SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS Attacks Stop Malicious Bot Abuse Accelerate Internet Applications Ensure Application Availability Optimize Web Experiences Stream Videos On-Demand Superior Online Experience for China Users
Secure Employee Applications and Devices
Deliver Zero Trust Access to Applications Implement Secure Access Service Edge (SASE) Protect Users Accessing the Internet Protect Corporate Networks Manage Secure Contractor Access Replace Virtual Private Networks (VPNs) Secure Your Remote Workforce Stop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Cloudflare's Network Services Mitigate L3 DDoS Attacks Connect network infrastructure with Cloudflare Transform Corporate Networks
Code on the Network Edge
Build a Serverless Application Deploy a Static Website Configure a CDN Define Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS Platforms Enable SSL for SaaS Applications Reduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerce Financial Services Gaming Healthcare and Life Sciences Media and Entertainment Public Sector SaaS Education
PUBLIC INTEREST
Election Campaigns Athenian Project Project Galileo Project Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
API Shield Bot Management DDoS Protection Magic Transit Magic WAN Network Interconnect Rate Limiting TCP / UDP Applications SSL / TLS SSL/TLS for SaaS Providers WAF
Performance & Reliability
Argo Smart Routing CDN China Network DNS Load Balancing Stream Delivery Waiting Room
FOR TEAMS
Cloudflare for Teams Access Gateway Browser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare Workers Cloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare Pages Cloudflare Stream
SaaS Developers
Cloudflare for SaaS
FOR EVERYONE
1.1.1.1 1.1.1.1 with WARP (App) 1.1.1.1 for Families
INSIGHTS
Analytics Cloudflare Logs Web Analytics Cloudflare Radar
PRIVACY
Data Localization Compliance
FOR INFRASTRUCTURE
Advanced Security
Bot Management Firewall rules Magic Transit Spectrum (TCP/UDP) SSL WAF
Performance & Reliability
CDN DNS Image Resizing Load Balancing Stream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick Start Cloudflare Pages Sample Workers Projects Workers Tutorials Command-line (Wrangler) Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare API API Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource Hub Whitepapers Webinars Solutions & Product Guides Case Studies Analysts
EXPLORE
What's New? Network Map Cloudflare in China GDPR
GET STARTED
Register Your Website Welcome Center Get Help
LEARN
Learning Center Security DDoS Bot Management SSL Identity and Access Management Performance CDN DNS Cloud Serverless Network Layer
CONNECT
Blog Community
TRUST
Trust Hub Privacy & Data Protection Certifications Trust & Safety GDPR Legal Documentation
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner Network Partner Portal
TECHNOLOGY PARTNERS
Overview Analytics Partners Bandwidth Alliance Endpoint Security Partnerships Interconnect Partnerships Network On-ramp Partnerships Peering Portal
PRICING BY PLAN
Free Pro Business Enterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan? Add Ons Compare All Plans

Low and Slow Attack

A Low And Slow attack is a DDoS attack that aims to stop a web service using extremely slow HTTP or TCP traffic.

Share facebook icon linkedin icon twitter icon email icon
What is a DDoS Attack?
What is a Botnet?
Common DDoS Attacks
DDoS Attack Tools
DDoS Glossary of Terms
Famous DDoS Attacks
Memcached DDoS Attack
NTP Amplification Attack
DNS Amplification Attack
SSDP Attack
DNS Flood
HTTP Flood
SYN Flood Attack
UDP Flood Attack
Ping (ICMP) Flood Attack
Low and Slow Attack
Application Layer Attack
Cryptocurrency Attacks
Smurf Attack (historic)
Ping of Death (historic)
How to DDoS
Low Orbit Ion Cannon
High Orbit Ion Cannon
R U Dead Yet? (R.U.D.Y.)
Slowloris Attack
DDoS Booter/IP Stresser
DDoS Mitigation
Blackhole Routing
Denial Of Service
DNS
HTTP
ICMP
IP Spoofing
Malware
OSI Model
TCP/IP
UDP
WAF
Internet Of Things (IOT)
Mirai Botnet
Internet Protocol (IP)

Low and Slow Attack

Learning Objectives

After reading this article you will be able to:

  • Define a low and slow attack
  • Describe how low and slow attacks work
  • Know how to mitigate low and slow attacks

Related Content

R U Dead Yet (R.U.D.Y.)

Slowloris DDoS Attack

Web Application Firewall (WAF)

Ping Flood Attack

How To DDoS

What is a low and slow attack?

A low and slow attack is a type of DoS or DDoS attack that relies on a small stream of very slow traffic which can target application or server resources. Unlike more traditional brute-force attacks, low and slow attacks require very little bandwidth and can be hard to mitigate, as they generate traffic that is very difficult to distinguish from normal traffic. Because they don’t require a lot of resources to pull off, low and slow attacks can be successfully launched using a single computer; two of the most popular tools for launching a low and slow attack are called Slowloris and R.U.D.Y.

How does a low and slow attack work?

Low and slow attacks target thread-based web servers with the aim of tying up every thread with slow requests, thereby preventing genuine users from accessing the service. This is accomplished by transmitting data very slowly, but just fast enough to prevent the server from timing out. Think of a 4-lane bridge with a tollbooth for each lane. Drivers pull up to the tollbooth, hand over a bill or a handful of coins, and then drive across the bridge, opening up the lane to the next driver. Now imagine four drivers showing up at once and occupying every open lane while they each slowly hand pennies over to the tollbooth operator, one coin at a time, clogging up all available lanes for hours and preventing other drivers from getting through. This incredibly frustrating scenario is very similar to how a low and slow attack works.

Attackers can use HTTP headers, HTTP post requests, or TCP traffic to carry out low and slow attacks. Here are 3 common attack examples:

  • The Slowloris tool connects to a server and then slowly sends partial HTTP headers. This causes the server to keep the connection open so that it can receive the rest of the headers, tying up the thread.
  • Another tool called R.U.D.Y. (R-U-DEAD-YET?) generates HTTP post requests to fill out form fields. It tells the servers how much data to expect, but then sends that data in very slowly. The server keeps the connection open because it is anticipating more data
  • Yet another type of low and slow attack is the Sockstress attack, which exploits a vulnerability in the TCP/IP 3-way handshake, creating an indefinite connection.

How to stop a low and slow attack?

The rate detection techniques used to stop traditional DDoS attacks won’t pick up on a low and slow attack. One way to mitigate a low and slow attack is to upgrade your server availability; the more connections your server can simultaneously maintain, the more difficult it will be for an attack to clog your server. The problem with this approach is that an attacker can attempt to scale their attack to meet your server’s availability. Another solution is reverse-proxy based protection, which will mitigate low and slow attacks before they ever reach your origin server. Learn about how Cloudflare’s cloud-based DDoS protection can mitigate slow and low attacks.

Previous Lesson: Ping (ICMP) Flood Attack

Next Lesson: Application Layer DDoS Attack

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.