DOCSLIB.ORG

Space Efficient Deep Packet Inspection of Compressed Web Traffic

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Space Efficient Deep Packet Inspection of Compressed Web Traffic Yehuda Afeka, Anat Bremler-Barrb,1, Yaron Korala,∗ aBlavatnik School of Computer Sciences Tel-Aviv University, Israel bComputer Science Dept. Interdisciplinary Center, Herzliya, Israel Abstract In this paper we focus on the process of deep packet inspection of compressed web traffic. The major limiting factor in this process imposed by the compression, is the high memory requirements of 32KB per connection. This leads to the requirements of hundreds of megabytes to gigabytes of main memory on a multi-connection setting. We introduce new algorithms and techniques that drastically reduce this space requirement for such bump-in-the-wire devices like security and other content based networking tools. Our proposed scheme improves both space and time performance by almost 80% and over 40% respectively, thus making real-time compressed traffic inspection a viable option for networking devices. Keywords: pattern matching, compressed http, network security, deep packet inspection 1. Introduction within the last 32KB of the text. Therefore, the decom- pression process requires a 32KB buffer of the recent Compressing HTTP text when transferring pages decompressed data to keep all possible bytes that might over the web is in sharp increase motivated mostly by be back-referenced by the pointers, what causes a major the increase in web surfing over mobile devices. Sites space penalty. Considering today’s mid-range firewalls such as Yahoo!, Google, MSN, YouTube, Facebook and which are built to support 100K to 200K concurrent others use HTTP compression to enhance the speed connections, keeping a buffer for the 32KB window for of their content download. In Section 7.2 we provide each connection occupies few gigabytes of main mem- statistics on the percentage of top sites using HTTP ory. Decompression causes also a time penalty but the Compression. Among the top 1000 most popular sites time aspect was successfully reduced in [1]. 66% use HTTP compression (see Figure 5). The stan- This high memory requirement leaves the vendors dard compression method used by HTTP 1.1 is GZIP. and network operators with three bad options: either ig- This sharp increase in HTTP compression presents nore compressed traffic, or forbid compression, or divert new challenges to networking devices, such as the compressed traffic for offline processing. Obviously intrusion-prevention system (IPS), content filtering and neither is acceptable as they present a security hole or web-application firewall (WAF), that inspect the con- serious performance degradation. tent for security hazards and balancing decisions. Those devices reside between the server and the client and The basic structure of our approach is to keep the ff perform Deep Packet Inspection (DPI). Upon receiving 32KB bu er of all connections compressed, except for compressed traffic the networking device needs first to the data of the connection whose packet(s) is now be- decompress the message in order to inspect its payload. ing processed. Upon packet arrival, unpack its connec- ff We note that GZIP replaces repeated strings with back- tion bu er and process it. One may na¨ıvely suggest references, denoted as pointers, to their prior occurrence to just keep the appropriate amount of original com- pressed data as it was received. However this approach fails since the buffer would contain recursive pointers ∗Corresponding author to data more than 32KB backwards. Our technique, Email addresses: [email protected] (Yehuda Afek), called “Swap Out-of-boundary Pointers” (SOP), packs [email protected] (Anat Bremler-Barr), the buffer’s connection by combining recent informa- [email protected] (Yaron Koral) 1Supported by European Research Council (ERC) Starting Grant tion from both compressed and uncompressed 32KB no. 259085. buffer to create the new compressed buffer that contains Preprint submitted to Computer Communications September 9, 2012 pointers that refer only to locations within itself. We LZ77 Compression [4]- The purpose of LZ77 is to show that by employing our technique for DPI on real reduce the string presentation size, by spotting repeated life data we reduce the space requirement by a factor strings within the last 32KB of the uncompressed data. of 5 with a time penalty of 26%. Notice that while our The algorithm replaces a repeated string by a backward- method modifies the compressed data locally, it is trans- pointer consisting of a (distance,length) pair, where dis- parent to both the client and the server. tance is a number in [1,32768] (32K) indicating the We further design an algorithm that combines our distance in bytes of the string and length is a number SOP technique that reduces space with the ACCH al- in [3,258] indicating the length of the repeated string. gorithm which was presented in [1] (method that accel- For