Bot (91.241.19.84) from Russia has tried to hack my site every day

4 points by ben-gy over 4 years ago

I'm using Sqreen (in app WAF) and Cloudflare to protect my site.

I've recently noticed a bot using a Russian IP address 91.241.19.84 that has tried to hack my site every day since the 8th of November (1.73k requests so far).

Question: is there something more than just blocking the requests that can be done?

Is it legal/possible to hire an ethical hacking company that can go on the offensive against these malicious actors to rack up server expenses for the hackers running the bot or some other lightweight, non-lethal deterrent?

There's a current trend happening with people building API phone call bots designed to flood call scam centres. Is there an equivalent of this for web bots?

4 comments

schoen over 4 years ago

I'm afraid this is pretty common on the Internet today. I recently set up my own web server and I was a little shocked to look at some of the logs (in terms of the level of malice and persistence, like hundreds of different attacks attempted by a single attacker) even though I had often heard about this phenomenon before.

You could try to complain about the abuse to the SWIP owner of that IP address space in whois. Note that some ISPs and countries may not care much. Perhaps this bot is already deliberately hosted in one that doesn't care.

Also maybe consider using something like fail2ban, a leading tool for automating some attack-bot blocking:

https://www.fail2ban.org/wiki/index.php/Main_Page

Although it's a much-debated topic, I don't think that the escalation of "hack-back" is reasonable ethically or even tactically. One important problem is that you don't even know for sure that the apparent origin of the attacks is an entity that's deliberately involved at all. It could be a legitimate server (that someone relies on) that the attacker has previously compromised in order to abuse it to attack you. The main person who suffers if you succeed in a hack-back might be the legitimate operator of that server, who may also be an innocent victim (and might think of *you* as a malicious attacker for trying to disable the server!).
petercooper over 4 years ago

I've had to block Servermania's IP space due to various shenanigans. Due to the large number of IPs involved, I suspect they have a VPN service (that's being abused) as a customer. Being able to narrow it down to a single IP seems a luxury in comparison(!) and I would certainly just block it and move on for now.

*"There's a current trend happening with people building API phone call bots designed to flood call scam centres. Is there an equivalent of this for web bots?"*

That just sounds like a DDoS to me and not something I would advise, because it could get you into trouble.
throwaway19937 over 4 years ago

Bad actors are a fact of life on the Internet and Russian ISPs aren't going to care about this sort of thing.

Cloudflare allows blocking traffic by country, just block all traffic from Russia and get on with your life.
isoblvck over 4 years ago

If you know the IP address and it's the same one just blacklist it...