Portcullis: Protecting Connection Setup From Denial-of-Capability Attacks
Source: Association for Computing Machinery
Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. The authors prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on the guarantee.
Date: Aug 2007



