Slowloris Attack: How it Works, Identify and Prevent

1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5, rated)
Slowloris DDoS attack

What is the Slowloris Attack?

The Slowloris attack is a specific kind of Denial-of-Service (DoS) attack that targets web servers to disrupt their usual work and make them inaccessible to legitimate users.

The term Slowloris is a reference to a slow-moving animal that carries out this particular attack by exploiting the fundamental restriction inherent in the way the HTTP connections are handled by web servers.

The Slowloris attack idea was first described and performed by RSnake, a well-known security researcher who was also the CEO of SecTheory at the time, in 2009. Snake came up with Slow Loris as a proof-of-the-concept method that would demonstrate a new system of carrying out Denial-of-Service (DoS) attacks on web servers.

Sharp contrast was marked when Slowloris was initially introduced as a different kind of Dos technique that was not common then, but rather, it involved flooding the target server with a large number of requests.

On the other hand, Slowloris was designed to take advantage of problems related to the web server software’s performance in managing concurrent connections.

These attacks differed from traditional DoS attacks that launched a high-traffic flood at the server. However, Slowloris attacks are more stealthy, they use the servers simultaneous requests processing mechanism to attack it.

It utilizes the technique of developing multiple connections to the server target but sending HTTP headers extremely slowly. By slowing down the header transmission, the attacker may keep the suitable connections open for long intervals and utilize scarcely any bandwidth.

How does it Work?

To understand how Slowloris works, let’s delve into the typical lifecycle of an HTTP connection:

  • Connection Establishment: A slowloris attack is carried out in a way that invokes multiple simultaneous connections to the target web server. These connections can be the result of a single attacked machine or the entire system that can accommodate many computers, which depends on the level of the attack.
  • Server Processing: Once he gets the request, the server processes the details and answers back with the requested content (e.g., web page, image, or file).
  • Connection Closure: Thereafter, the server sends the response, the client’s connection is closed, and the content they require is retrieved.

Slowloris disrupts this process by starting plenty of connections to the target server at the time when only HTTP headers are sent at a slow pace. The intruder does not send out complete requests now, he sends part of the HTTP headers in small bits so that they remain open as long as possible with each connection.

This following effect can be explained through pinning down the activities of those resources like thread pools, memory and network connections. As the server absorbs the demand of its limited supply gradually, it will come to a point where it cannot even bear requests from authentic users.

Consequently, the end-users of the targeted website have either total loss of service or experience slow response time which denotes any legitimate visitor.

As such, Slowloris mechanics are focused on overloading the server, the way it consumes incoming connections and constantly bombarding it with partial HTTP requests. As these connections take too long to establish, the server consumes the exiguous resources for legitimate users.

Signs to Identify the Slowloris Attack

Distinguishing a Slowloris attack should be recognized as one of the important measures that need to be taken quickly to reduce its negative effects on the availability and performance of a web server.

Slowloris Attacks are being executed with stealth and deception hence these cannot be detected easily by the normal security procedures.

Nonetheless, some distinctive features and indicators can always help web servers to detect the presence of Slowloris attack. Let’s explore these signs in detail:

1. Gradual Degradation in Performance

With any continuing Slowloris assault, there is a clear decrease in the performance of the affected web server among the key indicators of a Slowloris attack. In the initial phase, the server may be able to respond to the requests for legitimate users at a normal speed.

In the beginning, this is hardly perceivable but as the attack continues and the number of open connections rises; the server’s speed drops and eventually becomes sluggish.

Users can experience problems with the web pages’ loading (lags or frequency of the same), slow page load times, and timeouts while trying to interact with the server software.

2. Abnormal Traffic Patterns

Consequently, Slowloris DDoS (Distributed Denial of Service) Attacks tend to use traffic signals that are different from those usually encountered during active user activity.

Recommended: 7 Largest DDoS Attacks in the History

The network flow may be monitored by using special tools or intrusion detection systems(IDS), and the unusual activities that look like the SlowLoris attack will be detected.

This could be demonstrated through the growing number of established connections to the main server, the increased duration of such connections, or a higher number of long-term requests with delayed transmission velocity.

3. Long-Duration Connections

In the case of usual HTTP links, which time is only short and transient, links last for a pretty long time. Slowloris’s approach here is through partial HTTP requests that are sent at a dangerously slow speed, which eventually prevents easy server overloading and hence leaves it exposed to several attacks.

Specific tools might reveal the fact that there is expanded connectivity whose duration is too long, which usually reflects minimal traffic transmission.

4. Server Error Responses

The nature of Slowloris’s attack is such that it leads to the server’s resources being overstressed. This, consequently, causes a wave of error responses to come back to the requests sent by legitimate users who try to access the site web.

Sometimes, the error responses are given as HTTP 503 Service Unavailable and HTTP 408 Request Timeout. Such reception messages suppose that the server does not have the ability to manage incoming requests because of a slow loris attack, which is, in turn, caused by server resource exhaustion.

5. Unusually High Resource Utilization

Their flow of requests in Nordicels assault shares resources, including CPU cycles, memory, and network bandwidth, just to keep vast quantities of connections open.

The monitoring task can be managed by administrators through systems monitoring tools or performance monitoring solutions which are able to record server utilization metrics.

A remarkably elevated level of resources, particularly if they are exploited during periods when user activity is low, may signal that the slowloris attack is in effect.

6. Suspicious Access Patterns in Logs

Seeing server access log is most likely to indicate the type of incoming requests and slowloris pattern of attack as well as can reveal suspicious access patterns.

