Bulletproof hosting (BPH) providers are a staple in adversaries’ toolkits, offering access to shared infrastructure where abuse complaints are willfully ignored. These services provide attackers with vast pools of leased IP addresses to mask their true origin, a tactic essential for launching automated attacks like credential stuffing against Identity and Access Management (IAM) systems.
The Joint Ransomware Task Force (JRTF) recently published a guide for how network defenders can manage traffic from these services. While Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers, is aimed broadly at network defenders, tracking adversary infrastructure also provides critical signals for IAM teams — specifically those prote…
Bulletproof hosting (BPH) providers are a staple in adversaries’ toolkits, offering access to shared infrastructure where abuse complaints are willfully ignored. These services provide attackers with vast pools of leased IP addresses to mask their true origin, a tactic essential for launching automated attacks like credential stuffing against Identity and Access Management (IAM) systems.
The Joint Ransomware Task Force (JRTF) recently published a guide for how network defenders can manage traffic from these services. While Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers, is aimed broadly at network defenders, tracking adversary infrastructure also provides critical signals for IAM teams — specifically those protecting customer-facing applications from fraud and abuse.
Auth0’s Unique Insight
Because Auth0 secures billions of login transactions daily across thousands of diverse global enterprises, we have a privileged view of emerging threats that smaller providers cannot achieve in isolation. We use this visibility to evaluate the historical reputation of these networks, called Autonomous Systems (ASes), based on real-world attacks against our tenants.
Auth0’s Threat Intelligence Powers Up Your Defense
Bot Detection: Auth0 bot detection incorporates network reputation as a feature input for its machine learning models. When a login or signup request arrives, Auth0 bot detection evaluates the request utilizing the historical reputation of the network it originates from. If an AS is flagged for high abuse rates — common with BPH providers — the model automatically increases the risk score for that request, which increases the probability of triggering a CAPTCHA challenge before a login or signup is even performed.
Actions and Adaptive Multi-factor Authentication (MFA): For teams that need explicit control, AS reputation signals are exposed via the Untrusted IP Assessment in Adaptive MFA. Developers can build custom logic using Auth0 Actions to specifically target traffic classified under category: abuse , category: reputation or category: anonymizer. This allows developers to create rules, like requiring step up MFA specifically for users connecting from low-reputation ASes, while reducing friction for users on more trustworthy networks.
Protect Against BFH: Secure Your Tenant With Auth0 Actions!
Customers that have bot detection already benefit from our view into the behavior of abuse-prone networks simply by enabling the feature.
Those subscribed to Adaptive MFA can leverage our Untrusted IP threat intelligence data to manage traffic from malicious networks using Actions. The confidence rating can be used to lower the risk posed by bots operating on BPH providers. Below is an example of how you can use untrusted IP to block requests from addresses that are known to host malicious traffic.
exports.onExecutePostLogin = async (event, api) => {
const untrustedIP = event.authentication?.riskAssessment?.UntrustedIP;
if (untrustedIP.code === 'found_on_deny_list' || untrustedIP.details.category === 'abuse') {
console.log('User is deemed high risk.');
//This will revoke session cookies to deny login.
api.session.revoke('Session revoked, user is from a denied IP or has bad IP reputation.');
}
};
Ultimately, reducing the bulletproof hosting provider advantage requires an intelligence-driven identity security fabric that adds a layer of protection before, during and after the login experience. Your identity security journey starts with signing up for a free Auth0 account.
These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta’s contractual assurances to its customers can be found at okta.com/agreements.