Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu
Citation
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Proceedings of ACM SIGCOMM, August, 2007.
Abstract
Systems using capabilities to provide preferential service to selected
flows have been proposed as a defense against large-scale
network denial-of-service attacks. While these systems offer strong
protection for established network flows, the Denial-of-Capability
(DoC) attack, which prevents new capability-setup packets from
reaching the destination, limits the value of these systems.
Portcullis mitigates DoC attacks by allocating scarce link bandwidth
for connection establishment packets based on per-computation
fairness. We prove that a legitimate sender can establish a capability
with high probability regardless of an attacker’s resources or
strategy and that no system can improve on our guarantee. We
simulate full and partial deployments of Portcullis on an Internetscale
topology to confirm our theoretical results and demonstrate
the substantial benefits of using per-computation fairness.
Electronic downloads
| Citation formats |
- HTML
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu. <a href="http://www.truststc.org/pubs/287.html" >Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks</a>, Proceedings of ACM SIGCOMM, August, 2007.
- Plain text
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Proceedings of ACM SIGCOMM, August, 2007.
- BibTeX
@inproceedings{ParnoWendlandtShiPerrigMaggsHu07_PortcullisProtectingConnectionSetupFromDenialofCapability, author = {Bryan Parno and Dan Wendlandt and Elaine Shi and Adrian Perrig and Bruce Maggs and Yih-Chun Hu}, title = {Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks}, booktitle = {Proceedings of ACM SIGCOMM}, month = {August}, year = {2007}, abstract = {Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker’s resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internetscale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.}, URL = {http://www.truststc.org/pubs/287.html} }
Posted by Adrian Perrig on 10 Sep 2007.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.