cacari.co

Understanding the Slowloris Attack — And Why It Still Matters

In the world of cybersecurity, not all attacks are loud and obvious. Some, like the Slowloris attack, are deceptively quiet but just as dangerous.

What is a Slowloris Attack?

A Slowloris attack is a type of Denial-of-Service (DoS) attack that targets web servers, especially those like Apache. Instead of flooding the server with traffic, it opens many connections very slowly and keeps them open by sending partial HTTP requests at intervals — just enough to keep the server waiting.

Over time, the server becomes overwhelmed and cannot handle legitimate requests, because all its connection slots are occupied by these “half-open” connections, each still waiting on a request that never completes.

Why is it Effective?

  • Low bandwidth required: An attacker can bring down a server using just a single machine.
  • Hard to detect: It doesn’t spike traffic, making it stealthier than typical DoS methods.
  • Exploits default configurations: Many servers aren’t hardened against slow clients.

Mitigating the Risk

Protecting against Slowloris involves configuring your web server to not be so patient. For Apache, this means:

  • Setting Timeout and KeepAlive to reasonable values
  • Using mod_reqtimeout to drop slow connections
  • Disabling KeepAlive if not needed
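
The three steps above as an Apache 2.4 configuration fragment. This is an added example, not configuration from the original article; the numeric values are illustrative starting points (assumptions) to tune against your own traffic, and the commented "patient" baseline is constructed for contrast.

```apache
# Added example: values are assumptions, not taken from the article.

# --- Patient baseline (constructed for contrast; left commented out) ---
# Timeout 300
# KeepAlive On
# KeepAliveTimeout 15
# No RequestReadTimeout: each read may wait up to Timeout seconds, so a
# client that sends a few header bytes at intervals can hold its
# connection slot for a very long time.

# --- Tightened settings ---

# Upper bound on how long a single network read or write may block.
Timeout 60

# Keep persistent connections only if clients benefit from them, and
# release idle ones quickly. Set "KeepAlive Off" if they are not needed.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# mod_reqtimeout: bound the time allowed to receive a request.
#   header=20-40,MinRate=500
#     20 s to start with; each 500 bytes received extends the deadline
#     by 1 s, but headers must be complete within 40 s in total.
#   body=20,MinRate=500
#     20 s for the body, extended by 1 s per 500 bytes received.
# A client that only drips partial headers never reaches MinRate and is
# dropped when the header deadline expires.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

The IfModule block is skipped silently when mod_reqtimeout is not loaded, so confirm that reqtimeout_module appears in the output of apachectl -M and validate the file with apachectl configtest before reloading.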

Final Thoughts

Slowloris may be an old trick, but it remains relevant — especially when default server settings are left untouched. A small tweak in your configuration today can save you from unexpected downtime tomorrow.