What Is Bulletproof Hosting?

Bulletproof hosting is hosting that is deliberately resistant to abuse complaints, takedown notices, and law-enforcement requests. Operators advertise tolerance for content that mainstream providers remove — phishing kits, malware C2, spam infrastructure, illegal content — usually by operating in jurisdictions with weak enforcement and aggressive customer protection.

How Bulletproof Operations Work

A bulletproof provider may run its own ASN and IP space or, more commonly, resell space leased from upstream networks that don't ask questions. Customers pay a premium (sometimes 5-10× regular hosting) for the assurance that abuse reports won't lead to takedowns within hours.

Common Tactics Used by Operators

  • Operating in jurisdictions known for slow legal cooperation.
  • Routing through multiple shell companies to obscure ownership.
  • Frequent re-allocation of IP ranges and re-routing of prefixes.
  • Mixing legitimate customers with abusive ones to make blanket blocking expensive.
  • Offering DDoS protection, anonymous payment, and operational secrecy as features.

How Defenders Detect Bulletproof ASNs

No ASN advertises itself as bulletproof on a public website. Defenders infer it from behavior:

  • Disproportionate concentration of threat-feed listings.
  • Long takedown times for confirmed-malicious hostnames.
  • BGP routing instability — frequent prefix flapping or hops between upstreams.
  • Customer overlap — the same registrant emails or hosting profiles recur across malicious domains.
  • Abuse contact emails that bounce or never respond.

The Limits of ASN Reputation

ASN reputation is a useful prior, not a verdict. Even bulletproof networks host some legitimate customers; even reputable networks occasionally host malicious content. Reputation works best when combined with ground-truth signal on the specific hostnames or IPs in question.
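
The behavioral signals listed above, and the point that ASN reputation is a prior rather than a verdict, can be sketched as follows. This is an added example, not Whisper's scoring or any code from this page: the field names, weights, caps and thresholds are illustrative assumptions, and the sample data is constructed using AS numbers from the documentation range.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class AsnObs:
    """Constructed per-ASN observations over one review window (hypothetical fields)."""
    asn: int
    hostnames_seen: int
    hostnames_flagged: int   # present in at least one threat feed
    takedown_hours: list     # report-to-offline time for confirmed-malicious hosts
    upstream_changes: int    # upstream switches observed in BGP
    abuse_sent: int
    abuse_answered: int

def asn_prior(o: AsnObs) -> float:
    """Blend the behavioral signals into a 0..1 prior. Weights and caps are assumptions."""
    flagged = min((o.hostnames_flagged / max(o.hostnames_seen, 1)) / 0.2, 1.0)
    slow = min(median(o.takedown_hours) / 720, 1.0) if o.takedown_hours else 0.0
    churn = min(o.upstream_changes / 6, 1.0)
    silent = 1 - o.abuse_answered / o.abuse_sent if o.abuse_sent else 0.0
    return round(0.4 * flagged + 0.25 * slow + 0.15 * churn + 0.2 * silent, 3)

def triage(prior: float, host_confirmed_malicious: bool, host_feed_hits: int) -> str:
    """The ASN prior only shifts thresholds; host-level ground truth decides."""
    if host_confirmed_malicious:
        return "block"       # holds even on a reputable network
    if host_feed_hits >= 1 and prior >= 0.6:
        return "block"       # weak host signal plus a bad neighborhood
    if host_feed_hits >= 1 or prior >= 0.6:
        return "review"      # a bad ASN alone never blocks a clean host
    return "allow"

# Constructed sample data; AS64496 and AS64497 are documentation ASNs (RFC 5398).
SAMPLES = [
    AsnObs(64496, 2000, 520, [400, 900, 1500], 7, 50, 1),
    AsnObs(64497, 90000, 270, [3, 6, 12], 0, 40, 38),
]

if __name__ == "__main__":
    for obs in SAMPLES:
        p = asn_prior(obs)
        print(obs.asn, p, triage(p, False, 0), triage(p, True, 0))
```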

Bulletproof Hosting in Whisper

Whisper scores ASNs based on the actual behavior of the prefixes they announce — concentrations of malicious hostnames, threat-feed presence, takedown latency, hosting churn. Analysts query the graph for "ASNs hosting more than X% of currently-flagged C2 domains" and the answer is one Cypher query.