Bulletproof Hosting Defense: Practical CISA Playbook for ISPs

CISA and a coalition of U.S. and international partners this week published a practical playbook aimed at choking off a persistent enabler of organized cybercrime: bulletproof hosting (BPH) providers that knowingly lease infrastructure to threat actors and ignore abuse takedowns. The new Cybersecurity Information Sheet, titled Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers, delivers clear operational steps for Internet Service Providers (ISPs) and network defenders — from curating malicious resource lists and applying targeted filters to logging Autonomous System Numbers (ASNs) and sharing intelligence — with the explicit goal of reducing BPH utility while minimizing collateral impact to legitimate traffic. The guidance is being circulated jointly by CISA and a range of partners, and was publicized alongside statements from the National Security Agency and allied CERTs and law‑enforcement entities.

Background​

Bulletproof hosting providers are a specialized slice of the hosting market that markets itself on tolerance for abuse — offering customers anonymity, minimal or no response to abuse complaints, and infrastructure designed to resist takedown. That structure makes them attractive to ransomware operators, phishers, botnet controllers, and malware distributors. The problem is rising from two converging trends: (1) criminal ecosystems that monetize resilience — offering resilient DNS, fast‑flux capabilities, and anonymized payment and registration chains — and (2) an operating environment where ISPs, hosting providers, and device manufacturers have not uniformly adopted protective defaults or verifiable customer vetting. The risk is both tactical (immediate attacks hosted on BPH infrastructure) and systemic (criminal economies sustained by resilient infrastructure). International enforcement actions and sanctions against BPH services during 2025 show the scale and seriousness of the problem.

---

What CISA’s guide says — concise summary​

The guide frames BPH as an imminent and significant risk to resilience and public safety, and advocates a layered, careful approach for ISPs and network defenders to blunt its effectiveness. Its core recommendations — presented as operational, low‑to‑moderate risk steps that can be implemented quickly — are:

• Curate malicious resource lists using threat intelligence feeds and sharing channels to maintain up‑to‑date blocklists for domains, IPs, and ASNs.
• Apply filters that block malicious traffic at appropriate network choke points while preserving legitimate flows.
• Analyze traffic continuously for anomalies and use telemetry to refine blocklists and filter rules.
• Log and alert on ASNs and IPs, keep logs current, and use those records to escalate to upstream providers or law enforcement.
• Share intelligence with public and private partners to accelerate remediation and takedown actions.

For ISPs specifically, the guide recommends:

• Customer notification and opt‑out options when filters or blocklists might affect legitimate customers.
• Providing premade filters for customers to deploy in their networks.
• Establishing accountability standards and codes of conduct with peer ISPs to reduce abuse.
• Collecting and verifying customer identity to prevent BPH actors from leasing infrastructure anonymously.

These recommendations are designed to reduce the operational value of BPH infrastructure without endorsing blunt tactics that would indiscriminately block legitimate Internet users. The guide is a pragmatic mix of technical controls, operational playbooks, and cooperative governance measures.

Why this matters now​

Multiple contemporaneous signals make the guide timely and necessary:

• Governments and law enforcement are increasingly moving from ad hoc takedowns toward coordinated disruption and sanctions against BPH networks — a trend underscored by recent multi‑jurisdictional seizures and penalties. These enforcement steps reduce BPH capacity in the short term but do not remove the root causes that produce new BPH offerings.
• Attackers exploit resilience features — fast flux, dynamic DNS rotation, and anonymized proxies — to hide command‑and‑control and hosting for malware, and to complicate takedown. CISA and partner advisories on fast‑flux and related techniques have repeatedly documented how these behaviors frustrate traditional IP‑based blocking.
• Cloud providers and CDNs have demonstrated strong mitigation capability for high‑profile, volumetric events, but smaller providers and edge ISPs remain exposed; BPH infrastructure often sits in the regions and providers least prepared to act quickly and cooperatively. Operational best practices for mitigation therefore must include ISPs, not only large cloud platforms.

---

Deep dive: the guide’s operational controls and how to implement them​

The guide intentionally focuses on operational controls ISPs and network defenders can adopt without major policy changes. Below we translate those recommendations into practical, prioritized actions for implementation.

Curate malicious resource lists — how and where to start​

• Aggregate multiple threat intelligence sources: commercial CTI feeds, open‑source blocklists, national CERTs, and peer sharing arrangements.
• Normalize detection artifacts to a consistent format (IP, ASN, domain, certificate fingerprint).
• Apply reputation scoring and tiered action: high‑confidence indicators → automatic block; lower confidence → monitor & alert.

