
Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers


Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers

Publication: November 19, 2025

U.S. Cybersecurity and Infrastructure Security Agency
U.S. National Security Agency
U.S. Department of Defense Cyber Crime Center
U.S. Federal Bureau of Investigation
Australian Signals Directorate’s Australian Cyber Security Centre
Canadian Centre for Cyber Security
Netherlands National Cyber Security Centre
New Zealand National Cyber Security Centre
United Kingdom National Cyber Security Centre

TLP:CLEAR

This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see Traffic Light Protocol (TLP) Definitions and Usage.

Introduction

This document was developed through the Joint Ransomware Task Force (JRTF), a U.S. interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to ensure unity of effort in combating the growing threat of ransomware attacks.

This document provides internet service providers (ISPs) and network defenders recommendations to mitigate potential cybercriminal activity enabled by bulletproof hosting (BPH) providers. This document is authored by the Cybersecurity and Infrastructure Security Agency (CISA) and the following partners:[1]

U.S. National Security Agency (NSA)
U.S. Department of Defense Cyber Crime Center (DC3)
U.S. Federal Bureau of Investigation (FBI)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (Cyber Centre)
Netherlands National Cyber Security Centre (NCSC-NL)
New Zealand National Cyber Security Centre (NCSC-NZ)
United Kingdom National Cyber Security Centre (NCSC-UK)

A BPH provider is an internet infrastructure provider that knowingly and intentionally markets and leases their infrastructure to cybercriminals. The authoring agencies have observed a marked increase in cybercriminal actors using BPH infrastructure to support cyber operations against critical infrastructure, financial institutions, and other high-value targets. BPH providers continue to pose a significant risk to the resilience and safety of critical systems and services.

Mitigating cybercriminal activity enabled by BPH providers requires a nuanced approach because BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from ISPs or network defenders may impact legitimate activity. The authoring agencies encourage ISPs and network defenders to apply the recommendations in this document, including curating a list of “high confidence” malicious internet resources and using the list to implement filters. By doing so, ISPs and network defenders can mitigate cybercriminal activity perpetuated by BPH infrastructure. This will help reduce the effectiveness of this infrastructure and potentially force cybercriminals to use legitimate infrastructure providers who are responsive to cyber threat abuse complaints and law enforcement takedown requests.

Bulletproof Hosting Providers

BPH providers lease their own infrastructure to cybercriminals. Increasingly, they resell stolen or leased infrastructure from legitimate hosting providers, data centers, ISPs, or cloud service providers who may unknowingly enable BPH providers to provide infrastructure to cybercriminals.
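The Introduction above recommends curating a list of “high confidence” malicious internet resources and using it to implement filters, while cautioning that filters may impact legitimate activity. The following is an added example, not code from the advisory or from any of the authoring agencies, of how a network defender could apply such a list to flow records: destinations are matched against the narrowest listed prefixes (longest-prefix match over IPv4 and IPv6), and an allowlist exempts a known-legitimate host that sits inside a listed range. The list contents, the allowlist and the flow records are constructed for illustration and use documentation address ranges (RFC 5737 and RFC 3849), not real BPH infrastructure.

```python
"""Filtering flow records against a curated "high confidence" prefix list.

Added example; not code from the advisory or the authoring agencies.
Every prefix, address and flow below is constructed for illustration and
uses documentation ranges (RFC 5737 / RFC 3849), not real BPH infrastructure.
"""
import ipaddress

# Constructed high-confidence list. Each entry is the narrowest prefix the
# analyst is confident about, with a provenance note, rather than a whole AS.
HIGH_CONFIDENCE_LIST = """
# prefix_or_address      reason (constructed)
203.0.113.0/24           example range attributed to a BPH reseller
198.51.100.17            example command-and-control host
2001:db8:bad::/48        example IPv6 range
"""

# Constructed allowlist: a legitimate service that happens to live inside a
# listed range. This is the advisory's "may impact legitimate activity" caveat.
ALLOWLIST = ["203.0.113.250"]

# Constructed flow records: (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.42", 443),     # inside listed /24      -> block
    ("10.0.0.5", "203.0.113.250", 443),    # inside /24, allowlisted -> pass
    ("10.0.0.7", "198.51.100.17", 8080),   # listed host             -> block
    ("10.0.0.7", "198.51.100.18", 8080),   # neighbour, not listed   -> pass
    ("10.0.0.9", "2001:db8:bad::1", 443),  # inside listed /48       -> block
    ("10.0.0.9", "192.0.2.10", 53),        # unrelated               -> pass
]


def parse_prefix_list(text):
    """Parse one prefix or address per line; '#' starts a comment.

    Returns a list of ip_network objects. A bare address becomes a /32 or
    /128; strict=False normalises a host-bits entry such as 203.0.113.5/24
    to its network instead of raising.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]
        networks.append(ipaddress.ip_network(token, strict=False))
    return networks


class PrefixFilter:
    """Longest-prefix match over a curated list, with an allowlist override."""

    def __init__(self, blocklist, allowlist=()):
        # Longest prefix first, so the first hit is the most specific entry.
        self.blocklist = sorted(blocklist, key=lambda n: n.prefixlen, reverse=True)
        self.allowlist = {ipaddress.ip_address(a) for a in allowlist}

    def lookup(self, ip):
        """Return the listed prefix covering ip, or None if the flow passes."""
        addr = ipaddress.ip_address(ip)
        if addr in self.allowlist:
            return None
        for net in self.blocklist:
            # 'in' is False across address families; the version check just
            # makes that explicit.
            if addr.version == net.version and addr in net:
                return net
        return None


def apply_filter(flows, prefix_filter):
    """Split flows into (blocked, passed); blocked rows carry the matched prefix."""
    blocked, passed = [], []
    for src, dst, port in flows:
        hit = prefix_filter.lookup(dst)
        if hit is None:
            passed.append((src, dst, port))
        else:
            blocked.append((src, dst, port, str(hit)))
    return blocked, passed


def run_example():
    """Build the filter from the constructed list and apply it to SAMPLE_FLOWS."""
    prefix_filter = PrefixFilter(parse_prefix_list(HIGH_CONFIDENCE_LIST), ALLOWLIST)
    return apply_filter(SAMPLE_FLOWS, prefix_filter)


if __name__ == "__main__":
    blocked, passed = run_example()
    for row in blocked:
        print("BLOCK", row)
    for row in passed:
        print("PASS ", row)
```

Running the block prints one BLOCK or PASS decision per flow. Keeping each entry as an explicit prefix with a provenance note is what makes the list auditable and lets a single entry be narrowed or exempted when a legitimate service turns out to share a range; a rule keyed on an entire ASN offers no such granularity.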
BPH providers are able to market their infrastructure as “bulletproof” to cybercriminals because they do not engage in good faith with legal processes (such as subpoenas or court orders) and third-party or victim complaints of malicious activity[2] enabled from such infrastructure. For example, some BPH providers impose onerous documentation requirements before accommodating a third-party (i.e., law enforcement) takedown request.[3]

With the “bulletproof” assurance, cybercriminals use this infrastructure for obfuscation via fast flux techniques, command and control, malware delivery, phishing, and hosting illicit content in support of a variety of malicious cyber activities, such as ransomware, data extortion, and denial of service (DoS) attacks.

Bulletproof Hosting and Legitimate Infrastructure

BPH infrastructure is integrated into legitimate internet infrastructure systems, making it difficult for defenders to mitigate the cybercriminal activity. BPH infrastructure is part of a network or group of networks known as an Autonomous System (AS), where each AS has a unique identifier known as an Autonomous System Number (ASN). Blocking activity from the entire AS by leveraging the ASN may be ineffective in preventing malicious activity as:

The defensive filters may unduly impact legitimate traffic.
Cybercriminals often spread their BPH infrastructure across multiple ASes to avoid detection and mitigation, ensuring tha