Skype v2.6.0.67
Skype v2.6.0.74
Skype v2.6.0.81
Skype v2.6.0.97
Skype v2.6.0.103
Skype v2.6.0.105
Skype v3.0.0.106
Skype v3.0.0.123
Skype v3.0.0.137
Skype v3.0.0.154
Skype v3.0.0.190
Skype v3.0.0.198
Skype v3.0.0.205
Skype v3.0.0.209
Skype v3.0.0.214
Skype v3.0.0.216
Skype v3.0.0.217
Skype v3.0.0.218
Skype v3.1.0.112
Skype v3.1.0.144
Skype v3.1.0.150
Skype v3.1.0.152
Skype v3.2.0.53
Skype v3.2.0.63
Skype v3.2.0.82
Skype v3.2.0.115
Skype v3.2.0.145
Skype v3.2.0.148
Skype v3.2.0.152
Skype v3.2.0.158
Skype v3.2.0.163
Skype v3.2.0.175
Skype v3.5.0.107
Skype v3.5.0.158
Skype v3.5.0.178
Skype v3.5.0.202
Skype v3.5.0.214
Skype v3.5.0.229
Skype v3.5.0.234
Skype v3.5.0.239
Skype v3.6.0.127
Skype v3.6.0.159
Meta-data Extraction
Figure: once the application signature (XXX) has matched in the payload, the application meta-data that follows it (123, abc) is extracted.
Figure: client applications send a request to a web server, which returns a response.
Request:
GET /en/home/index.html HTTP/1.1
Host: www.ipoque.com
User-Agent: Mozilla/5.0 ...
[...]
Response:
HTTP/1.1 200 OK
Date: Sun, 12 Feb 2012 10:37:02 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Sun, 12 Feb 2012 10:37:02 +0000
Content-Language: en
Content-Type: text/html; charset=utf-8
[...]
<html>
[ html web site description ]
</html>
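An added example (not ipoque's code) of the two steps the slides separate: a signature check on the request line classifies the flow as HTTP, and only then are the predetermined header fields (Host, User-Agent, Server, Content-Type, status) extracted as meta-data. The messages are constructed from the exchange above; the headers elided there are omitted.

```python
import re

# Signature step: an HTTP/1.x request line at the start of the first client segment.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def is_http_request(payload: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(payload) is not None


def parse_http_message(raw: bytes):
    """Split an HTTP/1.x message into start line, header dict (lower-cased names), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def http_metadata(request: bytes, response: bytes):
    """Meta-data a DPI engine reports once the flow is classified as HTTP (else None)."""
    if not is_http_request(request):
        return None
    req_line, req_hdr, _ = parse_http_message(request)
    method, path, _version = req_line.split(" ", 2)
    status_line, resp_hdr, _ = parse_http_message(response)
    status = int(status_line.split(" ", 2)[1])
    return {
        "method": method,
        "host": req_hdr.get("host"),
        "path": path,
        "user_agent": req_hdr.get("user-agent"),
        "status": status,
        "server": resp_hdr.get("server"),
        "content_type": resp_hdr.get("content-type"),
    }


# Constructed from the exchange on the slide; the headers elided there are omitted.
REQUEST = (b"GET /en/home/index.html HTTP/1.1\r\n"
           b"Host: www.ipoque.com\r\n"
           b"User-Agent: Mozilla/5.0 ...\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Sun, 12 Feb 2012 10:37:02 GMT\r\n"
            b"Server: Apache/2.2.14 (Ubuntu)\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n\r\n"
            b"<html></html>")
```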
Flow Correlation
Figure: a control channel (SIP) sets up a separate data channel (RTP).
SIP Invite
INVITE sip:bob@biloxi.example.com SIP/2.0
[..]
From: Alice <sip:alice@atlanta.example.com>;tag=9fxced76sl
To: Bob <sip:bob@biloxi.example.com>
Call-ID: 3848276298220188511@atlanta.example.com
CSeq: 1 INVITE
Contact: <sip:alice@client.atlanta.example.com;transport=tcp>
Content-Type: application/sdp
Content-Length: 151

v=0
o=alice 2890844526 2890844526 IN IP4 client.atlanta.example.com
s=-
c=IN IP4 192.0.2.101
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
(The SIP headers form the control channel; the SDP body announces the address and port of the RTP data channel.)
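Flow correlation over the INVITE above, as an added example that is not part of the tutorial: the c= and m=audio lines of the SDP body give the endpoint where RTP will arrive, so a later UDP flow to that endpoint can be classified as the data channel of this Call-ID before a single media packet has been inspected. The RTCP entry assumes the RFC 3550 convention of the next port up; the INVITE is reduced to the headers the code needs, and the client address in the UDP flow is constructed.

```python
import re

def parse_sdp(sip_message: str):
    """Return (ip, port) of the audio stream announced in the SDP body."""
    _, _, body = sip_message.partition("\n\n")
    ip = port = None
    for line in body.splitlines():
        if line.startswith("c="):            # c=IN IP4 192.0.2.101
            ip = line.split()[-1]
        elif line.startswith("m=audio"):     # m=audio 49172 RTP/AVP 0
            port = int(line.split()[1])
    return ip, port

class Correlator:
    def __init__(self):
        self.expected = {}   # (ip, port) -> ("rtp" | "rtcp", Call-ID)

    def on_sip(self, sip_message: str):
        """Control channel seen: remember where the data channel will appear."""
        call_id = re.search(r"^Call-ID:\s*(\S+)", sip_message, re.M).group(1)
        ip, port = parse_sdp(sip_message)
        if ip and port:
            self.expected[(ip, port)] = ("rtp", call_id)
            self.expected[(ip, port + 1)] = ("rtcp", call_id)  # RFC 3550 convention

    def classify_udp(self, src, sport, dst, dport):
        for endpoint in ((dst, dport), (src, sport)):
            if endpoint in self.expected:
                return self.expected[endpoint]
        return ("unknown", None)

# Constructed from the INVITE on the slide; headers the code does not need are omitted.
INVITE = """INVITE sip:bob@biloxi.example.com SIP/2.0
From: Alice <sip:alice@atlanta.example.com>;tag=9fxced76sl
To: Bob <sip:bob@biloxi.example.com>
Call-ID: 3848276298220188511@atlanta.example.com
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 client.atlanta.example.com
s=-
c=IN IP4 192.0.2.101
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

def correlate_example():
    """Feed the INVITE, then classify the UDP flow that follows to the announced port."""
    c = Correlator()
    c.on_sip(INVITE)
    return c.classify_udp("198.51.100.7", 6000, "192.0.2.101", 49172)
```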
Thank you!
Hendrik Schulze
hendrik.schulze@ipoque.com