
Low and Slow Attack

A low and slow attack is a DDoS attack that aims to stop a web service using extremely slow HTTP or TCP traffic.


Learning Objectives

After reading this article you will be able to:

  • Define a low and slow attack
  • Describe how low and slow attacks work
  • Know how to mitigate low and slow attacks

What is a low and slow attack?

A low and slow attack is a type of DoS or DDoS attack that relies on a small stream of very slow traffic which can target application or server resources. Unlike more traditional brute-force attacks, low and slow attacks require very little bandwidth and can be hard to mitigate, as they generate traffic that is very difficult to distinguish from normal traffic. Because they don’t require a lot of resources to pull off, low and slow attacks can be successfully launched using a single computer; two of the most popular tools for launching a low and slow attack are called Slowloris and R.U.D.Y.

How does a low and slow attack work?

Low and slow attacks target thread-based web servers with the aim of tying up every thread with slow requests, thereby preventing genuine users from accessing the service. This is accomplished by transmitting data very slowly, but just fast enough to prevent the server from timing out. Think of a 4-lane bridge with a tollbooth for each lane. Drivers pull up to the tollbooth, hand over a bill or a handful of coins, and then drive across the bridge, opening up the lane to the next driver. Now imagine four drivers showing up at once and occupying every open lane while they each slowly hand pennies over to the tollbooth operator, one coin at a time, clogging up all available lanes for hours and preventing other drivers from getting through. This incredibly frustrating scenario is very similar to how a low and slow attack works.

Attackers can use HTTP headers, HTTP POST requests, or TCP traffic to carry out low and slow attacks. Here are three common attack examples:

  • The Slowloris tool connects to a server and then slowly sends partial HTTP headers. This causes the server to keep the connection open so that it can receive the rest of the headers, tying up the thread.
  • Another tool called R.U.D.Y. (R-U-DEAD-YET?) generates HTTP POST requests to fill out form fields. It tells the server how much data to expect, but then sends that data in very slowly. The server keeps the connection open because it is anticipating more data.
  • Yet another type of low and slow attack is the Sockstress attack, which exploits a vulnerability in the TCP/IP 3-way handshake, creating an indefinite connection.

How to stop a low and slow attack?

The rate detection techniques used to stop traditional DDoS attacks won’t pick up on a low and slow attack. One way to mitigate a low and slow attack is to upgrade your server availability; the more connections your server can simultaneously maintain, the more difficult it will be for an attack to clog your server. The problem with this approach is that an attacker can attempt to scale their attack to meet your server’s availability. Another solution is reverse-proxy based protection, which will mitigate low and slow attacks before they ever reach your origin server. Learn about Cloudflare’s cloud-based DDoS protection.
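The following added example, which is not part of the original article, shows why a per-read idle timeout misses the slow-header and slow-body patterns described above, and how a total header deadline plus a minimum body rate flags them. The thresholds, the `Conn` fields and the sample connections are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for illustration; tune them against real traffic.
IDLE_TIMEOUT = 30.0      # classic per-read timeout (seconds)
HEADER_DEADLINE = 20.0   # total time allowed to finish the request headers
BODY_GRACE = 10.0        # seconds in the body phase before the rate is judged
MIN_BODY_RATE = 500.0    # bytes/second required once the grace period is over

@dataclass
class Conn:                             # hypothetical per-connection snapshot
    opened: float                       # time the connection was accepted
    last_read: float                    # time the most recent byte arrived
    headers_done_at: Optional[float]    # None while headers are incomplete
    content_length: int = 0             # size the client declared for the body
    body_bytes: int = 0                 # body bytes actually received so far

def idle_timeout_fires(c, now):
    """Naive check: only looks at the gap since the last received byte."""
    return now - c.last_read > IDLE_TIMEOUT

def verdict(c, now):
    """Progress-based check: returns 'ok', 'slow-headers' or 'slow-body'."""
    if c.headers_done_at is None:
        # Absolute deadline: trickled header bytes cannot extend it.
        return "slow-headers" if now - c.opened > HEADER_DEADLINE else "ok"
    if c.body_bytes >= c.content_length:
        return "ok"                     # request fully received
    in_body = now - c.headers_done_at
    if in_body > BODY_GRACE and c.body_bytes / in_body < MIN_BODY_RATE:
        return "slow-body"
    return "ok"

# Constructed snapshots taken at t=120s (not captured traffic).
NOW = 120.0
SAMPLES = {
    "normal-get":   Conn(119.5, 119.6, 119.6),
    "partial-hdrs": Conn(0.0, 110.0, None),
    "trickle-post": Conn(0.0, 115.0, 0.5, content_length=100_000, body_bytes=24),
    "big-upload":   Conn(100.0, 119.9, 100.2, 50_000_000, 30_000_000),
}

def report():
    """Map each sample to (idle timeout fired?, progress-based verdict)."""
    return {n: (idle_timeout_fires(c, NOW), verdict(c, NOW))
            for n, c in SAMPLES.items()}

if __name__ == "__main__":
    for name, (idle, v) in report().items():
        print(f"{name:13} idle_timeout={idle!s:5} verdict={v}")
```

The idle timeout never fires for any sample because each connection delivered a byte recently; only the checks that measure overall progress separate the two stalled connections from the legitimate large upload.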