example, the text: ‘abcdeabc’ can be compressed erates the pattern matching on compressed HTTP traf- to: ‘abcde(5,3)’; namely, “go back 5 bytes and copy 3 fic). The combined algorithm achieves an improvement bytes from that point”. LZ77 refers to the above pair as of 42% on the time and 79% on the space requirements. “pointer” and to uncompressed bytes as “literals”. The time-space tradeoff presented by our technique pro- Huffman Coding [5]- Recall that the second stage of vides the first solution that enables DPI on compressed GZIP is the Huffman coding, that receives the LZ77 traffic in wire speed for network devices such as IPS and symbols as input. The purpose of Huffman coding is WAF. to reduce the symbol coding size by encoding frequent The paper is organized as follows: A background on symbols with fewer bits. The Huffman coding method compressed web traffic and DPI is presented in Section builds a dictionary that assigns to symbols from a given 2. An overview on the related work appears in Section alphabet a variable-size codeword (coded symbol). The 3. An overview on the challenges in performing DPI on codewords are coded such that no codeword is a prefix compressed traffic appears in Section 4. In Section 5 we of another so the end of each codeword can be easily de- describe our SOP algorithm and in Section 6 we present termined. Dictionaries are constructed to facilitate the the combined algorithm for the entire DPI process. Sec- translation of binary codewords to bytes. tion 7 describes the experimental results for the above In the case of GZIP, Huffman encodes both literals algorithms and concluding remarks appear in Section 8. and pointers. The distance and length parameters are Preliminary abstract of this paper was published in treated as numbers, where each of those numbers is the proceedings of IFIP Networking 2011 [2]. coded with a separate codeword. The Huffman dictio- nary which states the encoding of each symbol, is usu- 2. Background ally added to the beginning of the compressed file (oth- erwise a predefined dictionary is selected). In this section we provide background on compressed The Huffman decoding process is relatively fast. A HTTP and DPI and its time and space requirements. common implementation (cf. zlib [6]) extracts the dic- This helps us in explaining the considerations behind tionary, with average size of 200B, into a temporary the design of our algorithm and is supported by our ex- lookup-table that resides in the cache. Frequent sym- perimental results described in Section 7. bols require only one lookup-table reference, while less Compressed HTTP: HTTP 1.1 [3] supports the us- frequent symbols require two lookup-table references. age of content-codings to allow a document to be com- Deep packet inspection (DPI): DPI is the process of pressed. The RFC suggests three content-codings: identifying signatures (patterns or regular expressions) GZIP, COMPRESS and DEFLATE. In fact, GZIP uses in the packet payload. Today, the performance of secu- DEFLATE as its underlying compression protocol. For rity tools is dominated by the speed of the underlying the purpose of this paper they are considered the same. DPI algorithms [7]. The two most common algorithms Currently GZIP and DEFLATE are the common cod- to perform string matching are the Aho-Corasick (AC) ings supported by current browsers and web servers.2 [8] and Boyer-Moore (BM) [9] algorithms. The BM The GZIP algorithm uses a combination of the fol- algorithm does not have deterministic time complexity lowing compression techniques: first the text is com- and is prone to denial-of-service attacks using tailored pressed with the LZ77 algorithm and then the output is input as discussed in [10]. Therefore the AC algorithm compressed with the Huffman coding. Let us elaborate is the standard. The implementations need to deal with on the two algorithms: thousands of signatures. For example, ClamAV [11] virus-signature database contains 27 000 patterns, and the popular Snort IDS [12] has 6 600 patterns; note that 2Analyzing captured packets from last versions of both Internet Explorer, FireFox and Chrome browsers shows that accept only the typically the number of patterns considered by IDS sys- GZIP and DEFLATE codings. tems grows quite rapidly over time. 2 In Section 6 we provide an algorithm that combines the pattern matching task on compressed traffic and did our SOP technique with a Aho-Corasick based DPI al- not handle the space problem, and it still requires the gorithm. The Aho-Corasick algorithm relies on an un- decompression. We show in Section 6 that our paper derlying Deterministic Finite Automaton (DFA) to sup- can be combined with the techniques of [1] to achieve port all required patterns. A DFA is represented by a a fast pattern matching algorithm for compressed traf- “five-tuple” consisting of a finite set of states, a finite set fic, with moderate space requirement.
Recommended publications
  • Application Profile Avi Networks — Technical Reference (16.3)

