iLOC: An invisible LOCalization Attack to Internet Threat Monitoring Systems

In this paper, we study a new class of attacks, the invisible LOCalization (iLOC) attack, which can accurately and invisibly localize monitors of Internet threat monitoring (ITM) systems, a class of widely deployed facilities to characterize Internet threats, such as worm propagation, denial-of-service (DoS) attacks. In the iLOC attack, the attacker launches low-rate port-scan traffic, encoded with a selected pseudo-noise code (PN- code), to targeted networks. While the secret PN-code is invisible to others, the attacker can accurately determine the existence of monitors in the targeted networks based on whether the PN-code is embedded in the report data queried from the data center of the ITM system. We conduct extensive simulations on the iLOC attack using real-world traces. Our data demonstrate that the iLOC attack can accurately identify monitors while remaining invisible to the ITM. Finally, we present a set of guidelines to counteract the iLOC attack.