Should hack-back be legal?

Original link: https://speculumx.at/blogpost/should-hack-back-be-legal

Automated scanning for sensitive files such as `.env` and `.git` is a common server security problem. A tempting countermeasure, serving those files padded with huge amounts of junk data to waste the attacker's resources, is legally problematic. Laws in the United States, Germany and Austria generally prohibit intentionally interfering with *any* computer system, even one that is attacking yours; the "they started it" defense does not apply. This is comparable to setting a booby trap and can carry criminal penalties.

While "tarpitting" (drastically slowing down a connection) is a legally safer option, it is increasingly ineffective against sophisticated distributed scanning. A more robust defense requires a layered approach: rate limiting, geo-blocking, a WAF and threat intelligence.

A key issue is the asymmetry of the legal framework. Legitimate web crawlers do not scan for `.env` files, but current law makes no such distinction, which hinders active defense. Exploring a refined legal standard that permits proportionate responses to *specifically malicious* scanning could return the advantage to defenders, but this remains an unresolved challenge.

A Hacker News discussion centered on the legality of "hacking back": actively attacking countries that permit widespread fraud. One user argued that for countries such as Laos, where fraud accounts for a large share of GDP, such action is justified, framing it as digital privateering in response to an existing attack.

Commenters, however, pointed out the complexities. Some countries *permit* this activity because their corrupt governments are tied to organized crime and strategic alliances (for example, China's relationships with Cambodia and Laos). Others highlighted the potential for abuse, arguing that individuals might use compromised systems as proxies to disguise their own actions, making attribution difficult.

Ultimately, the conversation acknowledged the inherent problems of self-defense in the digital realm, and the practical challenges of pursuing such action even where the law permits it.

Original article

Browsing through server logs and fail2ban notifications is routine work. A significant portion of incoming requests are automated probes targeting .env and .git files: endpoints that, if exposed, would reveal database credentials, API keys, and internal configuration data.

At some point, the thought occurred to me: what if I played along? Serve a convincing .env or .git file, but pad it with a terabyte or more of junk data and let the scanner process that. After a bit of research, it became clear that the law sees things differently.


The Legal Reality of Hack-Back

In most jurisdictions, intentionally disrupting or damaging a third-party computer system is illegal, regardless of what that system was doing to yours first. Relevant statutes include:

  • § 303b StGB (Germany) and § 126b StGB (Austria): Both prohibit intentional disruption of computer systems, with penalties ranging up to several years' imprisonment.
  • Computer Fraud and Abuse Act (CFAA, USA): Prohibits the intentional transmission of data that causes damage to a protected computer, a definition broad enough to cover virtually any internet-connected system, regardless of geography.

The core principle across all three: the law protects systems, not their operators' intentions. The moment a defensive measure extends beyond protecting your own infrastructure and begins impairing someone else's system, you become liable, even if that system was actively probing yours.

The "they started it" defense doesn't hold. Legally, it's comparable to a booby trap: deliberate, premeditated, and designed to cause harm to whoever triggers it. Courts have consistently found that provoking a harmful automated response does not transfer culpability to the party that triggered it.

Attribution complicates this further. Many malicious scans originate from compromised third-party systems, botnets running on servers or devices whose legitimate owners have no knowledge of the activity. A terabyte-sized trap would not harm the attacker; it would harm an innocent victim's infrastructure. That said, there is at least one unintended benefit: the download attempt would likely alert the compromised system's owner that something is wrong. The law accounts for the broader risk, which is part of why it is written so broadly.


Tarpitting and Its Limits

The legally sanctioned alternative most often recommended is tarpitting: deliberately throttling a connection to an extreme degree, say one byte per second, so the scanner's thread or socket remains occupied indefinitely without receiving anything useful. The scanner waits, consumes its own resources, and eventually times out.

Tarpitting works well against naive, high-volume bots, but several attack patterns reduce or eliminate its effectiveness. Distributed botnet scans rotate across thousands of IPs, so neutralizing one node has no meaningful impact on the operation as a whole. Many modern scanners are configured with aggressive timeouts and simply abandon slow connections within seconds. A persistent attacker who gets blocked will switch to new IP ranges and resume, making reactive banning inherently one step behind. Scanners that replicate legitimate browser headers or rotate user agents are also difficult to distinguish from genuine traffic, which limits how aggressively any single countermeasure can be applied.

These limitations point toward a layered approach rather than reliance on any single technique. Rate limiting at the network level (not just per IP), geo-blocking for regions with no legitimate user base, JS challenges or CAPTCHAs on sensitive endpoints, Web Application Firewalls (WAF) with scanner fingerprint detection, and proactive threat intelligence feeds for blocking known malicious ASNs collectively address the gaps that tarpitting and IP banning leave open. None of these measures eliminates the underlying problem, but in combination they raise the cost and complexity of sustained scanning significantly.
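As an added example (not code from the original post), the following Python sketch pulls the `.env`/`.git` probes described in the opening paragraph out of access logs and counts them per /24 network instead of per IP, which is the network-level rate limiting this paragraph calls for and which a rotating scanner would otherwise slip under. The log lines, path patterns, window and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx/Apache-style access log lines (sample data, not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:12:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2025:12:00:03 +0000] "GET /.env.bak?x=1 HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
this line is not a log entry
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) ')
# Paths no legitimate crawler has a reason to request on an arbitrary third-party server.
SENSITIVE_PATH = re.compile(r"^/(\.env(\.[\w.-]+)?|\.git(/.*)?)$")


def parse_line(line):
    """Return (timestamp, ip, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, ipaddress.ip_address(m["ip"]), m["path"].split("?", 1)[0]


def flag_probing_networks(log_text, window=timedelta(minutes=5), threshold=3, prefix=24):
    """Return the set of /prefix networks whose sensitive-path probes reached the
    threshold inside a sliding time window, so a throttle or block can target the
    whole range instead of trailing one rotating IP. Assumes a chronological log."""
    hits = defaultdict(list)  # network -> timestamps of probes seen within the window
    flagged = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if not SENSITIVE_PATH.match(path):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        times = hits[net]
        times.append(ts)
        while times and ts - times[0] > window:  # expire probes older than the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(str(net))
    return flagged
```

With the sample data, the three probes from 203.0.113.10-12 trip the /24 threshold although no single IP sends more than one request; with `prefix=32` (per IP) nothing is flagged, which is exactly the gap the paragraph describes.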


An Unresolved Legal Question

The current legal framework has a structural asymmetry worth examining. Legitimate use cases, including security research, web archiving, and search engine crawling, can be distinguished from credential scanning by scope and target: no valid automated process needs to probe arbitrary third-party servers for .env or .git files. A legal framework that defined this class of request precisely could, in principle, permit server operators to apply more assertive technical responses without exposing themselves to liability, while still protecting legitimate scanners and innocent compromised systems from indiscriminate countermeasures.

The question I find myself returning to is whether a more nuanced legal framework, one that permits narrowly scoped, proportionate technical responses under defined conditions, would meaningfully improve this situation. Some jurisdictions are beginning to explore active cyber defense provisions, though none have yet arrived at a workable standard. Until then, the structural advantages remain with the attacker: low cost, easy infrastructure rotation, and minimal accountability, while defenders are legally constrained to passive measures that address symptoms rather than causes.
