FYI, I've seen this kind of mitigation in use before and if someone is bruteforcing xmlrpc, the results aren't pretty - you'll end up with all your workers occupied because each call is taking a lot longer. I'd simply no-op an increasing percentage of requests so the workers can finish a request and move onto the next etc.

Thanks for the comment/concern! I get the theory, but I must be missing something: if each attacking node (for example, let's say 50 of them) limits itself to any finite number of simultaneous connections (let's say 5), then regardless of whether you're responding really quickly or really slowly, they're still going to be occupying on average 50 * 5 = 250 workers (or any other finite number) at a time, right? The only situation where this script would cause a logjam (where there wasn't nearly one already) is where the brute force attacker is simply spawning new requests as quickly as it can, not waiting for previous requests to finish. That's no longer someone trying to log in, that's someone trying to take you down. Admittedly, this script does not help with that at all!