Content-centric networking (CCN) is one of the candidates being spotlighted as a technology of the future Internet to solve the problems of the current Internet. Since DoS/DDoS attacks are the most serious threat to the current Internet, this letter introduces the possibility of DoS/DDoS attacks on CCN for the first time. We introduce an attack method using fake-request packets, propose countermeasures in order to detect and/or react to CCN DoS/DDoS attacks, and then analyze the results of our proposal.
Masao TANABE Hirofumi AKAIKE Masaki AIDA Masayuki MURATA Makoto IMASE
As a result of the rapid development of the Internet in recent years, network security has become an urgent issue. Distributed denial of service (DDoS) attacks are one of the most serious security issues. In particular, 60 percent of the DDoS attacks found on the Internet are TCP attacks, including SYN flood attacks. In this paper, we propose adaptive timer-based countermeasures against SYN flood attacks. Our proposal utilizes the concept of soft-state protocols that are widely used for resource management on the Internet. In order to avoid deadlock, a server releases resources using a time-out mechanism without any explicit requests from its clients. If we change the value of the timer in accordance with the network conditions, we can add more flexibility to the soft-state protocols. The timer is used to manage the resources assigned to half-open connections in a TCP 3-way handshake mechanism, and its value is determined adaptively according to the network conditions. In addition, we report our simulation results to show the effectiveness of our approach.
Denial of service (DoS) attacks have become one of the most serious threats to the Internet. Enabling detection of attacks in network traffic is an important and challenging task. However, most existing volume-based schemes cannot detect short-term attacks that have a minor effect on traffic volume. On the other hand, feature-based schemes are not suitable for real-time detection because of their complicated calculations. In this paper, we develop an IP packet size entropy (IPSE)-based DoS/DDoS detection scheme in which the entropy is markedly changed when traffic is affected by an attack. Through our analysis, we find that the IPSE-based scheme is capable of detecting not only long-term attacks but also short-term attacks that are beyond the volume-based schemes' ability to detect. Moreover, we test our proposal using two typical Internet traffic data sets from DARPA and SINET, and the test results show that the IPSE-based detection scheme can provide detection of DoS/DDoS attacks not only in a local area network (DARPA) but also in an academic backbone network (SINET).
Junghyun NAM Seungjoo KIM Sangjoon PARK Dongho WON
A remote user authentication scheme is a two-party protocol whereby an authentication server in a distributed system confirms the identity of a remote individual logging on to the server over an untrusted, open network. Recently, Lee et al. have proposed an efficient nonce-based scheme for remote user authentication using smart cards. This work reviews Lee et al.'s authentication scheme and provides a security analysis on the scheme. Our analysis shows that Lee et al.'s scheme does not achieve its basic aim of authenticating remote users and furthermore has a very hazardous method for changing passwords. In addition, we recommend some changes to the scheme so that it can attain at least its main security goal.
Soonjwa HONG Seung Hyong RHEE Jae-Cheol RYOU
We investigate the effects of DoS (Denial of Service) attacks in wireless ad hoc networks using simulations, concentrating on the problem of energy availability. Our results show that the damage due to a DoS attack may be quite different from that in wired networks: First, the nodes along the transmission route mostly suffer damage rather than the victim node itself. Second, if the mobile nodes are crowded and close together, the damage becomes more severe. Lastly, if the nodes have random mobility, the attacker itself consumes more energy.
Hiroaki HAZEYAMA Masafumi OE Youki KADOBAYASHI
Hash-based IP traceback is a technique to generate audit trails for traffic within a network. Using the audit trails, it reconstructs not only the true attack paths of a Distributed Denial of Service attack (DDoS attack), but also the true path of a single packet attack. However, hash-based IP traceback cannot identify attacker nodes themselves because it has no audit trail on the subnet's layer-2 network under the detected leaf router, which is the nearest node to an attacker node on a layer-3 network. We propose a layer-2 extension to hash-based IP traceback, which stores two identifiers with packets' audit trails while reducing the memory requirement for storing identifiers. One of these identifiers shows the leaf router's interface through which an attacking packet came, and the other represents the ingress port on a layer-2 switch through which the attacking packet came. We implement a prototype on FreeBSD and evaluate it in a preliminary experiment.
Wei-Chi KU Chien-Ming CHEN Hui-Lung LEE
Recently, Hwang and Yeh demonstrated that Peyravian-Zunic's password authentication scheme is vulnerable to several attacks, and then proposed a modified version. In this letter, we show that Hwang-Yeh's scheme still has several weaknesses and drawbacks.