A Slowloris attack is a type of denial-of-service (DoS) attack that disrupts websites by opening and holding many connections to a web server. Unlike traditional DoS attacks that flood a server with traffic, a Slowloris is quiet and efficient. It uses minimal bandwidth but can still bring a website to a standstill. This makes it especially dangerous and difficult to detect.
What Is a Slowloris Attack?
A Slowloris attack works by sending incomplete HTTP requests to a server and keeping those connections open for as long as possible. The attacker sends just enough data to prevent the server from closing the connection, but never finishes the request. As the server waits for the rest of the data, it keeps the connection alive.
The attacker repeats this process many times, eventually filling up all available connection slots. When that happens, legitimate users can’t get through because the server is too busy waiting on these fake, half-completed requests.
Why Is It So Effective?
The power of a Slowloris attack lies in its stealth. Since it doesn’t rely on high traffic volumes, it doesn’t raise red flags in basic monitoring systems. It can be launched from a single device and still take down a server if protections are not in place.
Slowloris specifically targets the way web servers handle connections. Many servers are designed to be patient and wait for slow clients, which is normally a good thing. But this patience is exactly what this attack exploits.
Signs of a Slowloris Attack
Recognizing the attack can be tricky, but some signs are:
- A large number of open but idle connections
- High memory usage on the server despite low traffic
- Users reporting long load times or error messages
- A server that becomes slow or unresponsive without a spike in bandwidth
How to Prevent a Slowloris Attack
The good news is that you can take steps to defend against this type of attack, even with limited technical experience.
- Set Strict Timeouts: Configure your web server to close connections that take too long to complete. Shorter timeouts make it harder for Slowloris to keep connections open.
- Limit Simultaneous Connections: Set a maximum number of connections allowed per IP address. This limits the attacker’s ability to overload your server.
- Filter Incomplete Requests: Use firewall rules or software filters to detect and drop connections that are sending incomplete requests too slowly.
- Monitor Connection Behavior: Keep an eye on your server’s connection logs. Look for patterns like many slow connections from a single IP or from a small group of IPs.
- Use Front-End Gatekeepers: Placing a layer in front of your server to handle incoming requests can help absorb and deflect attacks. These systems often have built-in protections for common threats like Slowloris.
- Regular Maintenance: Keep your systems and configurations up to date. Security patches often include improvements that help mitigate attacks like this.
Conclusion
A Slowloris attack is subtle but can be incredibly disruptive. By tying up server resources with slow, incomplete connections, it blocks real users from accessing your site. However, with the right server settings and monitoring practices, you can greatly reduce your risk. Understanding how this attack works is the first step to stopping it before it causes real damage.