    Application Profile Avi Networks — Technical Reference (16.3)

    Page 1 of 12 Application Profile Avi Networks — Technical Reference (16.3) Application Profile view online Application profiles determine the behavior of virtual services, based on application type. The application profile types and their options are described in the following sections: HTTP Profile DNS Profile Layer 4 Profile Syslog Profile Dependency on TCP/UDP Profile The application profile associated with a virtual service may have a dependency on an underlying TCP/UDP profile. For example, an HTTP application profile may be used only if the TCP/UDP profile type used by the virtual service is set to type TCP Proxy. The application profile associated with a virtual service instructs the Service Engine (SE) to proxy the service's application protocol, such as HTTP, and to perform functionality appropriate for that protocol. Application Profile Tab Select Templates > Profiles > Applications to open the Application Profiles tab, which includes the following functions: Search: Search against the name of the profile. Create: Opens the Create Application Profile popup. Edit: Opens the Edit Application Profile popup. Delete: Removes an application profile if it is not currently assigned to a virtual service.Note: If the profile is still associated with any virtual services, the profile cannot be removed. In this case, an error message lists the virtual service that still is referencing the application profile. The table on this tab provides the following information for each application profile: Name: Name of the Profile. Type: Type of application profile, which will be either: DNS: Default for processing DNS traffic. HTTP: Default for processing Layer 7 HTTP traffic.
  • SSL/TLS Implementation CIO-IT Security-14-69

    SSL/TLS Implementation CIO-IT Security-14-69

    DocuSign Envelope ID: BE043513-5C38-4412-A2D5-93679CF7A69A IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 Revision 6 April 6, 2021 Office of the Chief Information Security Officer DocuSign Envelope ID: BE043513-5C38-4412-A2D5-93679CF7A69A CIO-IT Security-14-69, Revision 6 SSL/TLS Implementation VERSION HISTORY/CHANGE RECORD Person Page Change Posting Change Reason for Change Number of Number Change Change Initial Version – December 24, 2014 N/A ISE New guide created Revision 1 – March 15, 2016 1 Salamon Administrative updates to Clarify relationship between this 2-4 align/reference to the current guide and CIO-IT Security-09-43 version of the GSA IT Security Policy and to CIO-IT Security-09-43, IT Security Procedural Guide: Key Management 2 Berlas / Updated recommendation for Clarification of requirements 7 Salamon obtaining and using certificates 3 Salamon Integrated with OMB M-15-13 and New OMB Policy 9 related TLS implementation guidance 4 Berlas / Updates to clarify TLS protocol Clarification of guidance 11-12 Salamon recommendations 5 Berlas / Updated based on stakeholder Stakeholder review / input Throughout Salamon review / input 6 Klemens/ Formatting, editing, review revisions Update to current format and Throughout Cozart- style Ramos Revision 2 – October 11, 2016 1 Berlas / Allow use of TLS 1.0 for certain Clarification of guidance Throughout Salamon server through June 2018 Revision 3 – April 30, 2018 1 Berlas / Remove RSA ciphers from approved ROBOT vulnerability affected 4-6 Salamon cipher stack
  • Poster: Introducing Massbrowser: a Censorship Circumvention System Run by the Masses

    Poster: Introducing Massbrowser: a Censorship Circumvention System Run by the Masses

    Poster: Introducing MassBrowser: A Censorship Circumvention System Run by the Masses Milad Nasr∗, Anonymous∗, and Amir Houmansadr University of Massachusetts Amherst fmilad,[email protected] ∗Equal contribution Abstract—We will present a new censorship circumvention sys- side the censorship regions, which relay the Internet traffic tem, currently being developed in our group. The new system of the censored users. This includes systems like Tor, VPNs, is called MassBrowser, and combines several techniques from Psiphon, etc. Unfortunately, such circumvention systems are state-of-the-art censorship studies to design a hard-to-block, easily blocked by the censors by enumerating their limited practical censorship circumvention system. MassBrowser is a set of proxy server IP addresses [14]. (2) Costly to operate: one-hop proxy system where the proxies are volunteer Internet To resist proxy blocking by the censors, recent circumven- users in the free world. The power of MassBrowser comes from tion systems have started to deploy the proxies on shared-IP the large number of volunteer proxies who frequently change platforms such as CDNs, App Engines, and Cloud Storage, their IP addresses as the volunteer users move to different a technique broadly referred to as domain fronting [3]. networks. To get a large number of volunteer proxies, we This mechanism, however, is prohibitively expensive [11] provide the volunteers the control over how their computers to operate for large scales of users. (3) Poor QoS: Proxy- are used by the censored users. Particularly, the volunteer based circumvention systems like Tor and it’s variants suffer users can decide what websites they will proxy for censored from low quality of service (e.g., high latencies and low users, and how much bandwidth they will allocate.
  • Brocade Vyatta Network OS ALG Configuration Guide, 5.2R1

