I think that, if you detect a fool play, it would be more wise to block their ip for a certain period. It would be easy just adding their ip in /etc/hosts.deny
(it works for many unix daemons, but I am not sure if it works with java processes too, I think it should work since it's used by the tcp daemon itself). man 5 hosts.deny
at the command line gives some hints (or check this online link).
BTW, I think you can use Thread.sleep()
to pause a servlet, as in any normal java code. But this, would probably cause more request from the same caller to keep open for long time, increasing the active resources that the application server has to allocate and maintain. So if the attacker can work in multithread, possibly this will help him to block your server, as it will hold all the threads for his attack, blocking all other users to access your service.