A punching scheme for crossing NAT in end hopping

End hopping is one of the good methods to defend against network attack, but has problems with network address translation (NAT) because packets sent from an unknown endpoint would be dropped by NAT. To avoid the dropping of packets, we propose a punching scheme: a client sends a punching packet to create mapping rules in NAT, so that the packets from the server would be able to pass through effectively with such rules. In this paper, some preliminaries and definitions are provided for building the model of end hopping. Then we discuss the main reason of such packet dropping and specify all the failure situations based on the model. What??s more, we analyze how the punching scheme helps end hopping cross NAT. Finally, we validate the feasibility of this scheme with empirical results: if the client is behind a NAT and with punching scheme, the service rate increases to 100%. Therefore, our proposed scheme can greatly improve the performance of crossing NAT in end hopping with little security and computational overhead.