    Brocade Vyatta Network OS ALG Configuration Guide, 5.2R1

    CONFIGURATION GUIDE Brocade Vyatta Network OS ALG Configuration Guide, 5.2R1 Supporting Brocade 5600 vRouter, VNF Platform, and Distributed Services Platform 53-1004711-01 24 October 2016 © 2016, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at www.brocade.com/en/legal/ brocade-Legal-intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it. The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
  • Protecting Encrypted Cookies from Compression Side-Channel Attacks

    Protecting Encrypted Cookies from Compression Side-Channel Attacks

    Protecting encrypted cookies from compression side-channel attacks Janaka Alawatugoda1, Douglas Stebila1;2, and Colin Boyd3 1 School of Electrical Engineering and Computer Science, 2 School of Mathematical Sciences 1;2 Queensland University of Technology, Brisbane, Australia [email protected],[email protected] 3 Department of Telematics, Norwegian University of Science and Technology, Trondheim, Norway [email protected] December 28, 2014 Abstract Compression is desirable for network applications as it saves bandwidth; however, when data is compressed before being encrypted, the amount of compression leaks information about the amount of redundancy in the plaintext. This side channel has led to successful CRIME and BREACH attacks on web traffic protected by the Transport Layer Security (TLS) protocol. The general guidance in light of these attacks has been to disable compression, preserving confidentiality but sacrificing bandwidth. In this paper, we examine two techniques|heuristic separation of secrets and fixed-dictionary compression|for enabling compression while protecting high-value secrets, such as cookies, from attack. We model the security offered by these techniques and report on the amount of compressibility that they can achieve. 1This is the full version of a paper published in the Proceedings of the 19th International Conference on Financial Cryptography and Data Security (FC 2015) in San Juan, Puerto Rico, USA, January 26{30, 2015, organized by the International Financial Cryptography Association in cooperation with IACR. 1 Contents 1 Introduction 3 2 Definitions 6 2.1 Encryption and compression schemes.........................6 2.2 Existing security notions................................7 2.3 New security notions..................................7 2.4 Relations and separations between security notions.................8 3 Technique 1: Separating secrets from user inputs9 3.1 The scheme.......................................9 3.2 CCI security of basic separating-secrets technique.................
  • A Comprehensive Study of the BREACH A8ack Against HTTPS

    A Comprehensive Study of the BREACH A8ack Against HTTPS

    A Comprehensive Study of the BREACH A8ack Against HTTPS Esam Alzahrani, JusCn Nonaka, and Thai Truong 12/03/13 BREACH Overview Browser Reconnaissance and Exfiltraon via AdapCve Compression of Hypertext Demonstrated at BlackHat 2013 by Angelo Prado, Neal Harris, and Yoel Gluck • Chosen plaintext aack against HTTP compression • Client requests a webpage, the web server’s response is compressed • The HTTP compression may leak informaon that will reveal encrypted secrets about the user Network Intrusion DetecCon System Edge Firewall Switch Router DMZ Clients A8acker (Vicm) 2 BREACH Requirements Requirements for chosen plain text (side channel) aack • The web server should support HTTP compression • The web server should support HTTPS sessions • The web server reflects the user’s request • The reflected response must be in the HTML Body • The aacker must be able to measure the size of the encrypted response • The aacker can force the vicCm’s computer to send HTTP requests • The HTTP response contains secret informaon that is encrypted § Cross Site Request Forgery token – browser redirecCon § SessionID (uniquely idenCfies HTTP session) § VIEWSTATE (handles mulCple requests to the same ASP, usually hidden base64 encoded) § Oath tokens (Open AuthenCcaon - one Cme password) § Email address, Date of Birth, etc (PII) SSL/TLS protocol structure • X.509 cerCficaon authority • Secure Socket Layer (SSL) • Transport Layer Security (TLS) • Asymmetric cryptography for authenCcaon – IniCalize on OSI layer 5 (Session Layer) – Use server public key to encrypt pre-master
  • Managed Firewalls

