Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
Adrian Perrig

Citation
Adrian Perrig. "Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks". Talk or presentation, 11, October, 2007.

Abstract
Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems.

Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.

Electronic downloads
Confidential. This publication has been marked by the author for Trust-only distribution, so electronic downloads are not available without logging in.

Citation formats  

  • HTML
    Adrian Perrig. <a
    href="http://www.truststc.org/pubs/304.html"><i>Portcullis:
    Protecting Connection Setup from Denial-of-Capability
    Attacks</i></a>, Talk or presentation,  11,
    October, 2007.
  • Plain text
    Adrian Perrig. "Portcullis: Protecting Connection Setup
    from Denial-of-Capability Attacks". Talk or presentation, 
    11, October, 2007.
  • BibTeX
    @presentation{Perrig07_PortcullisProtectingConnectionSetupFromDenialofCapability,
        author = {Adrian Perrig},
        title = {Portcullis: Protecting Connection Setup
                  from Denial-of-Capability Attacks},
        day = {11},
        month = {October},
        year = {2007},
        abstract = {Systems using capabilities to provide preferential
                  service to selected flows have been proposed as a
                  defense against large-scale network
                  denial-of-service attacks. While these systems
                  offer strong protection for established network
                  flows, the Denial-of-Capability (DoC) attack,
                  which prevents new capability-setup packets from
                  reaching the destination, limits the value of
                  these systems. Portcullis mitigates DoC attacks
                  by allocating scarce link bandwidth for connection
                  establishment packets based on per-computation
                  fairness. We prove that a legitimate sender can
                  establish a capability with high probability
                  regardless of an attacker's resources or strategy
                  and that no system can improve on our guarantee.
                  We simulate full and partial deployments of
                  Portcullis on an Internet-scale topology to
                  confirm our theoretical results and demonstrate
                  the substantial benefits of using per-computation
                  fairness.},
        URL = {http://www.truststc.org/pubs/304.html}
    }
    

Posted by Larry Rohrbough on 16 Oct 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.

© 2005-2008 Trust