How to delay a response in Classic ASP

I am not going to answer your specific question, as many have already done so, but there are far better ways of preventing brute force attacks.

For instance:

  1. Why not lock a specific session or IP address out after say 5 (being generous here) failed login attempts? You could lock it out for say 10 minutes. You could even write a "401 Unauthorized" HTTP status and then simply end the response with Response.End.
  2. In a similar fashion, but not even linked to failed logins, you could block requests for the login page more than X times in Y seconds for a specific IP, UserAgent and other client features - ensuring kind of a 'unique' client.
  3. Ignore IP address (it is easily spoofed and can be a proxy server IP), and simply detect the automation of the login attempt. X number of failed logins within Y seconds for a specific username/email address, block it for that username for a set period of time, and end the response.

Just saying there are other options than putting unnecessary load on your server by locking some resources and waiting.

Obviously, doing this at the hardware layer - firewalls etc. would be the preferred option.
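
One way to implement option 3 from the list above in Classic ASP, as an added example that is not part of the original answers: a fixed-window failure counter per username, kept in Application state. The thresholds, key names and the `EnforceThrottle(userName, credentialsOk)` helper are assumptions made for illustration; `credentialsOk` is the Boolean result of the site's own password check.

```vbscript
<%
' Added example: per-username failed-login throttle (names and values are assumed).
Const MAX_FAILS = 5         ' X: failures allowed per window
Const WINDOW_SECONDS = 60   ' Y: length of the counting window
Const LOCK_MINUTES = 10     ' how long the username stays blocked

Function ThrottleKey(userName)
    ' Normalise so "Bob" and " bob" share one counter.
    ThrottleKey = "loginfail:" & LCase(Trim(userName))
End Function

Function IsLockedOut(userName)
    Dim lockedUntil
    lockedUntil = Application(ThrottleKey(userName) & ":until")
    IsLockedOut = False
    If IsDate(lockedUntil) Then IsLockedOut = (Now() < CDate(lockedUntil))
End Function

Sub RecordFailure(userName)
    Dim key, firstFail, failCount
    key = ThrottleKey(userName)
    Application.Lock    ' serialise updates from concurrent requests
    firstFail = Application(key & ":first")
    failCount = Application(key & ":count")
    If Not IsDate(firstFail) Then
        firstFail = Now() : failCount = 0   ' first failure seen for this name
    ElseIf DateDiff("s", firstFail, Now()) > WINDOW_SECONDS Then
        firstFail = Now() : failCount = 0   ' window expired, start counting again
    End If
    failCount = failCount + 1
    If failCount >= MAX_FAILS Then
        Application(key & ":until") = DateAdd("n", LOCK_MINUTES, Now())
        failCount = 0
    End If
    Application(key & ":first") = firstFail
    Application(key & ":count") = failCount
    Application.Unlock
End Sub

' Call from the login page once the site's own check has produced credentialsOk.
Sub EnforceThrottle(userName, credentialsOk)
    Dim locked : locked = IsLockedOut(userName)
    If Not locked And Not credentialsOk Then RecordFailure userName
    If locked Or Not credentialsOk Then
        Response.Status = "401 Unauthorized"
        Response.End    ' end immediately; no worker thread is held waiting
    End If
End Sub
%>
```

Application state lives in one worker process's memory, so the counters reset on an application recycle, are not shared across a web garden or farm, and grow with every distinct username submitted. A database table with expiry is the more durable store for the same logic.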


There is another approach, but keep in mind the aforementioned caveats about unnecessarily consumed resources. Here is an approach, though:

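Sub DelayResponse(numberOfSeconds)
 ' Block this request by running waitfor on a signal that never arrives; /T is the timeout in seconds.
 Dim WshShell
 Set WshShell = Server.CreateObject("WScript.Shell")
 ' CLng forces a numeric value so nothing else can reach the command line.
 ' The third argument (True) makes Run wait until waitfor times out.
 WshShell.Run "waitfor /T " & CLng(numberOfSeconds) & " SignalThatWontHappen", , True
 Set WshShell = Nothing
End Sub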
