Comment by shakna

Self-defence is not normally an acceptable reason where technology and law collide.

Let's be frank.

He's serving up malware to potential users who hit too many 404s.

> Awesome! My production implementation of the bomb also looks at 404's and 403's per IP and if there are too many of those it will send the bomb. [0]

This could be exploited by a third party, which makes him complicit.

He targets IP addresses, and as the IPv4 world often shares those, he can attack innocent bystanders who happen to be in the same allocation as a miscreant.

Finally, self-defence is established as denial or dropped connections. As he's intentionally avoided established practice, and developed an attack instead, it becomes undue harm.

Let alone if he attacks someone in a nation that has an extradition treaty, but no concept of this sort of "fighting back".

[0] https://www.reddit.com/r/PHP/comments/6lfl6p/i_have_created_...