Often residential networks operate some DPI devices either on LAN or WAN. Is there any way to fingerprint the DPI device(s) from the responses, headers or some other behavior on the network?
What are some easy tests to do that do not require extra software, but rather curl or other *NIX commands?
Also, any available tools that can be used to fingerprint DPIs would be very useful as well.
Some web filter companies have category “test pages” that are guaranteed to be blocked, if the filter is configured to block that particular category. I don’t know of a full list, but here are a few:
If the first one is blocked but the others are not, then you know it is a Sophos device. (Note the Netsweeper one isn’t working for me currently.)
There are certain network fingerprints you can look for, but I don’t know of a centralized list of these. For example, nsphostname= in a block page URL means Netsweeper. In 2016 I wrote some regexes for patterns that were then common in OONI web measurements. You can find them in the file ooni-tor-blocks/classify.py from https://archive.org/details/ndss16doyousee or git clone https://www.bamsoftware.com/git/ooni-tor-blocks.git. Some examples:
    import re

    # Excerpt in the style of classify.py: each check returns (matched, label). The wrapping
    # function name is illustrative; get_header() is a helper defined elsewhere in that file (not
    # shown) that returns the named response header, or the default when it is absent.
    def classify(response, body):
        if re.match("^http://.*/webadmin/deny/", get_header(response, "Location", "")):
            return True, "302-NETSWEEPER"
        if re.search("<meta name=\"author\" content=\"Blue Coat systems\">\n<meta name=\"description\" content=\"Denied Access Policy\">\n", body):
            return True, "403-BLUECOAT"
        if re.search("<li>McAfee Global Threat Intelligence has determined</li>", body):
            return True, "403-MCAFEE"
        return False, None
The header field manipulation tests are harder because they rely on having a cooperating server that can check the request and see if it has been modified from what the client sends. If you could find a server that tells you what headers it received, you could use that. http://wtfismyip.com/headers almost works, except that it canonicalizes case in the header names. It could work for detecting some kinds of manipulation.
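The two tests the answer describes, block-page fingerprinting and the cooperating-server header check, as one added example. This is not code from the original answer or from classify.py: the Netsweeper, Blue Coat and McAfee patterns follow the answer's regexes and the nsphostname= rule follows its prose, but the parser, the rule table, the header diff and every sample response and header set below are constructed for illustration and are not real captures.

```python
import re

# Added example, not the original answer's code: a small block-page classifier in
# the style of the answer's classify.py, plus a header diff for the "cooperating
# server" test it describes. All sample responses below are constructed, not captures.

# (label, field to inspect, pattern). The Netsweeper, Blue Coat and McAfee patterns
# follow the answer; the nsphostname= rule is taken from the answer's prose.
BLOCK_PAGE_RULES = [
    ("302-NETSWEEPER", "location", re.compile(r"^http://.*/webadmin/deny/")),
    ("302-NETSWEEPER", "location", re.compile(r"[?&]nsphostname=")),
    ("403-BLUECOAT", "body", re.compile(
        '<meta name="author" content="Blue Coat systems">\n'
        '<meta name="description" content="Denied Access Policy">\n')),
    ("403-MCAFEE", "body", re.compile(
        "<li>McAfee Global Threat Intelligence has determined</li>")),
]


def parse_response(raw):
    """Split a raw HTTP/1.x response (as written by `curl -si URL`) into
    (status_code, headers, body). Header names are lowercased so lookups do
    not depend on how the device cased them."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_block_page(raw):
    """Return (True, label) if the response matches a known block-page
    fingerprint, else (False, None). The first matching rule wins."""
    _status, headers, body = parse_response(raw)
    for label, field, pattern in BLOCK_PAGE_RULES:
        target = headers.get("location", "") if field == "location" else body
        if pattern.search(target):
            return True, label
    return False, None


def diff_headers(sent, echoed):
    """Compare the headers a client sent with those a cooperating echo server
    reports having received. Names are compared case-insensitively, so an echo
    service that canonicalizes header-name case (as the answer notes
    wtfismyip.com/headers does) does not produce false positives; only injected,
    stripped and rewritten headers are reported."""
    sent_l = {k.lower(): v for k, v in sent.items()}
    echoed_l = {k.lower(): v for k, v in echoed.items()}
    return {
        "added": sorted(set(echoed_l) - set(sent_l)),
        "removed": sorted(set(sent_l) - set(echoed_l)),
        "modified": sorted(k for k in sent_l.keys() & echoed_l.keys()
                           if sent_l[k] != echoed_l[k]),
    }


# Constructed samples in the shape of the block pages the answer describes.
NETSWEEPER_SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://filter.example/webadmin/deny/?nsphostname=blocked.example\r\n"
    "Content-Length: 0\r\n\r\n"
)
BLUECOAT_SAMPLE = (
    "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    '<html><head>\n<meta name="author" content="Blue Coat systems">\n'
    '<meta name="description" content="Denied Access Policy">\n</head></html>'
)
PLAIN_SAMPLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

# Constructed header echo: Accept-Encoding stripped (a device that wants
# uncompressed bodies to inspect), a Via header injected, User-Agent rewritten.
SENT_HEADERS = {"Host": "echo.example", "User-Agent": "curl/8.0",
                "Accept-Encoding": "gzip", "X-Probe": "1"}
ECHOED_HEADERS = {"host": "echo.example", "user-agent": "Mozilla/5.0",
                  "via": "1.1 dpi-proxy", "x-probe": "1"}

if __name__ == "__main__":
    for sample in (NETSWEEPER_SAMPLE, BLUECOAT_SAMPLE, PLAIN_SAMPLE):
        print(classify_block_page(sample))
    print(diff_headers(SENT_HEADERS, ECHOED_HEADERS))
```

To use it against a real network, save the output of `curl -si http://host/` (the `-i` keeps the raw status line and headers, CRLF included) and pass the file contents to classify_block_page(); for the header test, send a request with a few unusual headers to any server that echoes what it received, and feed the sent and echoed sets to diff_headers(). Case-insensitive name comparison is deliberate: it costs the ability to detect pure case changes, but avoids flagging every echo service that normalizes header names.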