Benefits include the ability to rapidly translate intelligence into enforced controls. The risk is false positives; to mitigate that, use staged deployment: monitor → redirect/quarantine → block. This approach is consistent with industry playbooks that recommend testing blocklists against production telemetry before enforcement.

Implement filters with minimal collateral damage​

• Push controls to the network edge or upstream scrubbing points to discard malicious flows before they consume core capacity.
• Use graduated policies (rate‑limit, challenge, then block) instead of hard block rules for borderline indicators.
• Use proof‑of‑work or progressive challenge mechanisms for application‑layer abuse rather than immediate CAPTCHA to reduce user friction.

A layered filter strategy preserves legitimate traffic while giving defenders multiple degrees of freedom to escalate enforcement. It also reduces the operational burden of wholesale IP blacklists that can penalize shared cloud addresses or carrier NAT ranges.

Analyze traffic and maintain telemetry​

• Instrument for both bandwidth (Gbps/Tbps) and packet‑rate (pps) anomalies — modern attacks target packet‑processing capacity as much as raw throughput.
• Maintain per‑subscriber and per‑prefix metrics to enable rapid quarantine and targeted throttling.
• Retain logs long enough to support takedown requests and law‑enforcement investigations (subject to legal constraints).

High‑fidelity telemetry is critical for distinguishing legitimate bursts (e.g., CDN cache warmup) from malicious use. Service providers should automate alarms and playbooks triggered by combined bps/pps thresholds.

Logging, ASN tracking, and escalation pathways​

• Record ASNs and origin IPs associated with suspicious flows and correlate them with historical abuse patterns.
• Maintain standardized escalation templates (who to contact at upstream providers, CERTs, or law enforcement) and an evidence bundle format that includes meta‑telemetry, flow captures, and timestamps.
• Consider automated takedown or upstream suppression requests when persistent malicious infrastructure is traced to specific ASNs.

The guide emphasizes documentation and chain‑of‑custody readiness so network actions can be matched with investigative follow‑up.

Threat intelligence sharing — practical modes​

• Join or create ISACs, regional CERT sharing groups, and automated exchange channels (STIX/TAXII).
• Share anonymized indicators where legal/privacy constraints prevent full data exchange.
• Work with cloud providers to exchange telemetry that helps map malicious campaigns across service boundaries.

Collective intelligence raises detection speed and reduces duplicated work; it is one of the most cost‑effective defenses the guide recommends.

---

Additional recommendations for ISPs: operational and commercial actions​

CISA’s guide makes ISP‑specific suggestions that range from technical to policy:

• Customer notification and opt‑out: Notify customers before applying filters that could affect service, and provide opt‑out or appeal mechanisms to reduce churn or regulatory exposure.
• Premade filter packages: Offer customers curated filter sets they can apply in their own networks — a managed security offering that also reduces the provider’s monitoring burden.
• Codes of conduct and vetting: Collaborate with peer ISPs to set abuse‑prevention standards and require stronger Know‑Your‑Customer (KYC) practices for hosting and colocation customers.

Adopting these measures helps ISPs move from a purely reactive posture to a preventive stance. However, firms must design opt‑out and notification workflows carefully; poorly executed notifications or opaque filtering policies risk customer backlash or regulatory scrutiny.

---

Strengths of the guide​

• Operational realism: The guide avoids sweeping legal recommendations in favor of immediately actionable technical controls that ISPs and network defenders can implement quickly.
• Balanced risk approach: It recognizes the risk of collateral harm and suggests staged measures, opt‑outs, and verification steps rather than blunt blocks.
• Multi‑stakeholder framing: By co‑sealing the guidance with international partners and law‑enforcement‑adjacent agencies, the message reaches a broader operational audience and supports cross‑border cooperation.

---

Limitations and risks — what defenders must watch for​

• False positives and legitimate traffic disruption — Aggressive ASN/IP blocking can disrupt content delivery networks and legitimate cloud providers. Test and stage filters, and use graduated actions to reduce business impact.
• Attribution and measurement challenges — Short, bursty attacks and fast‑flux resolution complicate attribution; metrics like “peak Tbps” are sensitive to vantage point. Treat headline numbers with caution unless raw telemetry is available.
• Privacy and legal constraints — Collecting and storing subscriber data for vetting conflicts with local privacy laws in many jurisdictions. ISPs should consult counsel and maintain transparency when policy changes affect customer privacy.
• Operational capacity — Smaller ISPs may lack telemetry, automation, or scrubbing capacity; expecting uniform adoption without support mechanisms may leave gaps. Offer peer support, managed services, or graduated compliance timelines.
• Economics of evasion — As defenders harden BPH, criminals adapt: residential proxies, brand‑spoofed cloud traffic, and anonymized payment chains make simple blocks less effective. Continuous intelligence and policy levers (sanctions, local enforcement) remain necessary complements to technical controls.

