ACSC releases new guidance on bulletproof hosting providers
The Australian Cyber Security Centre (ACSC) has released new guidance on defending against cybercriminal activity enabled by bulletproof hosting (BPH) providers.
The publication, Bulletproof defense: Mitigating risks from bulletproof hosting providers, was led by the US Cybersecurity and Infrastructure Security Agency (CISA) and produced with ACSC and other international partners. It is written for network defenders and internet service providers (ISPs).
A BPH provider is an internet infrastructure provider that knowingly markets and leases its infrastructure to cybercriminals. Cybercriminals increasingly use BPH infrastructure to support attacks against critical infrastructure, financial institutions and other high-value targets, making BPH providers significant facilitators of risk to the resilience and safety of critical systems and services.
Because BPH infrastructure is interleaved with legitimate internet infrastructure, blocking actions taken against it by ISPs or network defenders may also disrupt legitimate activity. A carefully considered and tailored approach to mitigation is therefore required.
Cybercriminals often spread their BPH infrastructure across multiple autonomous systems so that it forms only a small part of each AS, which makes it harder to detect and harder to block without collateral impact. Where a BPH provider operates on infrastructure leased from a legitimate provider, blocking all traffic for that provider's autonomous system number (ASN) also drops the legitimate provider's traffic.
BPH infrastructure is also designed to evade defences dynamically: a BPH provider can request a new ASN from an internet registry, receive it within two to five business days, and migrate its malicious IP ranges to the new ASN, so a block keyed only on the old ASN stops matching.
The full publication sets out mitigation recommendations, including dynamic filtering of ASNs, subnets or individual IP addresses to reduce the risk of compromise from BPH-enabled activity. Defenders should apply the recommendations only after weighing the associated risks, block at the finest granularity the available intelligence supports (individual IP addresses or subnets before whole ASNs), and monitor to ensure the actions taken neither unduly affect legitimate infrastructure nor lapse when the malicious ranges move.
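The following is an added example, not code from the ACSC or CISA publication, showing why the granularity of a block matters. It compares an ASN-only block policy with a prefix-and-IP policy on a handful of constructed connection-log lines, first with a hypothetical BPH range routed inside a shared AS and then after that range has been migrated to a newly assigned ASN. All ASNs (64500 to 64502) and addresses (203.0.113.0/24, 203.0.114.0/24, 198.51.100.0/24) are documentation-reserved values, the route tables and log lines are invented, and the class and function names are this example's own.

```python
import ipaddress
import re

# Constructed sample data for this example; the ASNs are from the range reserved for
# documentation (RFC 5398) and the addresses from the TEST-NET ranges (RFC 5737).
# Prefix -> origin ASN, as a route-view or RIB lookup would return it.
ROUTES_BEFORE = {
    "203.0.113.0/24": 64500,   # hypothetical BPH range leased inside AS64500
    "203.0.114.0/24": 64500,   # legitimate customer of the same AS64500
    "198.51.100.0/24": 64501,  # unrelated network
}
# Same view after the BPH provider obtains a fresh ASN and migrates its range to it.
ROUTES_AFTER = {**ROUTES_BEFORE, "203.0.113.0/24": 64502}

# Constructed connection-log lines (not real traffic).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 CONNECT src=203.0.113.5 dst=10.0.0.8 dport=443",
    "2024-05-01T10:00:02Z fw01 CONNECT src=203.0.114.10 dst=10.0.0.8 dport=443",
    "2024-05-01T10:00:03Z fw01 CONNECT src=198.51.100.7 dst=10.0.0.9 dport=22",
]
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def origin_asn(ip, routes):
    """Longest-prefix match of ip against routes; returns the origin ASN or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


class BphFilter:
    """Layered block policy: individual IPs first, then subnets, then whole ASNs.

    Each layer is optional, so the same class expresses a coarse ASN-only policy
    and a finer prefix/IP policy, and the two can be compared on the same logs.
    """

    def __init__(self, ips=(), prefixes=(), asns=()):
        self.ips = {ipaddress.ip_address(i) for i in ips}
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.asns = set(asns)

    def decide(self, ip, routes):
        addr = ipaddress.ip_address(ip)
        if addr in self.ips:
            return "block:ip"
        for net in self.prefixes:
            if addr in net:
                return f"block:prefix:{net}"
        asn = origin_asn(ip, routes)
        if asn in self.asns:
            return f"block:asn:{asn}"
        return "allow"


def apply_to_log(policy, routes, lines):
    """Map each source IP found in the log lines to the policy's decision."""
    decisions = {}
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            decisions[m.group(1)] = policy.decide(m.group(1), routes)
    return decisions


# Coarse policy: block the whole AS the BPH range was first observed in.
ASN_ONLY = BphFilter(asns={64500})
# Finer policy: block only the observed malicious prefix and one known-bad host.
PREFIX_LEVEL = BphFilter(prefixes=["203.0.113.0/24"], ips=["198.51.100.7"])

if __name__ == "__main__":
    for name, routes in (("before migration", ROUTES_BEFORE), ("after migration", ROUTES_AFTER)):
        print(name)
        print("  ASN-only    :", apply_to_log(ASN_ONLY, routes, LOG_LINES))
        print("  prefix-level:", apply_to_log(PREFIX_LEVEL, routes, LOG_LINES))
```

Before the migration the ASN-only policy blocks the malicious host but also the legitimate customer sharing AS64500; after the migration it keeps blocking that legitimate customer while the malicious host in the moved range is allowed through. The prefix-and-IP policy gives the same answer in both routing views, which is the behaviour a defender wants when BPH ranges are being rotated between ASNs, at the cost of having to keep the prefix and IP lists current.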
