Team for Research in Ubiquitous Secure Technology (TRUST)

Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
Adrian Perrig

Citation
Adrian Perrig. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Talk or presentation, 11 October 2007.

Abstract
Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems.

Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

Electronic downloads
Internal. This publication has been marked by the author for TRUST-only distribution, so electronic downloads are not available without logging in.
Citation formats
  • HTML
    Adrian Perrig. <a href="http://www.truststc.org/pubs/304.html"><i>Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks</i></a>, Talk or presentation, 11 October 2007.
  • Plain text
    Adrian Perrig. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Talk or presentation, 11 October 2007.
  • BibTeX
    @presentation{Perrig07_PortcullisProtectingConnectionSetupFromDenialofCapability,
        author = {Adrian Perrig},
        title = {Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks},
        day = {11},
        month = {October},
        year = {2007},
        abstract = {Systems using capabilities to provide preferential
                  service to selected flows have been proposed as a
                  defense against large-scale network
                  denial-of-service attacks. While these systems
                  offer strong protection for established network
                  flows, the Denial-of-Capability (DoC) attack,
                  which prevents new capability-setup packets from
                  reaching the destination, limits the value of
                  these systems.

                  Portcullis mitigates DoC attacks
                  by allocating scarce link bandwidth for connection
                  establishment packets based on per-computation
                  fairness. We prove that a legitimate sender can
                  establish a capability with high probability
                  regardless of an attacker's resources or strategy
                  and that no system can improve on our guarantee.
                  We simulate full and partial deployments of
                  Portcullis on an Internet-scale topology to
                  confirm our theoretical results and demonstrate
                  the substantial benefits of using per-computation
                  fairness.},
        URL = {http://www.truststc.org/pubs/304.html}
    }

Posted by Larry Rohrbough on 16 Oct 2007.