---

Rapid implementation checklist for ISPs and network defenders​

The guide’s recommendations are designed to be implemented across short horizons; this checklist synthesizes best practices into prioritized actions.
Immediate (0–7 days)

• Confirm DDoS/edge protection is enabled for all public IPs and CDN endpoints.
• Subscribe to at least two reputable threat‑intelligence feeds and integrate them into monitoring.
• Turn on logging for ASN and IP origin, and set alerts for sudden pps/bps anomalies.

Short term (1–3 months)

• Implement staged filtering: monitor → challenge/redirect → rate‑limit → block.
• Offer premade filters for customers and publish clear notification/appeal procedures.
• Run tabletop exercises with vendors, upstream ISPs, and law enforcement escalation points.

Mid term (3–12 months)

• Deploy per‑subscriber egress policing and automated quarantine workflows for infected CPE.
• Participate in regional intelligence sharing and bulk indicator exchange (STIX/TAXII).
• Establish KYC procedures and contract language requiring cooperation on abuse remediation for hosting customers.

---

Policy context and international enforcement​

Technical mitigation alone will not eliminate BPH. Recent law‑enforcement moves and sanctions show a multi‑pronged approach is already in play: takedowns of BPH infrastructure in Europe and OFAC sanctions against service providers have degraded some criminal hosting options, but new BPH offerings reappear in permissive jurisdictions or via rebranded entities. Coordinated policy responses — sanctions, targeted enforcement, and minimum security requirements for hosting registrars and edge device manufacturers — will be necessary to raise the floor for safe Internet operation. The guide positions technical controls as complementary to these measures.

---

Practical case study: upstream suppression vs. origin blocking​

A common question is whether to block a hostile origin immediately or to suppress it upstream. The guide and industry practice recommend upstream suppression (drop malicious flows at the provider backbone or at peering edges) where possible, because it reduces the risk of overblocking shared cloud addresses and preserves last‑mile connectivity. When the malicious traffic can be traced to an ASN that persistently refuses to remediate, escalated actions — including coordinated peer filtering or working through law enforcement — are appropriate. Evidence from recent DDoS incidents shows upstream suppression combined with cloud scrubbing preserves availability for victims while isolating the hostile infrastructure.

---

Final assessment — what defenders gain, and what to watch​

CISA’s Bulletproof Defense is a useful, pragmatic toolkit that helps ISPs and network defenders translate strategic goals (reduce BPH effectiveness) into tactical actions (filters, telemetry, intelligence sharing). Its greatest value is operational: it reduces friction for defenders by describing concrete implementations and emphasizing staged, measured responses that limit collateral harm.
That said, the guide is not a silver bullet. Technical controls can force criminals to more costly hosting models, but they cannot by themselves eliminate the incentives that sustain BPH markets. Success requires:

• Continued investment in telemetry and automation across ISPs and cloud providers.
• Legal and policy levers to make persistent non‑cooperation by BPH economically risky.
• Device and supply‑chain changes that reduce the pool of vulnerable endpoints used as proxies or botnet nodes.

Implementing CISA’s recommendations will make it harder — but not impossible — for criminal operators to hide. The combination of technical hardening, ecosystem cooperation, and targeted enforcement offers the most realistic path to reducing harm at scale.

---

Bottom line for Windows admins, ISPs, and network defenders​

• Prioritize telemetry: monitor both packet‑rate and throughput; enable alerts on deviations.
• Translate intelligence into staged enforcement: test blocklists, use challenges and rate‑limits, then block when confidence is high.
• Coordinate: share indicators with peers, engage upstream ISPs for suppression, and document escalation paths for law enforcement.

CISA’s guide gives operators a practical, risk‑aware roadmap to reduce the effectiveness of bulletproof hosting infrastructure. Where it helps most is in clarifying how to act operationally without breaking the Internet for legitimate users — but the long game will still require coordinated policy, supplier accountability, and cross‑border enforcement to shrink the shelter BPH providers afford to criminal operators.

---

Source: CISA CISA Releases Guide to Mitigate Risks from Bulletproof Hosting Providers | CISA