Team for Research in
Ubiquitous Secure Technology

Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
Adrian Perrig

Citation
Adrian Perrig. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Talk or presentation, 11, October, 2007.

Abstract
Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems.rnrnPortcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

Electronic downloads


Internal. This publication has been marked by the author for TRUST-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML 
    Adrian Perrig. <a
href="http://www.truststc.org/pubs/304.html"
><i>Portcullis: Protecting Connection Setup
fromDenial-of-Capability Attacks</i></a>, Talk
or presentation,  11, October, 2007.
  • Plain text 
    Adrian Perrig. "Portcullis: Protecting Connection Setup
fromDenial-of-Capability Attacks". Talk or
presentation,  11, October, 2007.
  • BibTeX 
    @presentation{Perrig07_PortcullisProtectingConnectionSetupFromDenialofCapability,
    author = {Adrian Perrig},
    title = {Portcullis: Protecting Connection Setup
              fromDenial-of-Capability Attacks},
    day = {11},
    month = {October},
    year = {2007},
    abstract = {Systems using capabilities to provide preferential
              service to selected flows have been proposed as a
              defense against large-scale network
              denial-of-service attacks. While these systems
              offer strong protection for established network
              flows, the Denial-of-Capability (DoC) attack,
              which prevents new capability-setup packets from
              reaching the destination, limits the value of
              these systems.rnrnPortcullis mitigates DoC attacks
              by allocating scarce link bandwidth for connection
              establishment packets based on per-computation
              fairness. We prove that a legitimate sender can
              establish a capability with high probability
              regardless of an attacker's resources or strategy
              and that no system can improve on our guarantee.
              We simulate full and partial deployments of
              Portcullis on an Internet-scale topology to
              confirm our theoretical results and demonstrate
              the substantial benefits of using per-computation
              fairness.},
    URL = {http://www.truststc.org/pubs/304.html}
}

Posted by Larry Rohrbough on 16 Oct 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.