Wolf in Sheep's Clothing: Unveiling Reputation Poisoning-Based Denial of Service
Abstract
Reputation systems are used to measure the reliability of users, devices and services in digital environments. Although they support security and decision-making by identifying malicious interactions, these systems are subject to manipulation that can compromise their integrity. This work proposes and validates a new attack vector that exploits reputation systems to carry out denial of service against legitimate users. The attack consists of a malicious agent that impersonates the victim, executes offensive actions and induces automated systems to penalize the victim based on its reputation. The strategy exploits identity verification flaws in behavior-based trust mechanisms. The attack was demonstrated through experiments with a real service and security system, highlighting its effectiveness in blocking legitimate clients through a triangulated attack and emphasizing the need to explore new methods for detecting and mitigating the proposed attack.
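As an added illustration (not code from the paper), the toy guard below keys a Beta-style reputation score either on a spoofable source address or on a verified identity, and shows that only the former lets forged offensive traffic push the legitimate client below the blocking threshold; the threshold, scoring model and traffic are constructed assumptions.

```python
# Added example, not from the paper: a toy behavior-based reputation guard
# showing why the reputation key must be a verified identity. Scores use a
# simple Beta reputation, (good+1)/(good+bad+2), an assumption of this example.
from dataclasses import dataclass

BLOCK_THRESHOLD = 0.3  # constructed cut-off; keys scoring below it are blocked


@dataclass
class BetaReputation:
    good: int = 0
    bad: int = 0

    def update(self, benign: bool) -> None:
        if benign:
            self.good += 1
        else:
            self.bad += 1

    @property
    def score(self) -> float:
        # Expected value of Beta(good+1, bad+1); a fresh key starts at 0.5
        return (self.good + 1) / (self.good + self.bad + 2)


class ReputationGuard:
    # key_by is a spoofable field ("source_addr") or a verified one ("auth_id")
    def __init__(self, key_by: str) -> None:
        self.key_by = key_by
        self.reps: dict[str, BetaReputation] = {}

    def observe(self, event: dict) -> None:
        self.reps.setdefault(event[self.key_by], BetaReputation()).update(event["benign"])

    def is_blocked(self, key: str) -> bool:
        rep = self.reps.get(key)
        return rep is not None and rep.score < BLOCK_THRESHOLD


# Constructed traffic: three benign requests from the victim, then twelve
# offensive requests whose source address is forged to match the victim's.
# The forger holds no verified credential, so its auth_id is a distinct value.
EVENTS = (
    [{"source_addr": "10.0.0.5", "auth_id": "victim", "benign": True}] * 3
    + [{"source_addr": "10.0.0.5", "auth_id": "unverified", "benign": False}] * 12
)


def victim_blocked(key_by: str) -> bool:
    # True if the legitimate victim ends up blocked under the given keying
    guard = ReputationGuard(key_by)
    for event in EVENTS:
        guard.observe(event)
    return guard.is_blocked("10.0.0.5" if key_by == "source_addr" else "victim")
```

Keyed by source address the victim's score falls to 4/17 and it is blocked; keyed by verified identity the victim stays at 0.8 while only the unverified sender is blocked.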
Published
2025-09-01
How to Cite
FRASÃO, Anderson; MACHNICKI, Raphael Kaviak; HEINRICH, Tiago; FULBER-GARCIA, Vinicius. Wolf in Sheep's Clothing: Unveiling Reputation Poisoning-Based Denial of Service. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 273-288. DOI: https://doi.org/10.5753/sbseg.2025.10387.
