Comment by tetha

3 years ago

As scary as it can be, yes. It's similar to strategy games at a point - sometimes it's better to let the enemy push you around for a bit as long as nothing important is damaged. I don't really care if I have to scale up the LBs a bit to handle all of the requests for some time. However, this allows your attacker to commit more of their resources, so you can block and ban more once you react, or so you can learn more about their behavior, so you can mislead, slow-loris and generally mess with them more effectively.

There have also been funny DEF CON talks about messing with attackers like this, by returning all kinds of messed-up return codes, slow-loris'ing the bot, ... I'm kind of wondering if you could SSRF (or rather, CSRF) a bot like this by returning a redirect to e.g. the AWS metadata API... could be a fun topic to mess with.
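The redirect-to-metadata idea in the comment above is, from the other side, exactly the hole a defender closes in any crawler, webhook fetcher or link previewer: a client that follows `Location` headers blindly can be steered into `169.254.169.254` or `fd00:ec2::254`. The example below is added here and is not the commenter's code; it shows a redirect follower that validates every hop's scheme and resolved address before following it. The hostnames, the static DNS table and the response table are constructed so the block runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline. A real client would
# call socket.getaddrinfo() and must check *every* returned address, not just one.
CONSTRUCTED_DNS = {
    "crawl-target.example": "93.184.216.34",          # constructed: ordinary public host
    "metadata.google.internal": "169.254.169.254",    # GCE metadata name -> link-local
    "internal-db.example": "10.0.0.5",                # constructed: RFC 1918 host
}


def resolve_constructed(host):
    """Look a hostname up in the constructed table; unknown names fail closed (None)."""
    return CONSTRUCTED_DNS.get(host.lower())


def redirect_allowed(location, resolve=resolve_constructed):
    """Decide whether a fetcher may follow a Location header.

    Returns (allowed, reason). Only http/https are followed, the host must resolve,
    and the address must be globally routable: this rejects loopback, link-local
    (169.254.169.254, fe80::), RFC 1918, IPv6 ULA (fd00:ec2::254), IPv4-mapped
    IPv6 and the other reserved ranges that ipaddress.is_global knows about.
    """
    parts = urlparse(location)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "no-host"
    try:
        ip = ipaddress.ip_address(host)  # literal IP in the URL
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            return False, "unresolvable"
        ip = ipaddress.ip_address(resolved)
    if not ip.is_global:
        return False, f"non-global:{ip}"
    return True, str(ip)


def follow(url, responses, max_hops=5, resolve=resolve_constructed):
    """Walk a redirect chain over a constructed table url -> (status, location_or_body).

    Returns (last_url, outcome) where outcome is 'final:<status>', 'refused:<reason>'
    or 'too-many-hops'. The starting URL is assumed to have been validated already.
    """
    for _ in range(max_hops):
        status, payload = responses.get(url, (404, None))
        if status in (301, 302, 303, 307, 308):
            ok, why = redirect_allowed(payload, resolve)
            if not ok:
                return url, f"refused:{why}"  # stop at the offending hop, keep the evidence
            url = payload
            continue
        return url, f"final:{status}"
    return url, "too-many-hops"


# Constructed responses: one benign chain, three metadata-style traps, one loop.
CONSTRUCTED_RESPONSES = {
    "http://crawl-target.example/": (302, "http://crawl-target.example/login"),
    "http://crawl-target.example/login": (200, "<html>login form</html>"),
    "http://crawl-target.example/trap4": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://crawl-target.example/trap6": (302, "http://[fd00:ec2::254]/latest/meta-data/"),
    "http://crawl-target.example/trap-dns": (302, "http://metadata.google.internal/computeMetadata/v1/"),
    "http://crawl-target.example/loop": (302, "http://crawl-target.example/loop"),
}

if __name__ == "__main__":
    for path in ("", "trap4", "trap6", "trap-dns", "loop"):
        start = "http://crawl-target.example/" + path
        print(start, "->", follow(start, CONSTRUCTED_RESPONSES))
```

Two things the table cannot show: check every address `getaddrinfo` returns (a hostname can mix public and private records), and connect to the address you validated rather than re-resolving the name, otherwise a short-TTL rebind between the check and the connect defeats the whole filter.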