The National Security Agency (NSA), along with the Cybersecurity and Infrastructure Security Agency (CISA) and several international partners, released a new guide on November 19, 2025, to help internet service providers (ISPs) and network defense teams combat cyber threats from bulletproof hosting (BPH) providers.
This document, titled “Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers,” comes from the Joint Ransomware Task Force (JRTF), created under the 2022 Cyber Incident Reporting for Critical Infrastructure Act.
It highlights how BPH services fuel ransomware, data extortion, and attacks on critical infrastructure by offering resilient networks that ignore legal takedown requests.
The guide stresses the need for a careful strategy to block malicious traffic without harming legitimate users, as BPH often hides within standard internet systems.
BPH providers intentionally rent servers and networks to cybercriminals, promising “bulletproof” protection against shutdowns.
They lease their own setups or resell stolen resources from honest data centers, cloud services like AWS, or even unwitting ISPs.
These operators dodge subpoenas, court orders, and abuse reports by demanding excessive proof before acting, allowing crimes to persist.
Cyber attackers use this infrastructure for evasive tactics, such as fast-flux DNS, in which domain names rapidly switch IP addresses to avoid blocks.
Typical uses include command-and-control servers for malware, phishing sites, and hosting stolen data, all of which support denial-of-service floods or ransomware payloads.
The challenge lies in BPH’s blend with everyday internet traffic. These networks operate within Autonomous Systems (AS), each identified by a unique Autonomous System Number (ASN). Blocking an entire ASN might stop bad actors.
However, it could also disrupt valid services, since criminals scatter their ops across many ASNs to stay under the radar.
BPH teams evade filters by grabbing new ASNs in days from registries and shifting IP blocks, or by rotating emails, IP addresses, nameservers, and CNAME DNS records.
This dynamic setup makes simple blocks ineffective, as IPs leased from legitimate providers, including the major cloud platforms, get “laundered” for crime.
BPH enables sophisticated cyber ops by providing stable, hard-to-trace bases. For instance, ransomware groups deploy encryptors via BPH-hosted download links, using fast flux to keep sites live despite reports.
Attackers also run command-and-control (C2) channels here, directing botnets to mount distributed denial-of-service (DDoS) attacks on banks or power grids.
Phishing campaigns thrive too, with fake login pages on bulletproof domains luring victims into handing over credentials. Even supply chain attacks route through these, as seen in recent malware distributions targeting enterprises.
The guide notes a surge in BPH use against high-value targets, raising risks to global systems.
Defenders must watch for outliers, such as unusual traffic spikes that mimic legitimate content delivery networks (CDNs), while allowlisting known CDNs to avoid false positives.
To counter this, the agencies recommend building a “high confidence” list of bad ASNs, IP ranges, and addresses using free feeds like Spamhaus DROP lists or ipapi.is abusive ASNs.
ISPs and teams should baseline regular traffic, spot anomalies, and automate list updates while sharing intel via groups like COMM-ISAC.
Central logging must track ASNs and IPs and alert on matches against the latest list. Filters go at network edges, with risk checks to choose the granularity: whole-ASN blocks for heavy abuse, or per-IP blocks where traffic is mixed.
Audit logs track filter decisions, and change controls prevent tampering; map ASNs to IPs often, as allocations shift.
Feedback loops handle block complaints transparently and adjust based on trends. For ISPs specifically, notify users of filters, offer opt-outs, and provide ready-made blocks for customer networks.
Build “know your customer” checks, like ID verification or test emails, to block shady sign-ups.
Partner on codes of conduct, such as 90-day blocks for abusive ASNs, and enforce them via peering deals. Adopt BGP security to stop hijacks, per NIST SP 800-189.
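The list-building and log-matching steps above (a high-confidence list from DROP-style feeds plus ASN-to-prefix mapping, with whole-ASN blocks for heavy abusers and per-IP entries for mixed-traffic ASNs, then alerting on log matches) as an added Python example; it is not code from the guide or the agencies. The DROP sample, ASN map (documentation ASNs 64496/64497 and TEST-NET prefixes) and firewall log lines are all constructed for illustration.

```python
import ipaddress

# Constructed sample in Spamhaus DROP format ("CIDR ; SBL ref"), using
# documentation prefixes only; not a real listing.
SAMPLE_DROP = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""
# Constructed ASN-to-prefix map with documentation ASNs (RFC 5398).
SAMPLE_ASN_PREFIXES = {
    64496: ["203.0.113.0/26", "203.0.113.64/26"],  # hypothetical heavy-abuse ASN
    64497: ["203.0.113.128/25"],                   # hypothetical mixed-traffic ASN
}
HIGH_ABUSE_ASNS = {64496}   # whole-ASN block; AS64497 gets only per-IP entries
# Constructed firewall log lines, not from any real device.
SAMPLE_LOGS = [
    "2025-11-19T10:00:01Z fw src=192.0.2.44 dst=10.0.0.5 action=allow",
    "2025-11-19T10:00:02Z fw src=203.0.113.7 dst=10.0.0.5 action=allow",
    "2025-11-19T10:00:03Z fw src=203.0.113.200 dst=10.0.0.5 action=allow",
    "2025-11-19T10:00:04Z fw src=198.51.100.200 dst=10.0.0.5 action=allow",
]

def parse_drop(text):
    """Parse DROP-format lines into networks, ignoring ';' comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def build_blocklist(drop_text, asn_prefixes, high_abuse_asns, per_ip=()):
    """High-confidence list: DROP entries, all prefixes of heavy-abuse ASNs,
    plus single addresses for ASNs whose traffic is mixed."""
    nets = parse_drop(drop_text)
    for asn in high_abuse_asns:
        nets += [ipaddress.ip_network(p) for p in asn_prefixes.get(asn, [])]
    nets += [ipaddress.ip_network(ip) for ip in per_ip]
    return list(ipaddress.collapse_addresses(nets))  # merges adjacent prefixes

def match_logs(log_lines, blocklist):
    """Return (src_ip, matched_prefix) for lines whose source is on the list."""
    hits = []
    for line in log_lines:
        src = ipaddress.ip_address(line.split("src=", 1)[1].split()[0])
        for net in blocklist:
            if src in net:
                hits.append((str(src), str(net)))
                break
    return hits
```

Note that 198.51.100.200 produces no alert: the DROP entry covers only 198.51.100.0/25, which is the kind of gap that re-mapping ASNs to current prefixes is meant to close.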
These steps aim to make BPH less appealing, pushing criminals to monitored providers.
Resources include ACSC’s BPH report and CIRA’s DNS firewall. By acting now, ISPs can shield critical sectors from evolving threats.