Slowloris, created by security researcher RSnake in 2009, is one of the most elegant and devastating DDoS tools ever written. It doesn't send massive traffic volumes. It doesn't require a botnet. A single machine with a moderate internet connection can take down an Apache server entirely.
The Attack Mechanism
Slowloris opens as many connections to the target server as it can and sends only partial HTTP request headers on each one. It periodically sends one more header line, just enough activity to keep the connection from being timed out, but never the blank line that ends the request. The server keeps every connection open waiting for the rest of the request. Apache's default MaxClients (typically 256 concurrent connections) fills up with Slowloris connections, all waiting, and new legitimate connections are refused.
Why It's Hard to Detect
Each individual Slowloris connection is entirely valid: a real TCP connection carrying real HTTP header lines. There's no spoofing, no flood, no amplification. Standard network-level DDoS detection won't trigger, because traffic volumes look normal. Only behavioral analysis — noticing that thousands of connections are hanging in the same state, waiting for headers that never complete — reveals the attack.
Mitigation
- Nginx and HAProxy handle Slowloris much better than Apache due to their event-driven architecture.
- Set aggressive timeout values on the whole header read, not just on idle time between bytes (Slowloris keeps sending lines precisely to reset idle timers): close connections that haven't completed their headers within 5 seconds.
- Limit maximum connections per IP.
- Akarguard's proxy terminates HTTP at the edge — Slowloris connections exhaust proxy connection limits (which are designed for this), never reaching your origin.
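An added model of two of the mitigations above, the header-completion deadline and the per-IP connection cap, together with the "connections hanging in the same state" signal from the detection section. This is illustrative code written for this page, not Akarguard's, Apache's or nginx's implementation; the per-IP cap of 10, the 2-second "hung" threshold and the client addresses are assumed values.

```python
from collections import defaultdict

class HeaderGate:
    def __init__(self, deadline=5.0, per_ip=10):   # per_ip cap is an assumed value
        self.deadline, self.per_ip = deadline, per_ip
        self.pending = {}                   # conn_id -> [ip, opened_at, buffer]
        self.per_ip_count = defaultdict(int)

    def open(self, conn_id, ip, now):       # accept, or refuse when the IP is at its cap
        if self.per_ip_count[ip] >= self.per_ip:
            return "refused"
        self.per_ip_count[ip] += 1
        self.pending[conn_id] = [ip, now, b""]
        return "accepted"

    def data(self, conn_id, chunk):         # headers end only at the blank line
        rec = self.pending[conn_id]
        rec[2] += chunk
        if b"\r\n\r\n" not in rec[2]:
            return "partial"
        self._close(conn_id)
        return "complete"

    def tick(self, now):
        # Deadline counts from open(), so dripping extra header lines cannot reset it.
        expired = [c for c, (_, t0, _) in self.pending.items() if now - t0 >= self.deadline]
        for c in expired:
            self._close(c)
        return expired

    def hung(self, now, min_age=2.0):       # behavioural signal: stuck reading headers
        return sum(1 for _, t0, _ in self.pending.values() if now - t0 >= min_age)

    def _close(self, conn_id):
        ip, _, _ = self.pending.pop(conn_id)
        self.per_ip_count[ip] -= 1

def simulate():
    # Constructed scenario: a normal client, and one that drips header lines forever.
    gate = HeaderGate()
    gate.open("good", "198.51.100.7", 0.0)
    good = gate.data("good", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    gate.open("slow", "203.0.113.9", 0.0)
    gate.data("slow", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")
    gate.data("slow", b"X-a: b\r\n")        # t=4: keep-alive line, still no blank line
    hung = gate.hung(4.0)                   # 1: only the slow connection is pending
    closed = gate.tick(5.0)                 # ["slow"]: deadline hit despite the drip
    extra = [gate.open(f"c{i}", "203.0.113.9", 5.0) for i in range(gate.per_ip + 1)]
    return {"good": good, "hung": hung, "closed": closed, "refused": extra.count("refused")}
```

The `hung()` count is the figure to graph or alert on: a normal site has a handful of connections in the header-reading state at any moment, while a Slowloris run shows hundreds sitting there for seconds.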