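@comment{
  SIGCOMM 2007 paper on Denial-of-Capability (DoC) attacks, i.e. flooding the
  capability-setup channel of capability-based DDoS defenses so that legitimate
  flows can never be established. Cleaned from a repository export: values are
  braced, names are in unambiguous Last, First form, month uses the aug macro,
  the page range uses a double hyphen, the proceedings title lives in booktitle
  instead of series, and the exporter's Elsevier copyright boilerplate was
  dropped from note because styles would print it in the reference list.
  The opaque citation key is kept unchanged so existing citations still resolve.
}
@inproceedings{bafb50f633254b7cb39212e98e5ab70c,
  author    = {Parno, Bryan and Wendlandt, Dan and Shi, Elaine and Perrig, Adrian and Maggs, Bruce and Hu, Yih-Chun},
  title     = {{Portcullis}: Protecting Connection Setup from {Denial-of-Capability} Attacks},
  booktitle = {{ACM SIGCOMM} 2007: Conference on Computer Communications},
  publisher = {ACM},
  year      = {2007},
  month     = aug,
  pages     = {289--300},
  doi       = {10.1145/1282380.1282413},
  isbn      = {1595937137},
  keywords  = {Network capability, Per-computation fairness},
  language  = {English (US)},
  note      = {Conference date: 27-08-2007 through 30-08-2007},
  abstract  = {Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.},
}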