NOTE: While DeepSeek can be useful, it is prohibited by many companies and government entities. Policy and technical controls must be in place to prevent its use, and it is vital to confirm that they work by testing with BreakingPoint. These tests validate the security measures and help organizations prevent accidental or malicious use of the platform.
DeepSeek is an open-source, decentralized search engine that offers a range of customizable search tools within one platform. It delivers search results for various types of content such as text, pictures and more. Users can customize their search experience through community contributions as well as open systems.
Network Traffic Analysis
The ATI team at Keysight has analyzed the network traffic of DeepSeek and found some interesting insights that can help other researchers, optimize performance and ensure secure usage. The analysis used HAR captures of a web session. DeepSeek operates with standard web protocols, relying on secure TLS encryption for communication.
Overall Analysis
We have performed extensive user interactions with the DeepSeek web application. The captured traffic was completely TLS encrypted. We have further analyzed the traffic based on host names.
In the figure above, the largest number of request-response pairs was seen for chat.deepseek.com, followed by apmplus.ap-southeast-1.volces.com. The first host is the main host supporting most of the functional activities (e.g., login, policy checking, loading post contents), while the latter mainly serves static artifacts.
Figure 2: Cumulative payload per host
The diagram above shows that the host chat.deepseek.com has the maximum cumulative payload, followed by fonts.gstatic.com (the hostname for serving web fonts). The remaining hosts create smaller network footprints.
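The per-host breakdown described above can be reproduced from any HAR export. The following is an added example, not Keysight's tooling: the sample HAR is constructed (placeholder paths, made-up sizes), and "cumulative payload" is assumed to mean request plus response body bytes.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def _entry(method, url, req_size, resp_size, content_size=0):
    """Build one HAR 1.2 entry with only the fields this example reads."""
    return {"request": {"method": method, "url": url, "bodySize": req_size},
            "response": {"status": 200, "bodySize": resp_size,
                         "content": {"size": content_size}}}

# Constructed sample, not the capture from the article: hostnames are the ones
# named in the text, paths are placeholders and all sizes are made up.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("POST", "https://chat.deepseek.com/placeholder/session", 120, 300),
    _entry("POST", "https://chat.deepseek.com/placeholder/query", 200, -1, 5000),
    _entry("GET", "https://chat.deepseek.com/", 0, 9000),
    _entry("GET", "https://apmplus.ap-southeast-1.volces.com/placeholder/a.js", -1, 500),
    _entry("GET", "https://apmplus.ap-southeast-1.volces.com/placeholder/b.js", -1, 500),
    _entry("GET", "https://fonts.gstatic.com/placeholder/font.woff2", 0, 8000),
]}})

def per_host_summary(har_text):
    """Return {host: {"requests": n, "bytes": total body bytes}} for a HAR document."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = (urlsplit(req["url"]).hostname or "unknown").lower()
        # HAR records -1 when a size is unknown; never let that subtract bytes.
        req_bytes = max(req.get("bodySize", -1), 0)
        resp_bytes = resp.get("bodySize", -1)
        if resp_bytes < 0:  # fall back to the decoded content size
            resp_bytes = max(resp.get("content", {}).get("size", 0), 0)
        stats[host]["requests"] += 1
        stats[host]["bytes"] += req_bytes + resp_bytes
    return dict(stats)

def ranked(summary, key):
    """Hosts ordered from largest to smallest by 'requests' or 'bytes'."""
    return sorted(summary, key=lambda host: summary[host][key], reverse=True)

if __name__ == "__main__":
    summary = per_host_summary(SAMPLE_HAR)
    for host in ranked(summary, "requests"):
        print(f"{host:40} {summary[host]['requests']:3} req {summary[host]['bytes']:7} B")
```

The host list this produces is also the starting point for the egress-policy validation that the note at the top of the page calls for.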
Analyzing Endpoints
By examining the HAR file, we gain a detailed view of the HTTP requests and responses between the client and DeepSeek’s servers. This analysis focuses on critical endpoints and their roles in the platform’s functionality.
Session Creation
- Method: POST
- Purpose: Initiates a new chat session for the user.
- Request Headers:
  - Content-Type: application/json
  - Authorization: Bearer <token> (Use of bearer tokens in API requests ensures that only authorized users can access specific endpoints.)
  - Origin: https://chat.deepseek.com (Ensures requests come from DeepSeek)
- Request Payload: JSON object containing user credentials or session parameters.
- Response Status: 200 OK (successful session creation)
This interaction is fundamental, as it establishes a session context for subsequent user activities on the platform.
Query Execution
- Method: POST
- Purpose: Processes user queries and returns AI-generated responses.
- Request Headers:
  - Content-Type: application/json
  - Sec-Fetch-Mode: cors (Ensures proper cross-origin security)
  - Authorization: Bearer <token> (Use of bearer tokens in API requests ensures that only authorized users can access specific endpoints.)
- Request Payload: JSON object with the user’s query and session details.
- Response Status: 200 OK (successful query processing)
This endpoint is central to DeepSeek’s functionality, enabling dynamic interactions between users and the AI model.
Proof-of-Work Challenge
- Method: POST
- Purpose: Generates a proof-of-work challenge, likely as a measure against automated abuse.
- Request Headers:
  - Content-Type: application/json
- Request Payload: JSON object requesting a new challenge.
- Response Status: 200 OK (challenge successfully created)
Implementing proof-of-work mechanisms helps maintain the integrity and availability of the service by deterring malicious activities.
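The endpoint review above can be scripted against a HAR export. A HAR file stores request headers verbatim, bearer token included, so this added example (not Keysight's tooling) redacts the credential while listing the headers discussed. The endpoint paths and the token are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

WATCHED = ("content-type", "authorization", "origin", "sec-fetch-mode")

def _post(path, headers, method="POST"):
    """Build one HAR entry; headers use HAR's [{"name":..., "value":...}] form."""
    return {"request": {"method": method,
                        "url": "https://chat.deepseek.com" + path,
                        "headers": [{"name": n, "value": v} for n, v in headers.items()]},
            "response": {"status": 200}}

# Constructed sample: placeholder paths and a made-up token, headers as listed above.
TOKEN = "constructed-token-0001"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _post("/placeholder/session", {"Content-Type": "application/json",
                                   "Authorization": "Bearer " + TOKEN,
                                   "Origin": "https://chat.deepseek.com"}),
    _post("/placeholder/query", {"Content-Type": "application/json",
                                 "Sec-Fetch-Mode": "cors",
                                 "Authorization": "Bearer " + TOKEN}),
    _post("/placeholder/pow-challenge", {"Content-Type": "application/json"}),
    _post("/", {"Accept": "text/html"}, method="GET"),
]}})

def audit_posts(har_text, host="chat.deepseek.com"):
    """List POST requests to `host` with the watched headers, credentials redacted."""
    rows = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, url = entry["request"], urlsplit(entry["request"]["url"])
        if req["method"].upper() != "POST" or url.hostname != host:
            continue
        # Header names are case-insensitive, so normalise before lookup.
        sent = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        row = {"path": url.path, "status": entry["response"]["status"]}
        for name in WATCHED:
            value = sent.get(name)
            if name == "authorization" and value:
                value = value.split(" ", 1)[0] + " <redacted>"  # keep scheme only
            row[name] = value
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in audit_posts(SAMPLE_HAR):
        print(row)
```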
DeepSeek Traffic Simulation in Keysight ATI
At Keysight Technologies Application and Threat Intelligence (ATI), we always try to deliver the latest trending applications, so we have published the network traffic of the DeepSeek application and released simulation strategies in the ATI-2025-02 StrikePack release.
We have also published another version of DeepSeek in the ATI-2025-03 StrikePack, which simulates the HAR collected from the DeepSeek web application as of February 2025, including different user actions such as performing text-based queries, uploading multimedia files, refining search results, and managing saved searches. All the HTTP transactions are replayed in HTTP/2 over TLS 1.3.
The DeepSeek application and its 5 new Superflows are shown below:
Leverage Subscription Service to Stay Ahead of Attacks
Keysight’s Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.