Comment by imtringued

19 days ago

Obviously the ideal strategy is to perform a reverse timeout attack instead of blocking.

If the bots are accessing your website sequentially, then delaying a response will slow the bot down. If they are accessing your website in parallel, then delaying a response will increase memory usage on their end.

The key to this attack is to figure out the timeout the bot is using. Your server will need to slowly ramp up the delay until the connection is reset by the client, then you reduce the delay just enough to make sure you do not hit the timeout. Of course your honey pot server will have to be super lightweight and return simple redirect responses to a new resource, so that the bot is expending more resources per connection than you do, possibly all the way until the bot crashes.

> delaying a response will slow the bot down

This is a nice solution for an asynchronous web server. For Apache, not so much.
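The adaptive tarpit the first comment sketches (ramp the delay until the client resets, then hold just under that), written as an added example rather than code from either commenter. It is an asyncio server, which is the reply's point: each waiting connection costs the honeypot a coroutine rather than a worker process or thread. Everything here is assumed: the controller's `step`/`cap`/`safety` tuning values, the `/next` redirect target, and the 5-second cap on reading the request head.

```python
"""Adaptive tarpit honeypot: ramp the response delay toward the client's
timeout, back off once a reset is observed, answer with a cheap redirect."""
import asyncio
from dataclasses import dataclass
from typing import Optional


@dataclass
class DelayController:
    """Tracks how long clients tolerate waiting and picks the next delay.

    The tuning values below are assumed defaults, not taken from the thread."""
    step: float = 0.5            # seconds added per fully served response while probing
    cap: float = 120.0           # never wait longer than this, even if nothing resets
    safety: float = 0.8          # sit at this fraction of the observed timeout
    delay: float = 0.0           # delay applied to the next connection
    observed_timeout: Optional[float] = None  # shortest time-to-reset seen so far

    def next_delay(self) -> float:
        return self.delay

    def on_completed(self) -> None:
        """Client waited out the full delay: keep probing upward until a reset is seen."""
        if self.observed_timeout is None:
            self.delay = min(self.delay + self.step, self.cap)
        else:
            self.delay = self.observed_timeout * self.safety

    def on_reset(self, elapsed: float) -> None:
        """Client hung up after `elapsed` seconds: treat that as its timeout and back off."""
        if self.observed_timeout is None or elapsed < self.observed_timeout:
            self.observed_timeout = elapsed
        self.delay = self.observed_timeout * self.safety


def redirect_response(location: str) -> bytes:
    """Smallest useful reply: send the client on to yet another tarpit URL."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


async def wait_for_hangup(reader: asyncio.StreamReader) -> None:
    """Return when the peer closes or resets; extra request bytes are drained and ignored."""
    try:
        while await reader.read(4096):
            pass
    except ConnectionError:
        pass


async def tarpit_connection(reader, writer, ctrl: DelayController, target: str = "/next") -> None:
    loop = asyncio.get_running_loop()
    start = loop.time()
    try:
        # Read the request head only; a client that never finishes it is dropped quickly.
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=5)
    except (asyncio.TimeoutError, asyncio.IncompleteReadError, ConnectionError):
        writer.close()
        return

    delay = ctrl.next_delay()
    hangup = asyncio.ensure_future(wait_for_hangup(reader))
    sleeper = asyncio.ensure_future(asyncio.sleep(delay))
    done, _ = await asyncio.wait({hangup, sleeper}, return_when=asyncio.FIRST_COMPLETED)

    if hangup in done:
        # Client gave up during the wait: the elapsed time is our timeout measurement.
        sleeper.cancel()
        ctrl.on_reset(loop.time() - start)
    else:
        hangup.cancel()
        try:
            writer.write(redirect_response(target))
            await writer.drain()
            ctrl.on_completed()
        except ConnectionError:
            ctrl.on_reset(loop.time() - start)
    writer.close()


async def serve(host: str = "127.0.0.1", port: int = 8080) -> None:
    ctrl = DelayController()  # one shared controller; per-client state would be the next refinement
    server = await asyncio.start_server(lambda r, w: tarpit_connection(r, w, ctrl), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

The controller only ever lowers its timeout estimate, so one patient client cannot talk it into waiting longer than the impatient ones tolerate; the `safety` margin is what keeps the delay short of the reset the comment warns about. Pointing `target` at another path on the same server is what makes each redirect cost the client a fresh connection and another wait.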