by Slade1 1693 days ago
If you're aware that someone is doing penetration tests on your system, but their probing isn't significantly costing you resources, wouldn't you instead just give some generic response to not clue them into you knowing their intention? There's a lot of people who basically do that with scam callers by just leading them on and wasting the scammers time.
4 comments

I used to do something along this line. If I saw a bot then I would use ACLs in haproxy to serve up some static pages from memory that contained strings their request was looking for. This of course attracted more bots. It didn't cost me anything aside from making my logs a bit more noisy, so I disabled logging for the bots. Then I found a funny side effect of Shodan showing my nodes being vulnerable to many things. That was a blemish so I disabled the ACLs. In hindsight and knowing how bot farms work it wasn't really wasting anyone's time or resources but was a fun little learning exercise.
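The haproxy setup the comment above describes, written out as an added example (not the commenter's actual configuration): requests matching scanner fingerprints get a static decoy page served from memory and their log lines are silenced, everything else reaches the real backend. The fingerprints, the decoy file path and the backend address are assumptions; it needs haproxy 2.2 or later for `http-request return`.

```haproxy
# Added example, not the commenter's config. Assumes haproxy >= 2.2,
# a decoy page at /etc/haproxy/decoy.html and an app listening on 127.0.0.1:8080.
frontend web
    bind :80
    mode http

    # Constructed scanner fingerprints: paths only vulnerability bots ask for
    # on this site, plus a few well-known scanner User-Agent substrings.
    acl scanner_path path_beg -i /wp-login.php /phpmyadmin /.env
    acl scanner_ua   hdr_sub(User-Agent) -i nikto masscan zgrab
    acl is_scanner   path_beg -i /wp-login.php /phpmyadmin /.env
    acl is_scanner   hdr_sub(User-Agent) -i nikto masscan zgrab

    # Keep the access log quiet for matched requests (the "noisy logs" issue).
    http-request set-log-level silent if is_scanner

    # Answer from haproxy itself: the file is loaded into memory at startup,
    # so the decoy costs no application resources. Keep the decoy page
    # generic; a page that imitates a vulnerable banner is exactly what
    # internet-wide scanners such as Shodan will index and report.
    http-request return status 200 content-type "text/html" file /etc/haproxy/decoy.html if is_scanner

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080
```

Two acl lines with the same name are OR-ed together, so `is_scanner` matches on either the path or the User-Agent; the two separately named acls above are kept only to make the two conditions easy to test on their own.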
I wonder if zip-bomb-like responses will still work for the majority of bots.

https://blog.haschek.at/post/f2fda

Maybe sometimes, but you would just be the reason some random person said "Dammit my machine blue screened again." or "Why is my machine using so much RAM?" The C2 machines would detect this node offline and use a different one. On the plus side, maybe a percentage of those people would re-image their machines and patch them.
Send them redirects to a Russian governmental site. They'll take care of it.
This could be seen as abuse by the .ru and .su folks.
Those folks have been actively abusing international laws, sponsoring cybercrime, and responding with “so what?”

That’s what. Deal with it. Build your enclosed cheburashka internets or whatever. I couldn’t care less about hurting their feelings.

Redirect to a honeypot as a service that utterly wastes someone’s time.
You could, but it's extra work to build that into the application while you could use a generic off-the-shelf WAF / IDS type solution that just blocks them. Won't fully stop a targeted manual attack but it is enough to make bots move on to their next target. And it slows down any manual reconnaissance work.
Blocking someone is still more generic than returning a specific HTTP response code specifically designed to inform the other party of your suspicion.