How to trick ISP and bypass DPI on Android

Mutt



DPI (Deep Packet Inspection) is a technology that collects statistical information from packets, inspects them and filters traffic depending on the contents of the packet. Operators sometimes use it to filter entire protocols, such as BitTorrent.

There are two types of DPI: passive and active. The only difference is that an active DPI can drop the packet and prevent it from reaching the addressee, while a passive one can only inject a fake packet containing a redirect or a connection reset. The workarounds for both are similar.

DPI bypass techniques
Packet analysis systems are designed to handle traffic as fast as possible, so they examine only the most common request shapes and let non-typical requests through, even when those requests are fully compliant with the standard.

HTTP
A typical HTTP request (this is what all known browsers send) looks like this:
GET /index.php HTTP/1.1
Host: wikipedia.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5
Accept: text/html
Connection: keep-alive
Every header starts with a capital letter, followed by a colon, then one space, the header value, and the line ending CRLF (\r\n).

Let's take a look at RFC 7230:

Each header field consists of a case-insensitive field name followed
by a colon (":"), optional leading whitespace, the field value, and
optional trailing whitespace.
According to it, header names are case-insensitive, and any number of spaces may follow the colon. This means that a DPI matching the literal string "Host:" is broken simply by changing it to "hOsT:". Most servers will also accept the request if the line ending is changed from CRLF (\r\n) to a bare LF (\n).

HTTPS
In the case of HTTPS, DPI looks for the unencrypted SNI field, which contains the site's hostname. It would be possible to alter the SNI field, but that would require modifying the system libraries, so packet fragmentation is used to bypass HTTPS blocking instead; the same trick works for HTTP as well. The point is that almost all DPIs work only with individual packets and do not reassemble the whole connection, so it is enough to send the request to the site split across several TCP packets.
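The two weaknesses described above (exact-case header matching and per-packet matching without stream reassembly) are easiest to see from the inspection side. The following added example is not part of the original post and is not DPITunnel's code; it compares a naive per-segment, exact-case "Host:" matcher against a parser that first reassembles the stream and then reads headers the way RFC 7230 permits (case-insensitive names, optional whitespace after the colon, CRLF or bare LF). The sample requests and all function names are constructed for the example. The same reassemble-before-match principle applies to locating the SNI in a TLS ClientHello, which this example does not implement.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one HTTP request split across three TCP segments, with
# mixed-case header names, extra whitespace after the colon and bare-LF line
# endings. This is the shape of request the post says a simple DPI misses.
FRAGMENTED_SEGMENTS: List[bytes] = [
    b"GET /index.php HTTP/1.1\nhO",
    b"sT:    wikipedia.org\nuser-agent: Mozilla/5.0\n",
    b"connection: keep-alive\n\n",
]

# Constructed sample: the same request in the canonical form browsers send.
CANONICAL_REQUEST: bytes = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: wikipedia.org\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def naive_host_match(segment: bytes) -> Optional[str]:
    """Per-segment, exact-case, CRLF-only match: the matching style the post
    describes. Returns the host if it is found in this one segment, else None."""
    m = re.search(rb"Host: ([^\r\n]+)\r\n", segment)
    return m.group(1).decode("ascii") if m else None


def reassemble(segments: List[bytes]) -> bytes:
    """Join in-order TCP segments back into the byte stream the server sees.
    Real reassembly also orders segments by sequence number; the constructed
    sample is already in order."""
    return b"".join(segments)


def parse_request(stream: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse the request head the way RFC 7230 allows: field names are
    case-insensitive, optional whitespace may follow the colon, and a bare LF
    is accepted as a line terminator as well as CRLF. Header names are
    returned lowercased so lookups are case-insensitive."""
    lines = stream.split(b"\n")
    request_line = lines[0].rstrip(b"\r").decode("latin-1")
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        line = raw.rstrip(b"\r")
        if line == b"":  # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower().decode("latin-1")] = value.strip(b" \t").decode("latin-1")
    return request_line, headers


def host_seen_by_naive_dpi(segments: List[bytes]) -> Optional[str]:
    """What per-segment, exact-match inspection extracts from the connection."""
    for seg in segments:
        host = naive_host_match(seg)
        if host is not None:
            return host
    return None


def host_seen_by_normalizing_dpi(segments: List[bytes]) -> Optional[str]:
    """What inspection that reassembles the stream and normalizes headers extracts."""
    _, headers = parse_request(reassemble(segments))
    return headers.get("host")


if __name__ == "__main__":
    print("fragmented, naive     :", host_seen_by_naive_dpi(FRAGMENTED_SEGMENTS))
    print("fragmented, normalized:", host_seen_by_normalizing_dpi(FRAGMENTED_SEGMENTS))
    print("canonical, naive      :", host_seen_by_naive_dpi([CANONICAL_REQUEST]))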

DNS
All the previous methods are useless if the site's address was already resolved incorrectly at the DNS level. Many operators redirect all DNS requests to their own server and, if the site is blocked, return a false response. This is solved by using the DNS over HTTPS protocol.

How to trick and bypass DPI
For Windows and Linux there are already solutions such as GoodbyeDPI and GreenTunnel, but until recently there was nothing like them for Android; only recently did DPITunnel appear.

It works as a local HTTP proxy to which all system traffic is directed and modified using the methods above. If those do not work, there is also support for a SOCKS5 proxy, which is used only for blocked sites and does not slow down the rest of the traffic.

How to use DPITunnel
If you have root, select "Install DPITunnel proxy globally" in the program settings and press the button on the main screen. Without root, press the button on the main screen and then set the proxy manually in the Wi-Fi or APN settings. Proxy address: 127.0.0.1; the port is the one specified in the program settings.

Known bugs
One known bug: if the background service was killed by the system and could not shut down cleanly, then on restart the service sometimes crashes after a few seconds. This is solved by choosing a different port in the program settings.