Protecting mobile devices from TCP flooding attacks

  • Authors: Yogesh Prem Swami; Hannes Tschofenig
  • Affiliations: Nokia Research Center, Palo Alto, California; Siemens Corporate Technology, Munich Bavaria, Germany
  • Venue: Proceedings of first ACM/IEEE international workshop on Mobility in the evolving internet architecture
  • Year: 2006

Abstract

Network firewalls have played a crucial role in reducing unwanted traffic by blocking unsolicited incoming data. However, for many new environments (such as in peer-to-peer networks and certain new scenarios where wireless terminals act as servers), not all unsolicited data can be blocked. In wireline networks, this problem can partially be solved by opening dedicated pinholes in the network firewalls to allow unsolicited packets to pass. In cellular and wireless networks, however, opening dedicated pinholes can lead to new forms of denial of service (DoS) attacks that are not seen in wireline networks. For example, an attacker can send undesired data through the pinhole and consume the costly radio resources for which the mobile user will have to pay. By flooding the victim with undesired traffic, the attacker can also drain the battery power of the mobile device. Therefore, in these cases, firewalls can neither simply block all unsolicited traffic nor simply open dedicated pinholes. In this paper, we describe a mechanism by which a firewall can allow unsolicited TCP traffic to reach a mobile device and yet protect the mobile from the DoS attacks described above. Our approach is transparent to the end hosts and does not require any modification to TCP. Finally, this scheme requires very minimal changes to existing firewalls.