Portcullis: Protecting connection setup from denial-of-capability attacks

Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih Chun Hu

Research output: Contribution to journal › Article

Abstract

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.
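The abstract states Portcullis's core idea only at a high level: when the link bandwidth reserved for capability-setup packets is oversubscribed, routers allocate it by per-computation fairness, so a sender's share depends on the computation it has spent rather than on how many packets it can emit. What follows is an added illustration of that idea, not code from the paper or from its authors. It assumes a hash-based puzzle (a packet's level is the number of leading zero bits in SHA-256(payload || nonce)), a router that admits the highest-level setup packets first when the link is full, and a legitimate client that raises its puzzle level until it is admitted; the paper's actual puzzle construction, packet format and parameters are not given on this page, and the names `SetupPacket`, `solve_puzzle`, `fair_schedule` and `flood_scenario` are the example's own. The constructed `flood_scenario` contrasts FIFO admission, where an attacker flooding 50 cheap requests crowds out the single legitimate request that arrives last (the denial-of-capability attack), with per-computation-fair admission, where the legitimate sender gets through as soon as its per-packet computation exceeds what the attacker spent on its tenth-best packet.

```python
"""Illustrative model of per-computation fairness for capability-setup packets.

Added example, not code from the Portcullis paper. The hash puzzle, the packet
format and the scheduler are assumptions chosen to make the abstract's idea
concrete.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

MAX_LEVEL = 20  # cap on client escalation so the example always terminates quickly


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest: the 'level' a solution proves."""
    bits = 0
    for b in digest:
        if b:
            return bits + 8 - b.bit_length()
        bits += 8
    return bits


@dataclass(frozen=True)
class SetupPacket:
    """A capability-request packet carrying a proof-of-work nonce (assumed format)."""
    payload: bytes
    nonce: bytes
    sender: str

    def level(self) -> int:
        """Router-side verification costs one hash per packet."""
        return leading_zero_bits(hashlib.sha256(self.payload + self.nonce).digest())


def solve_puzzle(payload: bytes, target_level: int) -> tuple[bytes, int]:
    """Sender-side work: find a nonce giving >= target_level leading zero bits.

    Returns (nonce, hashes_computed). Expected work doubles per level, which is
    what lets a packet's level stand in for the computation spent on it.
    Counter nonces keep the run reproducible.
    """
    tries = 0
    while True:
        nonce = tries.to_bytes(8, "big")
        tries += 1
        if leading_zero_bits(hashlib.sha256(payload + nonce).digest()) >= target_level:
            return nonce, tries


def fifo_schedule(packets: list[SetupPacket], capacity: int) -> list[SetupPacket]:
    """Baseline: an oversubscribed link admits setup packets in arrival order,
    so whoever emits the most packets wins (the denial-of-capability attack)."""
    return packets[:capacity]


def fair_schedule(packets: list[SetupPacket], capacity: int) -> list[SetupPacket]:
    """Per-computation fairness: admit the `capacity` packets with the highest
    puzzle level; ties fall back to arrival order. Sending more packets does
    not help an attacker unless it also spends more computation on each one."""
    ranked = sorted(enumerate(packets), key=lambda ip: (-ip[1].level(), ip[0]))
    return [p for _, p in ranked[:capacity]]


def flood_scenario(attacker_packets: int, attacker_level: int, capacity: int) -> dict:
    """Constructed scenario: an attacker floods `attacker_packets` requests, each
    solved to `attacker_level`; one legitimate sender arrives last and, under
    fair scheduling, raises its level until its request is admitted."""
    flood, attacker_work = [], 0
    for i in range(attacker_packets):
        payload = b"attacker-request-%d" % i
        nonce, work = solve_puzzle(payload, attacker_level)
        attacker_work += work
        flood.append(SetupPacket(payload, nonce, "attacker"))

    def outcome(admitted: list[SetupPacket]) -> dict:
        return {
            "legit_admitted": any(p.sender == "legit" for p in admitted),
            "attacker_admitted": sum(p.sender == "attacker" for p in admitted),
        }

    legit_payload = b"legitimate-request"
    # Baseline: arriving last with no puzzle work, the legitimate request is dropped.
    fifo = outcome(fifo_schedule(flood + [SetupPacket(legit_payload, b"", "legit")], capacity))

    # Fair scheduling: escalate level 0, 1, 2, ... until admitted. Summed work
    # stays within about a factor of two of the final level's cost.
    fair, legit_work = {"legit_admitted": False, "attacker_admitted": capacity}, 0
    for level in range(MAX_LEVEL + 1):
        nonce, work = solve_puzzle(legit_payload, level)
        legit_work += work
        fair = outcome(fair_schedule(flood + [SetupPacket(legit_payload, nonce, "legit")], capacity))
        if fair["legit_admitted"]:
            fair.update(legit_level=level, legit_work=legit_work)
            break
    return {"fifo": fifo, "fair": fair, "attacker_work": attacker_work}


if __name__ == "__main__":
    print(flood_scenario(attacker_packets=50, attacker_level=4, capacity=10))
```

Running the module reports the outcome for 50 attacker packets at level 4 against a link with room for 10 setup packets: the legitimate request is dropped under FIFO and admitted under fair scheduling at a level just above that of the attacker's tenth-best packet, with total work within roughly a factor of two of that final level's cost. The attacker can raise that bar only by spending more computation on every packet it wants ranked, which is the per-computation fairness property the abstract refers to; the router's own cost stays at one hash per packet.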

Original language: English (US)
Pages (from-to): 289-300
Number of pages: 12
Journal: Computer Communication Review
Volume: 37
Issue number: 4
DOIs: 10.1145/1282427.1282413
State: Published - Oct 1 2007

Fingerprint

  • Telecommunication links
  • Topology
  • Bandwidth
  • Denial-of-service attack

Keywords

  • Network capability
  • Per-computation fairness

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Portcullis : Protecting connection setup from denial-of-capability attacks. / Parno, Bryan; Wendlandt, Dan; Shi, Elaine; Perrig, Adrian; Maggs, Bruce; Hu, Yih Chun.

In: Computer Communication Review, Vol. 37, No. 4, 01.10.2007, p. 289-300.

Research output: Contribution to journal › Article

Parno, Bryan ; Wendlandt, Dan ; Shi, Elaine ; Perrig, Adrian ; Maggs, Bruce ; Hu, Yih Chun. / Portcullis : Protecting connection setup from denial-of-capability attacks. In: Computer Communication Review. 2007 ; Vol. 37, No. 4. pp. 289-300.
@article{67af46152e8b49eeb75fdf62f38ea788,
title = "Portcullis: Protecting connection setup from denial-of-capability attacks",
abstract = "Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.",
keywords = "Network capability, Per-computation fairness",
author = "Bryan Parno and Dan Wendlandt and Elaine Shi and Adrian Perrig and Bruce Maggs and Hu, {Yih Chun}",
year = "2007",
month = "10",
day = "1",
doi = "10.1145/1282427.1282413",
language = "English (US)",
volume = "37",
pages = "289--300",
journal = "Computer Communication Review",
issn = "0146-4833",
publisher = "Association for Computing Machinery (ACM)",
number = "4",

}

TY - JOUR

T1 - Portcullis

T2 - Protecting connection setup from denial-of-capability attacks

AU - Parno, Bryan

AU - Wendlandt, Dan

AU - Shi, Elaine

AU - Perrig, Adrian

AU - Maggs, Bruce

AU - Hu, Yih Chun

PY - 2007/10/1

Y1 - 2007/10/1

N2 - Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

AB - Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

KW - Network capability

KW - Per-computation fairness

UR - http://www.scopus.com/inward/record.url?scp=84876255635&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84876255635&partnerID=8YFLogxK

U2 - 10.1145/1282427.1282413

DO - 10.1145/1282427.1282413

M3 - Article

AN - SCOPUS:84876255635

VL - 37

SP - 289

EP - 300

JO - Computer Communication Review

JF - Computer Communication Review

SN - 0146-4833

IS - 4

ER -