Issue No. 11 - November (2009 vol. 20)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TPDS.2008.255
Wei Zhao , University of Macau, Macau
Xun Wang , Cisco Systems Inc., San Jose
Xinwen Fu , University of Massachusetts Lowell, Lowell
Dong Xuan , Ohio State University, Columbus
Wei Yu , Towson University, Towson
Internet threat monitoring (ITM) systems have been deployed to detect widespread attacks on the Internet in recent years. However, the effectiveness of ITM systems critically depends on the confidentiality of the location of their monitors. If adversaries learn the monitor locations of an ITM system, they can bypass the monitors and focus on the uncovered IP address space without being detected. In this paper, we study a new class of attacks, the invisible LOCalization (iLOC) attack. The iLOC attack can accurately and invisibly localize monitors of ITM systems. In the iLOC attack, the attacker launches low-rate port-scan traffic, encoded with a selected pseudonoise code (PN-code), to targeted networks. While the secret PN-code is invisible to others, the attacker can accurately determine the existence of monitors in the targeted networks based on whether the PN-code is embedded in the report data queried from the data center of the ITM system. We formally analyze the impact of various parameters on attack effectiveness. We implement the iLOC attack and conduct the performance evaluation on a real-world ITM system to demonstrate the possibility of such attacks. We also conduct extensive simulations on the iLOC attack using real-world traces. Our data show that the iLOC attack can accurately identify monitors while being invisible to ITM systems. Finally, we present a set of guidelines to counteract the iLOC attack.
Internet threat monitoring systems, invisible localization attack, PN-code, security.
Wei Zhao, Xun Wang, Xinwen Fu, Dong Xuan, Wei Yu, "An Invisible Localization Attack to Internet Threat Monitors", IEEE Transactions on Parallel & Distributed Systems, vol. 20, no. , pp. 1611-1625, November 2009, doi:10.1109/TPDS.2008.255