But I'd like to enforce a server side delay of, for example, 5 seconds.
User-friendliness aside, have a look at slapo-retcode.
Probably the right points -- but we all know what's more important than the users, let's think about *admin* friendliness. I'd like to believe that my servers are roughly "right-sized", but that means fractional-second response times. If I started putting even a small amount of those connections onto 5 second sleeps, things would get very bad in very short order. This assumes no malice, just the very-very-very regular batch of users with typos; I'd hate to think how bad this could get under the active attack you envision.
I suppose you could make your overlay do something heinous like drop the connection. But never allowing err=49 (or, much worse, disclosing information by *sometimes* err=49) seems like it would produce other forms of pain.