Bulletproof hosting refers to web hosting services that ignore or evade law enforcement requests. This guide explores the implications of bulletproof hosting for cybersecurity, including its role in facilitating cybercrime.
Learn about the characteristics of bulletproof hosting providers and how they operate. Understanding bulletproof hosting is essential for organizations to recognize and combat the infrastructure behind cyber threats.
For business leaders who understand the real challenges of today’s online world, it’s no surprise that there are large global networks that can provide havens for hackers and cybercriminals. However, it’s hard for many top career professionals to recognize these cybercriminal safe houses amid the flurry of websites they likely surf on a daily basis. Moreover, business professionals are likely unaware of the impact these sites have on their company’s security strategy.
To better understand cyber threats facing businesses, it’s important to know where these attacks originate.
What is Bulletproof Hosting?
Security experts use the term “bulletproof hosting sites” to refer to hosting services that are considerably lenient about the kinds of material they allow their customers to upload and distribute. One way to understand this is to contrast it with a typical ISP that is strictly regulated by a national government. Credible and legitimate hosting providers often have a laundry list of rules dictating what customers can and cannot do on the Internet. They respond to regulator challenges, and comply with national laws.
Many of the bulletproof hosting sites are starkly different. They don’t have the same scruples or the same rules. Communications from regulators might go straight into the trash can.
What this means for the security community is that companies and government offices have to guard themselves well against these shadowy networks, and the hacking agencies they host.
Why Enforcement is Difficult
Many bulletproof hosting sites are maintained in countries that aren’t subject to the same regulatory structure as the United States, making them an even greater threat. Bulletproof hosting sites are often traced back to Eastern European countries, or to operations in Russia or China, in places where government agencies are unlikely to be knocking their doors down.
Because they are located in these countries, they can be fairly insulated from legal action coming from countries like the U.S., which means U.S. companies affected by their customers won’t have much of a legal remedy.
Even where law enforcement is fairly effective, some of these bulletproof site operators can bribe officials or otherwise shield themselves from regulatory action.
Another obstacle is the use of modern tools like Tor and VPN technologies. Networks can use these kinds of tools to make themselves anonymous and less trackable over the Internet. This may also make it harder for security advocates to act against bulletproof hosts and their customers.
Enhance Your Threat Intelligence
See how the SentinelOne threat-hunting service WatchTower can surface greater insights and help you outpace attacks.
Learn MoreBulletproof Hosters at Work
Some of the big cases reported in security bulletins and authoritative online sites show the power that bulletproof hosting sites can have, and the difficulty that the security community can has in identifying, containing and controlling them.
An August post at Krebs on Security called “The Reincarnation of a Bulletproof Hoster” provides a real and disturbing example of what bulletproof hosting is and how it can work. The post discusses an interesting case where security firm Trend Micro was said to have pulled punches in naming a hosting firm called HostSailor.com, which experts have tied to Russian cyberespionage campaigns. Reports on the host’s operations (with disclaimers as to identity) show activities like spear-phishing campaigns and credential phishing activities, often directed at government agencies, and other types of seedy international activities.
Krebs on Security also details some of the investigative work that was done in this case such as WHOIS registration record investigations and domain documentation, along with a kind of back-and-forth that shows that a spokesperson for the bulletproof network in question is not backing down, but suggests that his site has the backing of powerful government agencies.
Consequences for Business
If governments can’t work to take down all of the bulletproof hosting and dark web sites that allow malware, phishing and data leaking attacks, what can businesses do?
Because cybercrime is unenforceable in so many cases, businesses have to address it within their own networks. That means taking more than just a perimeter approach to securing a network. It means a multi-segmented security campaign complete with vibrant endpoint protection and proactive threat monitoring.
SentinelOne’s next generation endpoint and server protection solution contemplates the range of threats that businesses are likely to see, and uses state-of-the-art technology to deploy network monitoring and tracking tools that will preempt a wide spectrum of cyberattacks. Our security goes beyond just antivirus and malware — using a deeper approach to network observation, these security architectures defend clients against all of those faceless attackers moving around the global Internet, and operating from places where law enforcement really can’t go.
Bulletproof Hosting FAQs
A bulletproof host is a hosting service that turns a blind eye to criminal activity. Operators rent out infrastructure for malware, phishing, and other attacks, ignoring takedown requests and abuse complaints. They’ll keep your malicious content online as long as you pay and rarely cooperate with law enforcement or security vendors.
Bulletproof hosts ignore complaints and don’t care about what’s on their servers. They’ll provide services to anyone, no questions asked. Regular hosting providers remove illegal or abusive content when notified, while bulletproof hosts keep it up, move it around, and even help attackers evade detection or shutdowns.
You should block network traffic to and from known bulletproof hosting IP ranges. Use threat intelligence feeds, firewalls, and intrusion detection systems to watch for connections to these hosts. Keep your software patched, monitor outbound connections, and don’t let your users access suspicious websites linked to bulletproof infrastructure.
Threat intelligence platforms like SentinelOne, firewalls with reputation filtering, and DNS filtering services can flag traffic to bulletproof hosts. You can use commercial threat feeds to keep your blocklists up-to-date. SentinelOne’s network monitoring and SIEM solution can also help track suspicious or malicious communications.