Portcullis: Protecting connection setup from denial-of-capability attacks

Publication, Journal Article
Parno, B; Wendlandt, D; Shi, E; Perrig, A; Maggs, B; Hu, YC
Published in: Computer Communication Review
October 1, 2007

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness. Copyright 2007 ACM.

Published In

Computer Communication Review

DOI

EISSN

1943-5819

ISSN

0146-4833

Publication Date

October 1, 2007

Volume

37

Issue

4

Start / End Page

289 / 300

Related Subject Headings

  • Networking & Telecommunications
  • 4606 Distributed computing and systems software
  • 4006 Communications engineering
  • 1005 Communications Technologies
  • 0805 Distributed Computing
  • 0803 Computer Software
 

Citation

APA: Parno, B., Wendlandt, D., Shi, E., Perrig, A., Maggs, B., & Hu, Y. C. (2007). Portcullis: Protecting connection setup from denial-of-capability attacks. Computer Communication Review, 37(4), 289–300. https://doi.org/10.1145/1282427.1282413
Chicago: Parno, B., D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y. C. Hu. “Portcullis: Protecting connection setup from denial-of-capability attacks.” Computer Communication Review 37, no. 4 (October 1, 2007): 289–300. https://doi.org/10.1145/1282427.1282413.
ICMJE: Parno B, Wendlandt D, Shi E, Perrig A, Maggs B, Hu YC. Portcullis: Protecting connection setup from denial-of-capability attacks. Computer Communication Review. 2007 Oct 1;37(4):289–300.
MLA: Parno, B., et al. “Portcullis: Protecting connection setup from denial-of-capability attacks.” Computer Communication Review, vol. 37, no. 4, Oct. 2007, pp. 289–300. Scopus, doi:10.1145/1282427.1282413.
NLM: Parno B, Wendlandt D, Shi E, Perrig A, Maggs B, Hu YC. Portcullis: Protecting connection setup from denial-of-capability attacks. Computer Communication Review. 2007 Oct 1;37(4):289–300.
