What is deep packet inspection?
DPI is often used to block malware, but can affect how your VPN works
The best VPNs protect your online activity by encrypting your internet connection, making it harder for external parties to track or control your data. However, some internet providers and organizations use a technology called deep packet inspection (DPI) to examine the data traveling across their networks.
This technique gives a network operator massive amounts of information about the traffic that travels across their network, which allows them to easily identify intrusions, malware, and distributed denial of service (DDoS) attacks. However, DPI can also be used to detect and block VPN traffic. In this guide, I’ll walk you through what deep packet inspection is, how it works, and what you can do to keep your VPN working even when DPI systems are trying to close your connection.
NordVPN: the best VPN overall
We rate NordVPN as the best VPN overall, thanks to its excellent privacy, rapid speeds, and class-leading streaming support. It also offers special servers to avoid deep packet inspection. Plans start from a reasonable $3.09 per month, and there's also a 30-day money-back guarantee to make sure it's right for you.
What is deep packet inspection?
Deep packet inspection is a form of network packet filtering that allows for detailed examination of data packets as they move through a network. A data packet is a small unit of data sent over a network, and it contains two main parts: the header and the payload. The header tells the network infrastructure where the packet is going and how to interpret it, while the payload contains the actual data being transferred.
DPI works by inspecting both the header and payload, allowing network administrators to analyze the content of the packet beyond just the surface information. Unlike basic packet filtering, which uses static rules to allow or deny traffic, DPI examines the actual content and can infer context about the traffic that allows a network administrator to manage traffic in a variety of ways.
There are plenty of reasons a network admin might want to implement DPI in their infrastructure, mostly surrounding security. For example, DPI can help a network admin engage in malware protection by looking for malware signatures within data packets. They’d then be able to immediately block the malware from communicating with any external parties and begin tracing the packet route back through the network to the compromised machine. It’s possible to take the same approach for data exfiltration or DDoS attacks, massively increasing the speed with which a capable security team can locate and mitigate threats.
DPI also allows for effective content filtering. A business might want to restrict access to certain websites or protect against popular malware vectors like online ads, which DPI helps with by analyzing and blocking requests to particular domains. A basic firewall or online proxy can achieve the same effect by banning URLs, but the difference with DPI is the depth with which you can analyze traffic for banned content, even allowing for dynamic blocking of certain keywords.
How does deep packet inspection work?
Deep packet inspection works by examining both the header and payload of each of the data packets that travel through a network. DPI analyzes each packet that passes through its filters to make sure it complies with certain rules. These rules can range from basic stuff like an IP blocklist, or a protocol blocklist, to advanced rules like detecting spam in email or dynamically identifying malware based on an overall traffic pattern of life.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
As a packet travels through the network, it passes through an inspection point where DPI occurs. Usually, this is a network switch that either copies all of the traffic heading through it and broadcasts it to a dedicated device that performs DPI, or a network tap that sits between two devices and passively analyzes the traffic that flows through it.
Either way, all of the traffic that passes through the DPI point is being analyzed. DPI reads the packet’s header to see where it’s going and checks the payload to see what kind of data it contains (e.g., video stream, email, malware). The DPI system can then block the packet if it contains undesirable content, reroute the packet if traffic needs optimization, or simply allow the packet to pass through if everything checks out.
For example, DPI might identify that a VoIP call is in progress and reroute that traffic to dedicated low-latency servers to preserve the quality of the call. Conversely, DPI might also identify that a traffic stream is BitTorrent traffic and lower the priority of the packets passing through the network in favor of other protocols like HTTP.
However, one of the biggest issues we’re concerned about is the relationship between DPI and VPNs, which are easily blocked by most DPI systems.
Can you prevent detection by deep packet inspection?
If you’re using a secure VPN to protect your privacy, or one of the best streaming VPNs to bypass content restrictions in countries where internet surveillance is mandated by law, you’re most likely going to run into DPI being used to block your VPN connection.
This is because the ISP you’re using can’t read your VPN traffic, so they do the next best thing: blocking the connection so you’re forced to fall back onto a non-encrypted connection where they can read the network traffic again.
Most VPN protocols, like OpenVPN and WireGuard, openly signal that they are encrypting traffic by advertising the protocol in the packet header. Although they ensure data is secure by encrypting it, they don’t hide the fact that it’s a VPN connection.
That said, there are ways to prevent DPI from detecting your VPN. Some VPN services offer advanced features designed specifically to evade DPI, but there are some small differences in how they work. What you’re most likely to encounter is something called an "obfuscated protocol," such as Shadowsocks, which was designed to be used by the best VPNs for China, to evade China’s Great Firewall.
Obfuscation is the act of hiding the fact that you're using a VPN at all. What they do is wrap your encrypted VPN traffic in a second layer of encryption designed to look like regular HTTPS traffic. This means that from the ISPs perspective, all you’re doing is connecting to an encrypted website and sending traffic back and forth with it.
There’s no characteristic VPN protocol header to identify, so the DPI system can’t block it. Shadowsocks specifically is an add-on to the OpenVPN protocol, but there are other projects out there working on obfuscating the WireGuard protocol too.
While some providers like Private Internet Access offer this feature as a separate protocol you can connect with, other providers like NordVPN use obfuscated servers instead. There isn’t a terrible amount of difference in the technical approach, but you’re less likely to get hit with an IP ban while using an obfuscated server as they’re specifically designed to only carry obfuscated traffic. This means that it’s harder for an ISP to work out the IP you’re connecting to is actually a VPN server.
Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.