Portcullis: Protecting connection setup from denial-of-capability attacks

Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih Chun Hu

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

Original languageEnglish (US)
Title of host publicationACM SIGCOMM 2007
Subtitle of host publicationConference on Computer Communications
Number of pages12
StatePublished - 2007
Externally publishedYes
EventACM SIGCOMM 2007: Conference on Computer Communications - Kyoto, Japan
Duration: Aug 27 2007Aug 30 2007

Publication series

NameACM SIGCOMM 2007: Conference on Computer Communications


OtherACM SIGCOMM 2007: Conference on Computer Communications


  • Network capability
  • Per-computation fairness

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software

Fingerprint Dive into the research topics of 'Portcullis: Protecting connection setup from denial-of-capability attacks'. Together they form a unique fingerprint.

Cite this