Lamb in Wolf's Clothing: Unveiling Denial of Service Based on Reputation Poisoning (Cordeiro em Pele de Lobo: Desvelando a Negação de Serviço Baseada em Envenenamento de Reputação)

  • Anderson Frasão UFPR
  • Raphael Kaviak Machnicki UFPR
  • Tiago Heinrich MPI
  • Vinicius Fulber-Garcia UFPR

Abstract

Reputation systems are used to measure the trustworthiness of users, devices and services in digital environments. Although they support security and decision-making by identifying malicious interactions, these systems are subject to manipulations that can compromise their integrity. This work proposes and validates a new attack vector that exploits reputation systems to carry out denial of service against specific legitimate users. The attack consists of a malicious agent that impersonates the victim, performs malicious actions and induces automated systems to penalize the victim on the basis of her reputation. The strategy exploits flaws in identity verification within behaviour-based trust mechanisms. The attack was demonstrated through experiments with a real service and a real security system, showing its effectiveness in blocking legitimate clients by means of a triangulated attack and highlighting the need to explore new methods for detecting and mitigating the proposed attack.
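As an added illustration (not code from the paper), the Python model below contrasts the weak design the abstract describes, in which an automated defence charges each action to the identity a request merely claims, with a design that only penalizes an identity the request can prove; the client names, addresses, threshold and HMAC-based token scheme are assumptions.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed demo values (not from the paper): the server-side key used to
# issue per-client tokens, and the trust score below which a client is blocked.
SECRET = b"constructed-demo-key"
BLOCK_THRESHOLD = 0.3
PENALTY = 0.5  # each malicious action halves the actor's trust score


def token_for(client_id: str) -> str:
    """Server-issued credential proving the caller really is `client_id`."""
    return hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()


class ReputationGate:
    """Behaviour-based trust: every actor starts at 1.0 and loses trust with each
    malicious action. `verify_identity` decides whether an event is charged to
    the identity it claims or only to an identity it can prove."""
    def __init__(self, verify_identity: bool):
        self.verify_identity = verify_identity
        self.score = defaultdict(lambda: 1.0)

    def attribute(self, event: dict) -> str:
        claimed = event["client_id"]
        if not self.verify_identity:
            return claimed  # weak: the claim alone decides who gets penalized
        if hmac.compare_digest(token_for(claimed), event.get("token", "")):
            return claimed  # proven: the named client really acted
        return "unverified:" + event["src"]  # hardened: charge the real source

    def observe(self, event: dict) -> str:
        actor = self.attribute(event)
        if event["malicious"]:
            self.score[actor] *= PENALTY
        return actor

    def is_blocked(self, actor: str) -> bool:
        return self.score[actor] < BLOCK_THRESHOLD


def run_scenario(verify_identity: bool) -> dict:
    """Constructed data: victim 'alice' behaves well once; an impersonator claims
    to be 'alice' from another address and misbehaves three times."""
    gate = ReputationGate(verify_identity)
    events = [{"client_id": "alice", "src": "10.0.0.5",
               "token": token_for("alice"), "malicious": False}]
    events += [{"client_id": "alice", "src": "203.0.113.9",
                "token": "", "malicious": True}] * 3
    return {a: gate.is_blocked(a) for a in {gate.observe(e) for e in events}}
```

With `verify_identity=False` the three impersonated actions push the victim below the threshold and she is blocked; with verification on, only the unverified source accumulates penalties.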

Published

01/09/2025

FRASÃO, Anderson; MACHNICKI, Raphael Kaviak; HEINRICH, Tiago; FULBER-GARCIA, Vinicius. Cordeiro em Pele de Lobo: Desvelando a Negação de Serviço Baseada em Envenenamento de Reputação. In: SIMPÓSIO BRASILEIRO DE CIBERSEGURANÇA (SBSEG), 25., 2025, Foz do Iguaçu/PR. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 273-288. DOI: https://doi.org/10.5753/sbseg.2025.10387.
