
Protecting mobile devices from TCP flooding attacks


Abstract

Network firewalls have played a crucial role in reducing unwanted traffic by blocking unsolicited incoming data. However, for many new environments (such as peer-to-peer networks and certain new scenarios where wireless terminals act as servers), not all unsolicited data can be blocked. In wireline networks, this problem can be partially solved by opening dedicated pinholes in the network firewalls to allow unsolicited packets to pass. In cellular and wireless networks, however, opening dedicated pinholes can lead to new forms of denial of service (DoS) attacks that are not seen in wireline networks. For example, an attacker can send undesired data through the pinhole and consume the costly radio resources for which the mobile user will have to pay. By flooding the victim with undesired traffic, the attacker can also drain the battery power of the mobile device. Therefore, in these cases, firewalls can neither simply block all unsolicited traffic nor simply open dedicated pinholes. In this paper, we describe a mechanism by which a firewall can allow unsolicited TCP traffic to reach a mobile device and yet protect the mobile from the DoS attacks described above. Our approach is transparent to the end hosts and does not require any modification to TCP. Finally, this scheme requires only minimal changes to existing firewalls.