But I'd like to enforce a server side delay of, for example, 5
User-friendliness aside, have a look at slapo-retcode.
Probably the right points -- but we all know what's more important than
the users, let's think about *admin* friendliness. I'd like to believe
that my servers are roughly "right-sized", but that means
fractional-second response times. If I started putting even a small amount
of those connections onto 5 second sleeps, things would get very bad in
very short order. This assumes no malice, just the very-very-very regular
batch of users with typos; I'd hate to think how bad this could get under
the active attack you envision.
I suppose you could make your overlay do something heinous like drop the
connection. But never allowing err=49 (or, much worse, disclosing
information by *sometimes* err=49) seems like it would produce other forms