Portcullis: Protecting connection setup from denial-of-capability attacks


Journal Article

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness. Copyright 2007 ACM.

Full Text

Duke Authors

Cited Authors

  • Parno, B; Wendlandt, D; Shi, E; Perrig, A; Maggs, B; Hu, YC

Published Date

  • December 17, 2007

Published In

  • Acm Sigcomm 2007: Conference on Computer Communications

Start / End Page

  • 289 - 300

Digital Object Identifier (DOI)

  • 10.1145/1282380.1282413

Citation Source

  • Scopus