I cannot figure out, how can a random, small sleep delay can be a solution to prevent an attacker from probing our site.
This is his code snippet:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
This is to prevent people constantly triggering your error page and exploiting the recent ASP.NET vulnerability. They need a large number of failures to take advantage of this exploit.
The sleep delay will not ‘prevent’ access to your page. Think of it as being analogous to brute forcing a password; if you have to wait 5 seconds between guesses instead of 5ms, you will take a little more time to find the pw.