What is DPI: How ISPs block the internet
When Telegram is blocked in a country, users usually notice it suddenly: the app was working, and then it stopped. Behind this "suddenly" stands a specific technology used by internet service providers worldwide — Deep Packet Inspection, or DPI. Understanding how it works means understanding why MTProxy deals with it so effectively.
A bit about architecture: OSI layers
To explain DPI, we need to recall the OSI model — a seven-layer framework describing how data is transmitted over a network.
Standard firewalls operate at layers 3–4: they look at IP addresses and ports to decide whether to allow or block a packet. This is crude and fast, but easy to circumvent — just change the IP or port.
DPI works differently. It acts as an X-ray for packets, analyzing traffic all the way up to layer 7 — the content of the application itself. It doesn’t just look at where the packet is going, but what is inside it.
How DPI analyzes traffic
DPI uses several analysis methods that can be applied simultaneously.
Signature analysis
Every protocol leaves characteristic "fingerprints"—signatures—in the data stream. For example:
- A TLS connection always begins with a ClientHello message of a specific structure.
- An SSH session opens with the string SSH-2.0-...
- Older versions of MTProto had a specific pattern in the first bytes of the handshake.
When DPI detects a known signature, it can immediately make a decision: allow, block, or queue for deeper analysis.
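The following sketch shows signature matching on the first bytes of a flow, covering the TLS and SSH cases listed above. It is an added example, not code from any DPI product; the function names and the sample ClientHello are constructed for illustration, and reading the server name (SNI) out of the ClientHello goes one step beyond the text to show what a layer-7 inspector can extract once the signature matches.

```python
import struct

def build_client_hello(sni: bytes) -> bytes:
    """Constructed sample: a minimal ClientHello carrying one server name."""
    name = b"\x00" + struct.pack("!H", len(sni)) + sni            # host_name entry
    ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name  # server_name ext
    body = (b"\x03\x03" + bytes(32)        # client_version + random
            + b"\x00"                      # empty session_id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # TLS record header

def extract_sni(p: bytes):
    """Walk the ClientHello fields to the server_name extension, if present."""
    try:
        i = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        i += 1 + p[i]                      # session_id
        i += 2 + struct.unpack_from("!H", p, i)[0]   # cipher_suites
        i += 1 + p[i]                      # compression_methods
        end = i + 2 + struct.unpack_from("!H", p, i)[0]
        i += 2
        while i + 4 <= min(end, len(p)):
            ext_type, ext_len = struct.unpack_from("!HH", p, i)
            if ext_type == 0:              # server_name
                n = struct.unpack_from("!H", p, i + 7)[0]
                return p[i + 9:i + 9 + n].decode("ascii", "replace")
            i += 4 + ext_len
    except (IndexError, struct.error):
        pass                               # truncated or malformed hello
    return None

def classify(payload: bytes):
    """Return (label, detail) for the first payload bytes of a connection."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh", payload.split(b"\r\n")[0].decode("ascii", "replace")
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-clienthello", extract_sni(payload)
    return "unknown", None

if __name__ == "__main__":
    for sample in (build_client_hello(b"example.com"), b"SSH-2.0-OpenSSH_9.6\r\n", b"\xef" * 16):
        print(classify(sample))
```

A payload that matches neither signature comes back as "unknown", which is the case the heuristic and behavioral methods below are meant to handle.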
Heuristic analysis
Sometimes signatures are missing or encrypted. That's when heuristics come into play — a set of rules like "if X, then it's probably Y." For example:
- A connection active at night with regular intervals → looks like a VPN keepalive.
- Packets of identical size sent with a fixed delay → a streaming pattern.
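The two rules above can be expressed over packet metadata alone, without touching the payload. This is an added example, not taken from any real DPI system: the thresholds, labels and sample flows are assumed values constructed for illustration, and the time-of-day condition from the first rule is left out to keep the sketch short.

```python
from statistics import mean, pstdev

def cv(values):
    """Coefficient of variation: 0.0 means the values are perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def heuristic_label(packets, max_cv=0.05, keepalive_gap=10.0):
    """packets: list of (timestamp_seconds, payload_size).

    max_cv and keepalive_gap are assumed thresholds, not values from the article.
    """
    if len(packets) < 4:
        return "insufficient-data"
    times = [t for t, _ in packets]
    sizes = [s for _, s in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    regular_timing = cv(gaps) <= max_cv
    uniform_size = cv(sizes) <= max_cv
    # Rule 1: sparse packets at regular intervals look like a keepalive.
    if regular_timing and mean(gaps) >= keepalive_gap:
        return "keepalive-like"
    # Rule 2: identical sizes at a fixed delay look like a stream.
    if regular_timing and uniform_size:
        return "stream-like"
    return "no-match"

# Constructed sample flows (timestamps in seconds, sizes in bytes).
KEEPALIVE = [(i * 25.0, 64) for i in range(8)]
STREAM = [(i * 0.02, 1200) for i in range(50)]
BROWSING = [(0.0, 517), (0.04, 1400), (0.9, 120), (1.0, 1400), (4.2, 89), (4.25, 933)]

if __name__ == "__main__":
    for name, flow in (("keepalive", KEEPALIVE), ("stream", STREAM), ("browsing", BROWSING)):
        print(name, heuristic_label(flow))
```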
Behavioral analysis
This is the most complex method. The system doesn't just analyze individual packets; it looks at the entire flow of the connection over time:
Behavioral analysis is especially dangerous because it works even against fully encrypted traffic. It doesn't matter what's written inside; what matters is how the data is transmitted.
Where is DPI equipment installed
In countries like Russia, Iran, and China, Deep Packet Inspection equipment is installed directly at Internet Exchange Points (IXP) and major ISPs. In Russia, this happens within the framework of the "sovereign internet" law (TSPU — technical means of countering threats).
Key features of modern DPI systems:
- Operate at line rate — analyzing billions of packets without delays.
- Support Stateful Inspection — remembering the connection context.
- Update signature databases centrally, often multiple times a day.
Why DPI can't just block all encrypted traffic
A logical question follows: if DPI cannot decrypt the traffic, why not just block all unknown traffic?
The answer is simple: 90%+ of internet traffic is encrypted. HTTPS, banking, cloud services, corporate VPNs — all of this is "unknown" encrypted traffic. Blocking everything unrecognized equals disconnecting from the modern internet.
This is exactly why Telegram and other services use mimicry — disguising their traffic as "allowed" protocols.
How MTProto bypasses DPI
Telegram developers were aware of the DPI problem from the very beginning. MTProto 2.0 was designed with several defense mechanisms:
Padding (adding garbage bytes)
A random number of random bytes is added to each packet. The packet sizes become unpredictable — DPI cannot construct signatures based on size.
Obfuscation
The structure of MTProto packets in obfuscated mode looks like a random stream of bytes. There are no explicit markers of connection initiation characteristic of a specific protocol.
Fake TLS
Modern MTProxy servers wrap the connection in a simulated TLS handshake. To DPI, this looks like an ordinary HTTPS connection to a legitimate site.
For more details on how Fake TLS works, read our dedicated article.
What DPI sees when connecting via MTProxy with Fake TLS
From the perspective of a DPI system, this is just ordinary encrypted HTTPS traffic to a known domain. There is no reason to block it.
Limitations of MTProto protection
To be fair, MTProto is not a silver bullet.
- Statistical analysis: under prolonged observation of a connection, sophisticated systems can determine that the traffic is "too similar to TLS, but not actually TLS."
- IP blocks: blocking the IP of the proxy server itself is easier than analyzing the traffic — which is why rotating addresses is vital. At MTProxyHub, we automatically rotate nodes every 60 seconds.
- Active probing: some systems attempt to "reply" to a suspicious connection — if the server doesn't respond like real HTTPS, it gets blocked.
Learn more about the risks of public proxies and how IPv6 helps bypass mass blocks.
Technical details about the protocols can be found in the official documentation: MTProto at core.telegram.org and MTProxy description. The nature of DPI is detailed by Cloudflare on their blog.
FAQ
Can DPI read the contents of encrypted messages? No. DPI analyzes metadata and traffic patterns, but it cannot decrypt data protected by modern algorithms. Telegram additionally encrypts the contents of messages before sending them.
Why do ISPs not block all encrypted traffic? Because it would block HTTPS — all banking, online stores, social networks. The political and economic consequences are unacceptable.
Does changing DNS help against DPI? No. DPI inspects the packets themselves, not just DNS queries. Changing DNS helps bypass DNS blocking, but not DPI.
How does padding in MTProto help bypass DPI? MTProto adds a random number of "garbage" bytes to each packet, making the size unpredictable. DPI cannot build stable signatures based on packet sizes.
If you want to not just understand how this works, but also use a stable proxy right now — open the list of working MTProxies. All nodes are updated every 60 seconds.