[SideburnsOfDoom]

The only problem that I can see is that "overwhelming a bad actor with bogus responses" is a subset of "overwhelming an actor with bogus responses". If this automated technique gets pointed at a legitimate business through error, malice or trickery (as per http://en.wikipedia.org/wiki/Swatting ) then that would be rather bad.

[bediger4000]

I agree. But it takes a large number of individual web site administrators to get upset enough to configure HTTP servers to send bogus responses to overwhelm. That's the idea's greatest problem, and the factor that keeps the idea from being employed on legit businesses.

In the case of web servers, the bad actors like Ahrefs often ask for things vaguely like known security problems - issues in PHP based BBS for example. Ahrefs asks for something and they get some data back. Is it my fault that they don't get back data with the exact semantics they wanted? No, as I am not a magician.