A Slowloris DDoS (Distributed Denial of Service) attack is a type of cyberattack that targets the application layer (Layer 7) of the OSI (Open Systems Interconnection) model, with the specific aim of disrupting the availability of web services. Named after the slow-moving Asian primate, the slow loris, this attack method is designed to overwhelm a target, such as a computer, web server, database, or API, by opening and maintaining a large number of simultaneous TCP (Transmission Control Protocol) connections to the target’s fully qualified domain name (FQDN).
The hallmark of a Slowloris attack is that each connected session generates only a low rate and volume of HTTP requests, yet keeps its connection open. In this way the attack ties up the target’s resources without needing much bandwidth. Some attacking IPs open many TCP connections at once and use these extra open sessions to hold additional pending requests, further exhausting the application or database resources.
Slowloris attacks are particularly insidious because they can last for an extended period when undetected. They are often difficult to identify and mitigate because the attack traffic can mimic legitimate traffic, making it challenging for traditional security measures to distinguish between normal and malicious activity.
The Slowloris technique was popularized by common attack tool frameworks such as HOIC (High Orbit Ion Cannon) and LOIC (Low Orbit Ion Cannon), which were used by various threat actor groups, including Anonymous, the Iranian government, and Killnet. These tools made it easier for attackers to launch Slowloris attacks with minimal technical expertise.
Today, the technique continues to be employed by various threat actors, who leverage modernized infrastructure and command-and-control systems to carry out these attacks. As a result, organizations need to implement advanced security measures, such as application-layer firewalls and rate limiting, to detect and mitigate Slowloris attacks effectively and protect their web services from downtime and disruption.