Joint Guidance

Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers

This document provides internet service providers (ISPs) and network defenders with recommendations to mitigate potential cybercriminal activity enabled by bulletproof hosting (BPH) providers.

PUBLISHED DATE: 21 November 2025

A bulletproof hosting (BPH) provider is an internet infrastructure provider that knowingly and intentionally markets and leases their infrastructure to cybercriminals. BPH providers lease their own infrastructure to cybercriminals. Increasingly, they resell stolen or leased infrastructure from legitimate hosting providers, data centres, ISPs, or cloud service providers who may unknowingly enable BPH providers to provide infrastructure to cybercriminals.

BPH providers market their infrastructure as “bulletproof” to cybercriminals.

The guidance encourages both ISPs and network defenders to follow the recommended mitigations. It includes recommendations that apply to both ISPs and network defenders, as well as recommendations tailored specifically for ISPs.

Recommendations

ISPs and network defenders can take the following actions to mitigate malicious activity enabled by BPH providers:

  • Curate a list of “high confidence” malicious internet resources.
  • Conduct traffic analysis to supplement your organisation’s malicious internet resources list.
  • Conduct automated and regular reviews of the curated malicious internet resources list.
  • Share threat intelligence findings.
  • Configure your organisation’s centralised event logging system to leverage the malicious internet resources list.
  • Implement filters.
  • Use upstream providers that follow Secure by Design principles.
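The following added example (not taken from the guidance) sketches how a curated list, its regular review and the log-matching step can fit together. The field names, the 90-day review window and the rule that only fresh, high-confidence entries are filtered while everything else only raises an alert are assumptions of this example; all addresses are constructed from documentation ranges.

```python
import ipaddress
from datetime import date

# Constructed list; networks are documentation ranges (RFC 5737 / RFC 3849).
# The fields "confidence" and "last_reviewed" are assumptions of this example.
CURATED = [
    {"net": "192.0.2.0/24", "confidence": "high", "last_reviewed": date(2025, 11, 1)},
    {"net": "198.51.100.0/25", "confidence": "high", "last_reviewed": date(2025, 6, 1)},
    {"net": "203.0.113.0/24", "confidence": "medium", "last_reviewed": date(2025, 11, 10)},
    {"net": "2001:db8:bad::/48", "confidence": "high", "last_reviewed": date(2025, 11, 15)},
]
# Constructed, already-parsed flow records from a central log store.
EVENTS = [
    {"ts": "2025-11-20T10:00:01Z", "dst": "192.0.2.44"},
    {"ts": "2025-11-20T10:00:02Z", "dst": "203.0.113.9"},
    {"ts": "2025-11-20T10:00:03Z", "dst": "198.51.100.10"},
    {"ts": "2025-11-20T10:00:04Z", "dst": "198.51.100.200"},
    {"ts": "2025-11-20T10:00:05Z", "dst": "2001:db8:bad::1"},
    {"ts": "2025-11-20T10:00:06Z", "dst": "not-an-ip"},
]

def load(entries):
    """Parse CIDR strings once so lookups compare network objects."""
    return [dict(e, net=ipaddress.ip_network(e["net"])) for e in entries]

def overdue(entries, today, max_age_days=90):
    """Entries due for review: last reviewed more than max_age_days ago."""
    return [e for e in entries if (today - e["last_reviewed"]).days > max_age_days]

def action_for(entry, today, max_age_days=90):
    """Filter only on fresh, high-confidence entries; otherwise alert only."""
    fresh = (today - entry["last_reviewed"]).days <= max_age_days
    return "filter" if entry["confidence"] == "high" and fresh else "alert"

def triage(events, entries, today):
    """Return (ts, dst, matched network, action) for each event on the list."""
    hits = []
    for ev in events:
        try:
            ip = ipaddress.ip_address(ev["dst"])
        except ValueError:
            continue  # malformed destination field: nothing to match
        for e in entries:
            if ip.version == e["net"].version and ip in e["net"]:
                hits.append((ev["ts"], ev["dst"], str(e["net"]), action_for(e, today)))
                break
    return hits

if __name__ == "__main__":
    print(triage(EVENTS, load(CURATED), date(2025, 11, 21)))
```

Downgrading overdue entries to alert-only keeps a reassigned address range from being silently blocked until someone has re-confirmed it.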

ISPs can play a crucial role in reducing cyber threats by taking the following actions that decrease the utility of BPH infrastructure:

  • Notify customers about malicious internet resource lists and associated filters.
  • Create filters that customers can apply in their own networks.
  • Form standards and norms for ISP accountability.
  • Establish “know your customer” capabilities.
  • Implement internet routing security best practices.

ISPs and network defenders should apply the recommendations only after weighing the associated risks, ensuring that actions taken do not unduly impact legitimate infrastructure.