    Managed Firewalls

    DEDICATED HOSTING PRODUCT OVERVIEW MANAGED FIREWALLS Securing your network from malicious activity. Rackspace delivers expertise and service for the world’s leading clouds and technologies. TRUST RACKSPACE And we can help secure your dedicated servers and your cloud, with firewalls from Cisco® and • A leader in the 2017 Gartner Magic Quadrant Juniper Networks — fully supported around the clock by certified Rackspace engineers. Your for Public Cloud Infrastructure Managed Service firewall is dedicated completely to your environment for the highest level of network security Providers, Worldwide and connectivity, and includes access to our Firewall Manager and our One-Hour Hardware • Hosting provider for more than half of the Replacement Guarantee. Fortune 100 • 16+ years of hosting experience WHY RACKSPACE FOR DEDICATED, FULLY MANAGED FIREWALLS? • Customers in 150+ countries You have valuable and confidential information stored on your dedicated and cloud servers. Dedicated firewalls from Cisco and Juniper Networks add an additional layer of security to your servers, helping to stop potentially malicious packets from ever reaching your network. “RACKSPACE’S SECURITY CONTROLS AND REPUTATION AS AN SSAE 16 CERTIFIED KEY BENEFITS PROVIDER HAS BEEN A Highest level of security: Help protect your data and stop potentially malicious packets TREMENDOUS FACTOR IN OUR from entering your network with an IPSec, and Common Criteria EAL4 evaluation status certified firewall. SUCCESS.” DAVID SCHIFFER :: FOUNDER AND PRESIDENT, Expertise: Rackspace security experts fully manage your firewalls 24x7x365. Consult with SAFE BANKING SYSTEMS CISSP-certified security engineers to assess and architect your firewalls to help you meet your security and compliance requirements. Visibility and control: Help protect your infrastructure with deep packet inspection of traffic based on traffic filtering rules you define.
  • A Perfect CRIME?

    A Perfect CRIME?

    AA PerfectPerfect CRIME?CRIME? OnlyOnly TIMETIME WillWill TellTell Tal Be'ery, Amichai Shulman i ii Table of Contents 1. Abstract ................................................................................................................ 4 2. Introduction to HTTP Compression ................................................................. 5 2.1 HTTP compression and the web .............................................................................................. 5 2.2 GZIP ........................................................................................................................................ 6 2.2.1 LZ77 ................................................................................................................................ 6 2.2.2 Huffman coding ............................................................................................................... 6 3. CRIME attack ..................................................................................................... 8 3.1 Compression data leaks ........................................................................................................... 8 3.2 Attack outline ........................................................................................................................... 8 3.3 Attack example ........................................................................................................................ 9 4. Extending CRIME ............................................................................................
  • Randomized Lempel-Ziv Compression for Anti-Compression Side-Channel Attacks

    Randomized Lempel-Ziv Compression for Anti-Compression Side-Channel Attacks

    Randomized Lempel-Ziv Compression for Anti-Compression Side-Channel Attacks by Meng Yang A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied Science in Electrical and Computer Engineering Waterloo, Ontario, Canada, 2018 c Meng Yang 2018 I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. ii Abstract Security experts confront new attacks on TLS/SSL every year. Ever since the compres- sion side-channel attacks CRIME and BREACH were presented during security conferences in 2012 and 2013, online users connecting to HTTP servers that run TLS version 1.2 are susceptible of being impersonated. We set up three Randomized Lempel-Ziv Models, which are built on Lempel-Ziv77, to confront this attack. Our three models change the determin- istic characteristic of the compression algorithm: each compression with the same input gives output of different lengths. We implemented SSL/TLS protocol and the Lempel- Ziv77 compression algorithm, and used them as a base for our simulations of compression side-channel attack. After performing the simulations, all three models successfully pre- vented the attack. However, we demonstrate that our randomized models can still be broken by a stronger version of compression side-channel attack that we created. But this latter attack has a greater time complexity and is easily detectable. Finally, from the results, we conclude that our models couldn't compress as well as Lempel-Ziv77, but they can be used against compression side-channel attacks.
  • Deep Packet Inspection Bypass

