Open Question to Legal Analysts

1. Open question to computer security law experts:
2.  
3. What does U.S. law say about defensive hacking? For example, if someone keeps trying to hack into a website that I'm in charge of securing using an outdated web browser, what does the law say about hypothetically exploiting their browser to send their true non-proxy-protected IP address to another location? (For example: send a bunch of HTTP requests to ic3.gov /?I-attempted-to-hack-domain.com-on-(timestamp) without going through SOCKS or HTTP proxies).
4.  
5. The reason I've thought of this is as follows:
6. 1. If the malicious hackers' IP address and time are exposed, they will get arrested.
7. 2. If they're using a remote desktop or similar service through a hacked computer to perform their attacks, then the person they infected can be traced back and have their computer fixed (or taken offline) to prevent further damage.
8. 3. In either of the above cases, there will be less annoying script-kiddie cybercrime.
9.  
10. I'm interested in hearing what the law says and allows about this.