I think we need to seperate the two issues, one being the volume of messages sent as a part of a DOS attack and the second being bogus messages from a device.
For your clients and depending on how technical you want to get, you can tell them that only registered devices, usually based on the IMEI, will be allowed to post messages into the application. So if an external party is simply sending messages to the server they would also need to know the ID of the device for the message to be processed.
However you would need to have other monitoring in place to alert for increased incomming traffic generated by a DOS attack. The firewall that you are using should be able to do this. Wialon is behind that device so it is not in my opinion a Wialon function. You would then have standard proceeders in place on how the data centre staff would react to this alert.
Mobile Visible Secure
Specialists in data acquisition and analysis for mobile and fixed assets. Integration in to content management systems is a specialty we have.