Administrators may observe, inter alia, recurring partial HTTP requests, new connections occurring from a single or the same addresses, and those used for requests remaining inactive for longer. The Access Log records are analyzed in synchrony with other probability indicators to assist in striking a Slowloris attack.

How to Protect your Website from Slowloris Attack?

Detection of the Slowloris attack should be addressed in its entirety and does not overlook the website’s server configuration security or network infrastructure vulnerabilities, which serve as its stops.

The slowloris attack targets HTTP servers that fail to address the issue of spoofed connections, as well as the implementation of timeouts for idle connections, which results in overwhelming servers and shutting other users off.

Here’s a detailed guide on how to protect your website from Slowloris attacks:

1. Implement Rate Limiting

On the server level, configure the web server to impose a rate limit on the number of simultaneous connections or HTTP requests originating from a single IP address. The rate limiting protects from temporary overload or failure of a server due to one client making an enormous amount of connections.

It prevents partial denial of service called ‘slowloris attack’. The application of the mod_evasive for Apache or the ngx_ http_limit_req_module for Nginx rate limiting module is possible.

2. Optimize Server Configuration

Configure the server parameters settings to be fine-tuned to utilize the resources as much as possible and to make the server resilient to Slowloris attacks.

Adjust the parameters like connection timeouts, number of simultaneous connections kept, and Keep-Alive timeouts. Automatize the connecting and requests with an optimal server software configuration for effective management of.

3. Use Load Balancers and Reverse Proxies

Employ load balancers or reverse proxies in front of web servers to distribute the incoming web traffic to the multiple backend servers that are available in the network so that they can balance the workload smoothly.

Load balancers can ward off and mitigate the Slowloris attacks by sensibly spreading the incoming requests as well as the connections, terminating those originating from the malicious backends.

Make sure that balancers of the load are currently correct and that they have the necessary security attributes to identify and promptly prevent such attacks.

4. Enable Keep-Alive Timeouts

Establish Keep-Alive idling time on the webserver to terminate an instance of connection that has been initiated and not used for the allocated period.

To begin with, the server can fine-tune Keep-Alive timeouts so as to gain control over those resources that are being kept busy by the inactive connections; as a result, there will be a lower risk of resource exhaustion, which might be related to a Slowloris attack.

Set Keep Alive Timeout values to be neither low nor high enough so that resources are maximally used and user experience is satisfying.

5. Deploy Web Application Firewalls (WAF)

Develop a WAF that can possibly block the malicious traffic behaviors that are typically linked to a Slowloris attack.

WAFs execute algorithms over the traffic requests in real-time using security rules as well as heuristics to deal with malicious requests and prevent them from becoming HTTP requests to the web server.

Configure WAF to watch out for weighish behavior and kick off maliciously incoming connections preemptively.

6. Monitor Server Resources

Keep an eye on the server resource metrics, including CPU load, memory usage, and network throughput, and this will clue in on the potential of resource drain, which is suggestive of a Slowloris attack.

Automate monitoring and instant notification of administrators in the case of detection of inappropriate resource utilization, which can be arranged into one circuit. Establish criteria for resource metrics utilization and send out notifications if the thresholds are exceeded.

7. Update and Patch Software

Due to the growing number of cyber-attacks, make sure that you update your web server software, the operating system, and other dependencies with security patches and updates to boost your cyber security. Attackers manipulate server software weaknesses in order to permit Slowloris attacks.

Thus, it is important to apply the software updates because they may defeat the purpose of their implementation and increase risks. Maintaining an update schedule will allow for quick and timely installation of security updates.

8. Implement Network-Level Protections

Using the network defense tools IPS and DDoS Mitigation services at the network level is advisable for detecting and preventing attacks coming to the web server via web applications.

Such measures will alert and mitigate these attacks at the network level, before they attack infrastructure pointing to the server.

Collaborate with your network security team or provider In order to fine-tune the IPS and DDoS mitigation systems and prevent Slowloris attacks from exceeding their ability to effectively deal with them.

9. Educate Web Developers and Administrators

Offer training and mentorship to the web developers and system administrators on the best practices for the security of the web servers in Slowloris attacks.

Conduct security awareness training, which will include understanding threats, approaches used in cyberattacks, and proactive security measures for all employees to create a security-aware workforce.

Collude periodical security training sessions and workshops providing a clear understanding of roles and responsibilities related to website protection against the Slowloris attacks for all the stakeholders.

10. Regular Security Audits and Penetration Testing

Regular security audits and penetration tests are conducted to identify access vulnerabilities and weak points in the web environment infrastructure.

Enlist the cyber security consultants or experts to carry out a security audit of the site and take note of those loopholes in the system that attackers of Slowloris could abuse.

Be guided by threats and vulnerabilities that will be brought to light by security audits and penetration tests to determine mitigation effort prioritization and consequently improve the level of the website security.


Defending your website from Slowloris attacks needs a multifaceted and vigilant cycle. This reduction of the extent of downtime can be achieved via the use of a mix of preventive measures as well as responsive techniques that protect responsible users.

Implementing the Keep-Alive timeouts, installing a web application firewall (WAF), and server resources monitoring are among the remarkable steps in the detection and prevention of Slowloris attacks.

A continuous process of updating software and dependencies with the latest security patches, educating web developers and administrators on what the best practices are, and conducting regular security audits and penetration testing will be the key elements in developing our robust environment’s protection against ever-changing threats.

Through these proactive actions and vigilance, every website will be well prepared against the slow loris attacks, and therefore, your online services will be available and reliable.

Contact the highly skilled and professional Cyber Security Experts for all your website security.

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.