Portcullis: Protecting connection setup from denial-of-capability attacks

Published

Journal Article

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internetscale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness. Copyright 2007 ACM.

Full Text

Duke Authors

Cited Authors

  • Parno, B; Wendlandt, D; Shi, E; Perrig, A; Maggs, B; Hu, YC

Published Date

  • October 1, 2007

Published In

Volume / Issue

  • 37 / 4

Start / End Page

  • 289 - 300

Electronic International Standard Serial Number (EISSN)

  • 1943-5819

International Standard Serial Number (ISSN)

  • 0146-4833

Digital Object Identifier (DOI)

  • 10.1145/1282427.1282413

Citation Source

  • Scopus