An attacker's connection can propagate quickly to different parts of a transparent All-Optical Network. Such attacks affect the normal traffic and cause a quality of service degradation or outright service denial. Attack monitors can collect the information of each link and each node to help diagnose the attacker's exact location.Quick detection and localization of an attack source helps avoid losing large amounts of data in an all-optical network. However, to detect attack sources, it is not necessary to put monitors on all nodes. Since not every wavelength on every link is being used all the time, we propose to use the idle wavelengths to setup diagnostic connections and obtain the necessary information needed for diagnosis purposes. We show that placing a relatively small number of monitors at some key nodes in a network is sufficient to achieve level of performance. However, the monitor placement policy, routing policy, and diagnosis method are challenging problems.We, in this paper, first develop a monitor placement policy, a test connection policy, and a routing policy based on our definition of crosstalk attack and monitor node models. With these policies, we show that we can always detect and localize the malicious connections as long as there is no more than one malicious connection on each wavelength in the whole network. After this, we develop a scalable diagnosis method, which can localize the sources of the such malicious attacks in a fast manner.