Team for Research in
Ubiquitous Secure Technology

Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu

Citation
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Proceedings of ACM SIGCOMM, August, 2007.

Abstract
Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy, and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.
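The following simulation is an added illustration of the per-computation fairness argument in the abstract; it is not code from the paper. It assumes a simplified SHA-256 hash puzzle as the unit of computation (the seed strings, field names, hashing budgets and link capacity are constructed values): a router verifies each setup packet's puzzle with one hash and forwards the packets carrying the most work, so an attacker with a fixed budget can out-rank a legitimate sender only by spreading that budget across fewer packets than the link can carry.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest (the puzzle 'level')."""
    bits = 0
    for b in digest:
        if b:
            return bits + 8 - b.bit_length()
        bits += 8
    return bits


def puzzle_hash(seed: bytes, nonce: int) -> bytes:
    return hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()


def solve_puzzle(seed: bytes, level: int) -> int:
    """Brute-force a nonce whose hash has >= `level` leading zero bits.
    This costs about 2**level hashes, which is the sender's 'computation'."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(seed, nonce)) < level:
        nonce += 1
    return nonce


def verify_puzzle(seed: bytes, nonce: int, level: int) -> bool:
    """Router-side check: a single hash per packet, no brute force."""
    return leading_zero_bits(puzzle_hash(seed, nonce)) >= level


def forward(requests: list, capacity: int) -> list:
    """Per-computation-fair link: drop packets with invalid puzzles, then
    forward the `capacity` packets that prove the most computation."""
    valid = [r for r in requests if verify_puzzle(r["seed"], r["nonce"], r["level"])]
    valid.sort(key=lambda r: r["level"], reverse=True)
    return valid[:capacity]


def make_request(sender: str, seed: bytes, level: int) -> dict:
    return {"sender": sender, "seed": seed, "level": level, "nonce": solve_puzzle(seed, level)}


def legit_admitted(legit_level: int, attacker_level: int, attacker_budget: int, capacity: int) -> bool:
    """Does one legitimate setup packet survive a flood from an attacker whose
    total hashing budget is `attacker_budget`? The attacker spends the whole
    budget on puzzles of `attacker_level` (about 2**attacker_level hashes each),
    so the flood size is budget // 2**level: higher level means fewer packets."""
    flood = attacker_budget // (1 << attacker_level)
    requests = [make_request("legit", b"constructed-seed-legit", legit_level)]
    for i in range(flood):
        requests.append(make_request("attacker", b"constructed-seed-atk-%d" % i, attacker_level))
    return any(r["sender"] == "legit" for r in forward(requests, capacity))
```

With a link that forwards 8 setup packets per round and an attacker budget of 1024 hashes, a legitimate sender at level 8 (about 256 hashes) is admitted whatever level the attacker picks, because the attacker can afford at most 4 packets at level 8 or above; the same sender at level 2 is crowded out by 64 attacker packets at level 4.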

Electronic downloads

Citation formats  
  • HTML
    Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu. <a href="http://www.truststc.org/pubs/287.html">Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks</a>, Proceedings of ACM SIGCOMM, August, 2007.
  • Plain text
    Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Proceedings of ACM SIGCOMM, August, 2007.
  • BibTeX
    @inproceedings{ParnoWendlandtShiPerrigMaggsHu07_PortcullisProtectingConnectionSetupFromDenialofCapability,
        author = {Bryan Parno and Dan Wendlandt and Elaine Shi and
                  Adrian Perrig and Bruce Maggs and Yih-Chun Hu},
        title = {Portcullis: Protecting Connection Setup from
                  Denial-of-Capability Attacks},
        booktitle = {Proceedings of ACM SIGCOMM},
        month = {August},
        year = {2007},
        abstract = {Systems using capabilities to provide preferential
                  service to selected flows have been proposed as a
                  defense against large-scale network
                  denial-of-service attacks. While these systems
                  offer strong protection for established network
                  flows, the Denial-of-Capability (DoC) attack,
                  which prevents new capability-setup packets from
                  reaching the destination, limits the value of
                  these systems. Portcullis mitigates DoC attacks by
                  allocating scarce link bandwidth for connection
                  establishment packets based on per-computation
                  fairness. We prove that a legitimate sender can
                  establish a capability with high probability
                  regardless of an attacker’s resources or
                  strategy and that no system can improve on our
                  guarantee. We simulate full and partial
                  deployments of Portcullis on an Internet-scale
                  topology to confirm our theoretical results and
                  demonstrate the substantial benefits of using
                  per-computation fairness.},
        URL = {http://www.truststc.org/pubs/287.html}
    }

Posted by Adrian Perrig on 10 Sep 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.