Bulletproof Hosting (BPH) Taxonomy

Introduction

NETSCOUT's ASERT researchers began investigating Bulletproof Hosting (BPH) providers in early 2023 as a significant number of our customers experienced high-volume scans, attack traffic, and intrusion attempts from multiple well-known BPH providers. We revealed initial findings on two such providers in our 1H 2023 Threat Intelligence Report where we assessed malicious attack traffic flowing to and from their services. We also described two different types of services and the expected behavior from each. In the coming months, we will publish another article to further measure and analyze the attack behavior of these services. The purposes of this blog is to outline what these services are and how ASERT classifies them.

BPH has been a mainstay of adversaries for over a decade. They have gone through many iterations and been called various names over the years. The phrase Bulletproof hosting suggests technical sophistication, infrastructure resiliency, and a platform with elaborate redundancy. However, for the internet security community its connotation is rarely flattering. BPH typically refers to a service provider that is unresponsive to complaints and ignores requests to curb certain types of activity that may be harmful if not illegal.

"...unlike other hosting providers, bulletproof hosting companies do not act on abuse reports." - Spamhaus

"Bulletproof hosting (BPH) is technical infrastructure service provided by an Internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cyberattacks." - Wikipedia

"[Bulletproof Host] Providers often offer customer support by sharing early notifications of abuse requests and even automatically moving servers to another IP space." - Trend Micro

These descriptions all convey an overall sense of “badness”.  However, while the term Bulletproof Host has often been attributed to inarguably bad actors, some within the information security community have at times affixed the label to numerous providers, blurring the lines between intentionally malicious actors and unwitting accomplices.

The language used by hosting providers may offer clues.  We frequently see a number of telltale signs not only where providers advertise, but the language they use.  For example, a reliance on cryptocurrency or using phrases such as “offshore hosting” and “anonymous hosting” may raise suspicions.  The infrastructure is often transient or difficult to map.  

ASERT BPH Classification

We classify BPH providers into three types as follows:

• Malicious: Practically no legitimate or lawful activity.
• Abusive: Significantly uncooperative, unresponsive, or unwanted activity.
• Controversial: Legal, but often condemned for unwanted material or activity.

Malicious BPH providers are relatively rare. They are widely viewed as criminal, although they often feign innocence. They exhibit repeated and ongoing patterns of malicious activity. They are amongst the most resistant to inquiries, reports, or complaints. The people and services are often located in jurisdictions often known for inadequate, underdeveloped, or even corrupt legal systems.  Contact information, if provided, is often anonymized or elusive.

An Abusive BPH provider is one known to host significant amounts of content or originates significant amounts of traffic often considered problematic or harmful. They may originate legitimate content and traffic but are typically home to a disproportionate amount of abusive activity. They may not operate with criminal intent, but may be severely lacking in staff, procedures, or capability to minimize abusive activity.

A Controversial BPH provider is one that may permit a wide range of activity that many find objectionable, such as political extremist material, extreme graphic material, or even the unauthorized hosting of copyright material.

The distinction between the Controversial BPH provider and others, is that a controversial BPH provider does not generally “push” content (such as exploits and spam) or traffic (scans) to unwitting recipients, but rather simply makes it available for others to “pull”, similar to a content hosting provider.

Occasionally, legitimate hosting providers are categorized as BPH providers, but usually on a temporary basis or due to automated processes that measure BPH providers from certain perspectives. For example, we may not wish to permanently penalize providers that host or generate traffic of the following types:

• Unnecessary: Legal, responsive, and generally not controversial, but essentially “noise”. e.g., Well-known research networks or organizations performing network measurement or monitoring.
• Exploited: Practically any popular or low-cost hosting provider is susceptible to attracting “undesirable” customers. Malicious, abusive, or controversial content may appear on various hosting networks, and some more than others, but generally these hosting providers are legitimate and responsive if not overburdened.

Conclusion

The distinction of between these different types of groups (classifications) are not always clear, especially to outsiders, but they can be evaluated by provider intent, responsiveness, track record, transparency, and actions.  Only after careful analysis can the nuances of activity and response lead to an accurate classification and mitigation of threats.  Once we have a clearer understanding of BPH providers we can then better identify differentiate between sustained threats and transient incidents.  A more nuanced understanding of BPH providers can help improve our mitigation tactics when we know who is simply unresponsive and who is inherently untrustworthy.  In our next BPH article we will explore and observe the real-world effects of malicious and abusive BPH provider traffic.