Even though not all of us like Microsoft, you still shouldn't do this. The best way to handle this is to send random data at 10b/s and slow down the bots.
It'd be interesting to keep a list of the bots, and randomly redirect the traffic back at them. My first thought was that this would mess up people who unknowingly have a bot on their computer, but then I realized this might actually make them look into getting their computer fixed.
Am I missing something here, or is this actually a decent idea?
I suppose you could always redirect to 127.0.0.1. Maybe even go for a port that's likely to be open on a statistically random compromised system, like 135 (Windows DCOM, can't close it to localhost without breaking like half the system).
Edit: I just tried this in IE on my Win box; the connection even stayed open for a good long time! Firefox blocked it, though, which is probably good.
I doubt these bots can handle the redirect request. Its js and I don't see why someone would code to support it. Maybe someone better informed than me can say whether curl or wget respect redirect by default.
Just throw the request away or return a 404 at the load balancer level.
If you're on Apache use mod_security, if you're not put Varnish in front and configure it to return simple 404 errors on such pages.
But don't mod_rewrite, redirect or otherwise throw traffic onto someone else's server, let alone one that will result in a traffic cost for them.