The Slowloris attack is a stealthy and sophisticated type of Application Layer (Layer 7) Denial-of-Service (DoS) attack. Unlike brute-force floods, Slowloris works by exploiting how web servers handle connections, allowing a single machine to take down a server with minimal bandwidth. Let’s unpack it:

🐌 What Is a Slowloris Attack?

Slowloris is a DoS attack that targets HTTP servers by opening many connections and keeping them alive as long as possible—without ever completing them. This ties up the server’s resources, preventing it from handling legitimate requests.

🧠 How It Works

1. Connection Initiation: The attacker sends a partial HTTP request to the server.
2. Header Drip: Instead of completing the request, the attacker slowly sends additional headers—just enough to keep the connection open.
3. Resource Exhaustion: The server keeps these connections open, waiting for completion.
4. Denial of Service: Eventually, the server hits its limit for concurrent connections and can’t serve real users.

🎯 Why It’s Effective

🔥 Impact of a Slowloris Attack

• Web server becomes unresponsive or extremely slow
• Legitimate users experience timeouts or connection failures
• Server may crash if it runs out of memory or threads

🛡️ How to Mitigate Slowloris

• Use a reverse proxy like Nginx or HAProxy to buffer and manage connections.
• Set connection timeouts to close idle or incomplete requests quickly.
• Limit concurrent connections per IP to prevent abuse.
• Deploy web application firewalls (WAFs) with Slowloris detection.
• Enable HTTP keep-alive limits and header size restrictions.

🧪 Real-World Analogy

Imagine a restaurant where customers must place their full order before being served. Now imagine one person walks in and starts ordering… very… slowly… pausing between each word. If enough people do this, the kitchen gets backed up and no one else can order. That’s Slowloris in action.