One of my websites is under a brute attack.

If I were to redirect failed logins to an illegal website (drugs, child pornography, terrorism support, etc...), will the feds come after me? Or will they go after the attacker?

I'm more concerned you have these places bookmarked 😏

As for your brute attack... shouldn't you have some kind of protection in place?

Can you post those sites for educational purposes?

@C0D4 @trickory
I don't need to bookmark those websites. I can bookmark Google searches and send the attacker to the search pages.

My site is secure. Even if you get past the login page, then you'll need to have a client certificate.

You risk sending legitimate users who failed a login to some very bad websites.
Also, any of those redirections are traceable to you, so now the question will be "why are you sending your users to some very shady websites?"

Best solution: implement your site in such a way that it can't be bruteforced.
Temp solution: try banning the ip addresses of the attacker(s)

@endor
You take all the fun out of it... 😕

@FuckJava sadly, that's the world we live in :(
So much cool technology ruined by idiots with bad intentions

@endor
I might provide a honey pot for people who use wrong credentials... With random credit card numbers, wrong email and physical addresses, phone numbers, etc.

@FuckJava now that's a good idea! And log all their activity too.
Wish there were no legal consequences to striking back, the web would be a much more interesting place

@endor
Yes I wish it was like Ghost in the Shell where the firewalls would electrocute attackers

Fail2Ban, yo.

@Root It's no fun if you ban them

@irene
True. I'm talking about getting back to people who are trying to break into my awesome website... It's lame to show a 403 error.

@theKarlisK
I might return a 418. I'm already behind CloudFlare.

@FuckJava so show a 200 instead 😁 only if 5 times in a row wrong creds have been enter, for the next 5 mins return 200 to that ip everywhere 😁

Or a 302 to localhost 😁

Slowing down the attacker might help, any IP which produces more than $m$ incorrect logins in $x$ time gets their responses at a speed of one byte every 10 seconds or so…

@SomeNone
You realise that clogs my resources as well, right?

@FuckJava Only the available ports. If you run low on ports, you can always just abort any slowed-down conversation. Though I agree it would probably a bit challenging to configure that correctly.

@theKarlisK
I'm using a server I wrote myself

@theKarlisK
Why is everyone taking this seriously? This brute attack is not something g I can't manage... Maybe 2000 failed attempts per second tops. I just wanted to have fun at their expense...

@theKarlisK

I thought it was obvious when I mentioned drugs, etc...

@Nanos
I'm trying to act like US of A. When soldiers from North Vietnam, or even VCs threw one rocket, US would carpet bomb them. Problem is, US lost...