D-Link attempted to provide some protection against brute-force by delaying the response for three seconds on a bad login. The problem was that the delay only happened on a bad login meaning, so there was a clear timing difference between a good and bad login attempt. It was also only delaying the one connection, so reconnecting once you knew it was bad and trying again worked to bypass the defense.