Anything that uses regular expressions (particularly the RegularExpressionValidator). To see this, run a RegularExpressionValidator with the regex ^(\d+)+$ and give it 30 digits and an alpha character to validate against.
Some posts:
- http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
This is called a Regular Expression Denial of Service attack and it can bring a website to its knees.