asp.net padding-oracle-attack

Thread.Sleep in aspx error page. Why?


In this advisory concerning the oracle padding exploit, Microsoft posted the following recommended error page:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Draw one cryptographically random byte and sleep that many
        // milliseconds (0-255) so the error response time is unpredictable.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RNGCryptoServiceProvider implements IDisposable; release it.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

What's with the Thread.Sleep for some value between 0-255? I don't want my server threads tied up for up to quarter of a second.


Solution

  • The reason is to alter the timing of the result. By making the return take a variable amount of time, you can't use the timing of the error return to determine the reason for failure, which is the approach that is used for the attack.
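An added illustration, not from the advisory or the answer above, of what the random delay does to someone comparing response times. It assumes a constructed model: two error paths 3 ms apart with 0.2 ms of natural noise, the advisory's uniform 0..255 ms delay, and an observer applying a plain z-test to mean timings. It also goes one step beyond the answer to show the delay's limit: with enough samples the means separate again, so the delay raises the cost of timing analysis rather than removing it.

```python
import math
import random

# The advisory's delay draws one random byte and sleeps that many
# milliseconds, i.e. a uniform 0..255 ms delay.
JITTER_MAX_MS = 255


def response_ms(base_ms, rng, jitter):
    """One simulated response time: the code path's fixed cost, a little
    natural noise, and (optionally) the advisory's random delay.
    Constructed model only; nothing is actually slept or sent."""
    t = base_ms + rng.gauss(0.0, 0.2)
    if jitter:
        t += rng.randint(0, JITTER_MAX_MS)
    return t


def distinguishable(base_a_ms, base_b_ms, samples, jitter, seed=1, sigmas=4.0):
    """Could an observer tell path A from path B by comparing mean response
    times over `samples` requests each?  Simple z-test on the difference of
    means (assumption: the observer only sees wall-clock timings)."""
    rng = random.Random(seed)
    a = [response_ms(base_a_ms, rng, jitter) for _ in range(samples)]
    b = [response_ms(base_b_ms, rng, jitter) for _ in range(samples)]
    mean_a, mean_b = sum(a) / samples, sum(b) / samples
    var_a = sum((x - mean_a) ** 2 for x in a) / (samples - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (samples - 1)
    stderr = math.sqrt(var_a / samples + var_b / samples)
    return abs(mean_a - mean_b) > sigmas * stderr


if __name__ == "__main__":
    # Two constructed error paths, 5 ms and 8 ms, i.e. 3 ms apart.
    for n in (20, 100_000):
        for jitter in (False, True):
            verdict = distinguishable(5.0, 8.0, n, jitter)
            print(f"samples={n:>7} jitter={jitter!s:5} distinguishable={verdict}")
```

With 20 samples the 0..255 ms delay hides a 3 ms difference that is obvious without it; with 100,000 samples the averaged timings separate again even with the delay.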