Low-rate attacks

Low-rate attacks are focused on bringing a target down quietly. This is very different to high rate brute-force attacks. These attacks leave connections open on the target by creating a relatively low number of connections over a period of time and leaving those sessions open for as long as possible. A famous example of these types of attacks is the Slowloris tool, which allows an attacker to take down a victim's web server with minimal bandwidth requirements and without launching numerous connections at the same time.

Slowloris is an application layer (Layer-7) DDoS attack which operates by utilizing valid partial HTTP requests. The attacker sends HTTP headers with opening connections to a targeted web server and then keeps those connections open for as long as possible, but never completes a request. To avoid connection timeout, the attacker periodically sends another set of partial request headers to the target in order to keep the request alive. This ultimately overflows the maximum concurrent connection pool, and leads to denial of service for subsequent connections from legitimate users.

Mitigation:

• Increase server availability
• Rate limit incoming requests
• Limit the number of connections coming from one IP address.