Scholars@Duke publication: Portcullis: Protecting connection setup from denial-of-capability attacks

Portcullis: Protecting connection setup from denial-of-capability attacks

Publication , Journal Article

Parno, B; Wendlandt, D; Shi, E; Perrig, A; Maggs, B; Hu, YC

Published in: ACM SIGCOMM 2007: Conference on Computer Communications

December 17, 2007

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness. Copyright 2007 ACM.

Duke Scholars

Author Bruce Maggs Computer Science

Published In

ACM SIGCOMM 2007: Conference on Computer Communications

DOI

10.1145/1282380.1282413

Publication Date

December 17, 2007

Start / End Page

289 / 300

Related Subject Headings

Networking & Telecommunications
4606 Distributed computing and systems software
4006 Communications engineering
1005 Communications Technologies
0805 Distributed Computing
0803 Computer Software

Citation

APA

Chicago

ICMJE

MLA

NLM

Parno, B., Wendlandt, D., Shi, E., Perrig, A., Maggs, B., & Hu, Y. C. (2007). Portcullis: Protecting connection setup from denial-of-capability attacks. ACM SIGCOMM 2007: Conference on Computer Communications, 289–300. https://doi.org/10.1145/1282380.1282413

Parno, B., D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y. C. Hu. “Portcullis: Protecting connection setup from denial-of-capability attacks.” ACM SIGCOMM 2007: Conference on Computer Communications, December 17, 2007, 289–300. https://doi.org/10.1145/1282380.1282413.

Parno B, Wendlandt D, Shi E, Perrig A, Maggs B, Hu YC. Portcullis: Protecting connection setup from denial-of-capability attacks. ACM SIGCOMM 2007: Conference on Computer Communications. 2007 Dec 17;289–300.

Parno, B., et al. “Portcullis: Protecting connection setup from denial-of-capability attacks.” ACM SIGCOMM 2007: Conference on Computer Communications, Dec. 2007, pp. 289–300. Scopus, doi:10.1145/1282380.1282413.

Published In

ACM SIGCOMM 2007: Conference on Computer Communications

DOI

10.1145/1282380.1282413

Publication Date

December 17, 2007

Start / End Page

289 / 300

Related Subject Headings

Networking & Telecommunications
4606 Distributed computing and systems software
4006 Communications engineering
1005 Communications Technologies
0805 Distributed Computing
0803 Computer Software