Portcullis: Protecting connection setup from denial-of-capability attacks

Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih Chun Hu

Research output: Contribution to journalArticlepeer-review

Abstract

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internetscale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

Original languageEnglish (US)
Pages (from-to)289-300
Number of pages12
JournalComputer Communication Review
Volume37
Issue number4
DOIs
StatePublished - Oct 2007

Keywords

  • Network capability
  • Per-computation fairness

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Portcullis: Protecting connection setup from denial-of-capability attacks'. Together they form a unique fingerprint.

Cite this