Proceedings of the 4th annual conference on Information security curriculum development
Network firewalls have played a crucial role in reducing unwanted traffic by blocking unsolicited incoming data. However, in many new environments (such as peer-to-peer networks and certain new scenarios where wireless terminals act as servers), not all unsolicited data can be blocked. In wireline networks, this problem can be partially solved by opening dedicated pinholes in the network firewalls to allow unsolicited packets to pass. In cellular and wireless networks, however, opening dedicated pinholes can lead to new forms of denial of service (DoS) attacks that are not seen in wireline networks. For example, an attacker can send undesired data through the pinhole and consume the costly radio resources for which the mobile user will have to pay. By flooding the victim with undesired traffic, the attacker can also drain the battery power of the mobile device. Therefore, in these cases, firewalls can neither simply block all unsolicited traffic nor simply open dedicated pinholes. In this paper, we describe a mechanism by which a firewall can allow unsolicited TCP traffic to reach a mobile device and yet protect the mobile from the DoS attacks described above. Our approach is transparent to the end hosts and does not require any modification to TCP. Finally, this scheme requires only minimal changes to existing firewalls.