The Rise of SlowDoS: Detecting & Mitigating Stealthy Service Disruption

SlowDoS: Understanding the Low-and-Slow Cyberattack That Evades Detection

What it is

A SlowDoS (low-and-slow DoS) attack exhausts server resources not by volume but by keeping many legitimate-looking connections open or sending requests extremely slowly. It targets application- or thread-based resources (HTTP/TCP/TLS), tying up connection slots, threads, or memory so legitimate users are denied service.

Common techniques & tools

• Slowloris: Sends partial HTTP headers slowly so the server keeps the connection open.
• R.U.D.Y. (R U Dead Yet?): Sends POST bodies one byte at a time, forcing the server to wait.
• Sockstress / slow TCP attacks: Exploit TCP handshake or keep connections in half-open/long-lived states.
• Attacks can be launched from a single machine or small botnets and work against both plaintext and TLS-encrypted services.

Why it evades detection

• Traffic looks like normal, low-rate application traffic, so volumetric DDoS detectors and simple rate thresholds don’t trigger.
• Minimal bandwidth required; attackers can adapt rate to stay below defenses.
• Affects stateful/thread-limited servers (e.g., Apache prefork, some application stacks).

Indicators of an attack

• Large number of long-lived connections with little data transfer.
• Elevated connection counts, thread/worker exhaustion, slow response times for normally fast operations.
• Many incomplete HTTP requests or clients that send data at abnormally low byte rates.
• Resource usage (CPU, memory) rises disproportionately to traffic volume.

Detection strategies

• Behavioral baselining: monitor normal connection durations, request inter-arrival times, and compare for anomalies.
• Track per-connection throughput and flag connections below a minimum expected rate or with excessive idle intervals.
• Monitor application thread and connection-table exhaustion metrics.
• Use deep packet/flow inspection that examines handshake-to-request timing (works for TLS by analyzing TCP/TLS record timing).
• Employ IDS/flow tools and datasets tuned for low-rate attacks (e.g., SlowDoS/slow-rate signatures).

Mitigation and prevention

• Reverse proxies / CDN / cloud DDoS protection: terminate and filter connections before they reach origin.
• Web server tuning: reduce per-connection timeouts, limit header/body upload time, increase max concurrent connections strategically.
• Rate- and anomaly-based WAF rules: block clients with many slow or incomplete requests.
• Connection limits and per-IP concurrency caps (with care to avoid blocking legitimate users behind NAT).
• Use asynchronous/event-driven servers (e.g., NGINX, Node with proper configuration) that handle many concurrent slow clients more efficiently than thread-per-connection servers.
• Network-layer mitigations: reset suspicious long-lived connections, employ SYN cookies for handshake abuse.
• Monitoring + automated response: detect slow patterns and terminate or challenge (CAPTCHA, TLS renegotiation) suspect flows.

Short checklist to implement now

1. Add monitoring for connection duration, per-connection byte rate, and incomplete HTTP requests.
2. Lower server timeouts for headers/body reads; configure reasonable minimum throughput thresholds.
3. Put a reverse proxy/CDN in front of origins.
4. Enforce per-IP connection and request-rate limits; log and block suspicious clients.
5. Prefer event-driven servers or scale thread pools with autoscaling as a fallback.
6. Test with simulated slow-rate attacks to validate detection and mitigation.

Sources: Cloudflare, Akamai, NETSCOUT, ntop (industry guidance and detection notes).