    Deep Packet Inspection Bypass

    Deep Packet Inspection Bypass Thomas Kjøglum Master of Science in Communication Technology Submission date: February 2015 Supervisor: Stig Frode Mjølsnes, ITEM Norwegian University of Science and Technology Department of Telematics 1 Title: Deep Packet Inspection Bypass Student: Thomas Kjøglum Problem description: Authoritarian governments consistently request the network operators to censor internet communications. Deep packet inspection systems and tools are regularly in use for this purpose. Several techniques have been proposed to bypass these communication restrictions. One example is the Kickstarter project titled "Operator, a News Reader that Circumvents Internet Censorship" by Brandon Wiley. Wiley has designed a protocol "Dust" [1] that aims to defeat a number of filtering methods currently in active use to censor Internet communication. Some basic questions are: How is it possible to bypass deep packet inspection filters with high likelihood? On the other hand, could the approach of Dust and other filtering bypass techniques be useful for masquerading malicious code? The candidate will start out by investigating possible techniques for bypassing a open source packet inspection tool, such as SNORT. The candidate will support his experimentation by method of setting up and running hacker competitions (or trials) where the participants’ challenge will be to set up, configure and run efficient deep packet inspection systems directed against various types of "subversive communications" generated by the organizer of the competition. [1] WILEY, Brandon. Dust: A blocking-resistant internet transport protocol. Tech- nical report. http://blanu.net/Dust.pdf, 2011. Responsible professor: Stig Frode Mjølsnes, ITEM Supervisor: Stig Frode Mjølsnes, ITEM Abstract Internet censorship is a problem, where governments and authorities restricts access to what the public can read on the Internet.
  • Deep Packet Inspection and Internet Censorship: International Convergence on an ‘Integrated Technology of Control’1

    Deep Packet Inspection and Internet Censorship: International Convergence on an ‘Integrated Technology of Control’1

    Deep Packet Inspection and Internet Censorship: International Convergence on an ‘Integrated Technology of Control’1 Ben Wagner, Ludwig-Maximilians-Universität München and Universiteit Leiden Introduction* The academic debate on deep packet inspection (DPI) centres on methods of network management and copyright protection and is directly linked to a wider debate on freedom of speech on the Internet. The debate is deeply rooted in an Anglo-Saxon perspective of the Internet and is frequently depicted as a titanic struggle for the right to fundamentally free and unfettered access to the Internet.2 This debate is to a great extent defined by commercial interests. These interests whether of copyright owners, Internet service providers, 1 (Bendrath 2009) * A first draft of this paper was presented at the 3rd Annual Giganet Symposium in December 2008 in Hyderabad, India. For their advice and support preparing this paper I would like to thank: Ralf Bendrath, Claus Wimmer, Geert Lovink, Manuel Kripp, Hermann Thoene, Paul Sterzel, David Herzog, Rainer Hülsse, Wolfgang Fänderl and Stefan Scholz. 2 (Frieden 2008, 633-676; Goodin 2008; Lehr et al. 2007; Mueller 2007, 18; Zittrain 2008) Deep Packet Inspection and Internet Censorship: International Convergence on an ‘Integrated Technology of Control’1, by Ben Wagner application developers or consumers, are all essentially economic. All of these groups have little commercial interest in restricting free speech as such. However some might well be prepared to accept a certain amount of ‘collateral damage’ to internet free speech in exchange for higher revenues. It can be argued that more transparent and open practices from network service providers are needed regarding filtering policy and the technology used.
  • ISA09 Paper Ralf Bendrath DPI

    ISA09 Paper Ralf Bendrath DPI

    Ralf Bendrath Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection Paper prepared for the International Studies Annual Convention New York City, 15-18 February 2009 first draft Updated versions will be available from the author upon request. author contact information Delft University of Technology Faculty of Technology, Policy, and Management Section ICT P.O. Box 5015 2600 GA Delft Netherlands [email protected] http://bendrath.blogspot.com Abstract Technological advances in routers and network monitoring equipment now allow internet service providers (ISPs) to monitor the content of data flows in real-time and make decisions accordingly about how to handle them. If rolled out widely, this technology known as deep packet inspection (DPI) would turn the internet into something completely new, departing from the “dumb pipe” principle which Lawrence Lessig has so nicely compared to a “daydreaming postal worker” who just moves packets around without caring about their content. The internet’s design, we can see here, is the outcome of political and technological decisions and trends. The paper examines the deployment of DPI by internet service providers in different countries, as well as their different motives. In a second step, it will offer a first explanation of the varying cases by examining the different factors promoting as well as constraining the use of DPI, and how they play out in different circumstances. The paper uses and combines theoretical approaches from different strands of research: Sociology of technology, especially the concept of disruptive technologies; and interaction-oriented policy research, namely the approach of actor-centric institutionalism.