A BPH provider is an internet infrastructure provider that knowingly leases infrastructure to cybercriminals. These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services. The guide provides recommendations to reduce the effectiveness of BPH infrastructure while minimizing disruptions to legitimate activity.
Key Recommendations for ISPs and Network Defenders:
- Curate malicious resource lists: Use threat intelligence feeds and sharing channels to build lists of malicious resources.
- Implement filters: Apply filters to block malicious traffic while avoiding disruptions to legitimate activity.
- Analyze traffic: Monitor network traffic to identify anomalies and supplement malicious resource lists.
- Use logging systems: Record Autonomous System Numbers (ASNs) and IP addresses, issue alerts for malicious activity, and keep logs updated.
- Share intelligence: Collaborate with public and private entities to strengthen cybersecurity defenses.
Additional Recommendations for ISPs:
- Notify customers: Inform customers about malicious resource lists and filters, with opt-out options.
- Provide filters: Offer premade filters for customers to apply in their networks.
- Set accountability standards: Work with other ISPs to create codes of conduct for BPH abuse prevention.
- Vet customers: Collect and verify customer information to prevent BPH providers from leasing ISP infrastructure.
CISA and its partners urge ISPs and network defenders to implement these recommendations to mitigate risks posed by BPH providers. By reducing the effectiveness of BPH infrastructure, defenders can force cybercriminals to rely on legitimate providers that comply with legal processes. For more information, visit the full guide.
https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-releases-guide-mitigate-risks-bulletproof-hosting-providers