Portcullis: protecting connection setup from denial-of-capability attacks

Authors:
Bryan Parno;Dan Wendlandt;Elaine Shi;Adrian Perrig;Bruce Maggs;Yih-Chun Hu
Affiliations:
Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University & Akamai Technologies, Pittsburgh, PA;University of Illinois at Urbana-Champaign, Urbana, IL
Venue:
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Year:
2007

Citing 13
Cited 35

DNS performance and the effectiveness of caching

IEEE/ACM Transactions on Networking (TON)
Pricing via Processing or Combatting Junk Mail

CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Defending Against Denial-of-Service Attacks with Puzzle Auctions

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Pi: A Path Identification Mechanism to Defend against DDoS Attacks

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Taming IP packet flooding attacks

ACM SIGCOMM Computer Communication Review
Availability, usage, and deployment characteristics of the domain name system

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
New client puzzle outsourcing techniques for DoS resistance

Proceedings of the 11th ACM conference on Computer and communications security
Mitigating bandwidth-exhaustion attacks using congestion puzzles

Proceedings of the 11th ACM conference on Computer and communications security
A DoS-limiting network architecture

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
DDoS defense by offense

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Using client puzzles to protect TLS

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
ConfiDNS: leveraging scale and history to improve DNS security

WORLDS'06 Proceedings of the 3rd conference on USENIX Workshop on Real, Large Distributed Systems - Volume 3
Guaranteeing access in spite of distributed service-flooding attacks

Proceedings of the 11th international conference on Security Protocols

SNAPP: stateless network-authenticated path pinning

Proceedings of the 2008 ACM symposium on Information, computer and communications security
Phalanx: withstanding multimillion-node botnets

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
To filter or to authorize: network-layer DoS defense against multimillion-node botnets

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Remote profiling of resource constraints of web servers using mini-flash crowds

ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Not-a-Bot: improving service availability in the face of botnet attacks

NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks

Computer Communications
A2M: Access-Assured Mobile Desktop Computing

ISC '09 Proceedings of the 12th International Conference on Information Security
Scalable network-layer defense against internet bandwidth-flooding attacks

IEEE/ACM Transactions on Networking (TON)
TrueIP: prevention of IP spoofing attacks using identity-based cryptography

Proceedings of the 2nd international conference on Security of information and networks
Systems-compatible incentives

GameNets'09 Proceedings of the First ICST international conference on Game Theory for Networks
Proactive surge protection: a defense mechanism for bandwidth-based attacks

IEEE/ACM Transactions on Networking (TON)
DDoS defense by offense

ACM Transactions on Computer Systems (TOCS)
Mitigating denial of capability attacks using sink tree based quota allocation

Proceedings of the 2010 ACM Symposium on Applied Computing
Secure unified cellular ad hoc network routing

GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
The Coremelt attack

ESORICS'09 Proceedings of the 14th European conference on Research in computer security
A novel DDOS attack defending framework with minimized bilateral damages

CCNC'10 Proceedings of the 7th IEEE conference on Consumer communications and networking conference
NetFence: preventing internet denial of service from inside out

Proceedings of the ACM SIGCOMM 2010 conference
Design of a secure packet processor

Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
OverCourt: DDoS mitigation through credit-based traffic segregation and path migration

Computer Communications
Building extensible networks with rule-based forwarding

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Reconstructing hash reversal based proof of work schemes

LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
CluB: a cluster based framework for mitigating distributed denial of service attacks

Proceedings of the 2011 ACM Symposium on Applied Computing
Architecting for innovation

ACM SIGCOMM Computer Communication Review
Efficient defence against misbehaving TCP receiver DoS attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Tor instead of IP

Proceedings of the 10th ACM Workshop on Hot Topics in Networks
Trust extension as a mechanism for secure code execution on commodity computers

Trust extension as a mechanism for secure code execution on commodity computers
Winnowing: Protecting P2P systems against pollution through cooperative index filtering

Journal of Network and Computer Applications
On building inexpensive network capabilities

ACM SIGCOMM Computer Communication Review
Reliable client accounting for P2P-infrastructure hybrids

NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
SybilControl: practical sybil defense with computational puzzles

Proceedings of the seventh ACM workshop on Scalable trusted computing
STRIDE: sanctuary trail -- refuge from internet DDoS entrapment

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Collaborative approach to mitigating ARP poisoning-based Man-in-the-Middle attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking
High-performance capabilities for 1-hop containment of network attacks

IEEE/ACM Transactions on Networking (TON)
Capability-Based Defenses Against DoS Attacks in Multi-path MANET Communications

Wireless Personal Communications: An International Journal
Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internet-scale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.