Skip to main content

Overview

HTTP Slowloris is a low-bandwidth, high-impact denial of service attack that keeps HTTP connections open for as long as possible by sending partial HTTP requests. Unlike volumetric attacks, Slowloris requires minimal bandwidth and can take down a server with just a few hundred concurrent connections.
This attack exploits how web servers handle concurrent connections, not bandwidth.

How it works

The Slowloris attack operates by:
  1. Connection Establishment: Opens raw TCP or TLS connection to the target server
  2. Partial Request: Sends incomplete HTTP headers: 
    GET / HTTP/1.1\r\n
Host: example.com\r\n
User-Agent: Mozilla/5.0...\r\n
Accept: */*\r\n
Connection: keep-alive\r\n
  3. Slow Drip: Sends headers one at a time with delays between each
  4. Keep-Alive Headers: Periodically sends X-a: b\r\n to keep connection alive
  5. Never Complete: Intentionally never sends the final \r\n\r\n to complete the request
  6. Connection Pool Exhaustion: Server keeps connections open waiting for complete headers
  7. Concurrent Threads: Multiple threads each maintain slow connections

Attack flow

When to use

Slowloris is effective for:
  • Connection limit testing: Test server’s maximum concurrent connection handling
  • Timeout configuration validation: Verify proper timeout settings
  • Resource exhaustion scenarios: Simulate attacks that exhaust file descriptors/sockets
  • Load balancer testing: Test if load balancers properly detect and close slow connections
  • Low-bandwidth attack simulation: Demonstrate that DDoS doesn’t always mean high traffic
This attack can effectively DoS a server with minimal resources. Only use on systems you own or have explicit permission to test.

Usage

Basic Slowloris attack: 
mmb attack http_slowloris https://example.com
With optimized parameters for maximum impact: 
mmb attack http_slowloris https://example.com \
  --duration 300 \
  --delay 5000 \
  --threads 500 \
  --verbose

Parameters

target
string
required
Target URL including protocol (http:// or https://)
--duration
int
default:"60"
Attack duration in seconds. Longer durations are more effective.
--delay
int
default:"500"
Delay between header packets in milliseconds. Higher = slower drip = longer connections.
--packet-size
int
default:"512"
Not used in Slowloris (kept for API consistency)
--threads
int
default:"0"
Number of concurrent slow connections (0 = number of CPU cores). Higher is more effective.
--verbose
boolean
default:"false"
Show detailed logs for each slow connection established
--no-proxy
boolean
default:"false"
Allow running without proxies. Note: Your IP will be exposed.

Expected behavior

Console output

Standard mode: 
Starting http_slowloris against https://example.com with 100 proxies
23:15:30 PPS:47 Total:47 Proxies:100
23:15:31 PPS:52 Total:99 Proxies:100
23:15:32 PPS:49 Total:148 Proxies:100
Verbose mode: 
Starting http_slowloris against https://example.com with 100 proxies
Verbose mode enabled - showing detailed attack logs
23:15:30 PPS:47 Total:47 Proxies:100 [SOCKS5 proxy.example.com:1080 -> https://example.com]
23:15:31 PPS:52 Total:99 Proxies:100 [HTTP proxy2.example.com:3128 -> https://example.com]

Connection behavior

  • Initial connection: Quick TCP/TLS handshake
  • Header drip rate: One header per --delay milliseconds
  • Keep-alive interval: X-a: b header sent every --delay milliseconds after initial headers
  • Connection lifetime: Remains open until server timeout or attack stops
  • Resource usage: Minimal bandwidth, moderate memory per connection

Technical implementation

Implementation details from internal/attacks/http/slowloris.go:20-87:
  • Raw socket usage: Opens TCP/TLS connections directly (not via HTTP client)
  • Protocol detection: Uses tcp scheme for HTTP, tls scheme for HTTPS
  • Port handling: Defaults to 80 (HTTP) or 443 (HTTPS) if not specified
  • Proxy support: Routes through SOCKS/HTTP proxies when available
  • Goroutine per connection: Each connection runs in separate goroutine
  • Buffered writer: Uses bufio.Writer for controlled header sending
  • Context awareness: Respects cancellation for graceful shutdown

Header sequence

headers := []string{
    "Host: " + host,
    "User-Agent: " + pickUA(ua),
    "Accept: */*",
    "Connection: keep-alive",
}
Each header is sent with flush and delay: 
bw.WriteString(h + "\r\n")
bw.Flush()
time.Sleep(params.PacketDelay)

Optimization strategies

  • Increase --threads to 500-1000 for maximum concurrent connections
  • Use --delay 5000 (5 seconds) to keep connections open longer
  • Longer --duration ensures connections stay active
  • More proxies = more unique source IPs = harder to block
  • Lower --threads (50-100) for stealthier attacks
  • Higher --delay (10000ms+) for slower, harder-to-detect drip
  • Use residential proxies to avoid data center IP blocking
  • Combine with other traffic for camouflage
  • Each thread maintains one slow connection at a time
  • Memory usage: ~4-8KB per active connection
  • CPU usage: Minimal (mostly idle waiting)
  • Network: ~100 bytes per second per connection
  • Monitor for incomplete HTTP requests
  • Track connection duration averages
  • Alert on high count of ESTABLISHED connections
  • Implement aggressive timeouts for header completion

Mitigation techniques

If you’re defending against Slowloris:
1

Implement request timeouts

Configure aggressive timeouts for incomplete HTTP requests (5-10 seconds).
2

Limit connections per IP

Restrict concurrent connections from single IP addresses.
3

Use reverse proxy

Deploy nginx, HAProxy, or similar to buffer requests before reaching application servers.
4

Enable ModSecurity or WAF

Configure rules to detect and block slow HTTP attacks.
5

Monitor connection states

Alert when ESTABLISHED connections exceed thresholds.

Server-specific vulnerabilities

Vulnerable servers:
  • Apache HTTP Server (without mod_reqtimeout)
  • Basic Python/Node.js HTTP servers
  • Misconfigured IIS servers
Resistant servers:
  • nginx (proper timeout config)
  • Apache with mod_reqtimeout
  • HAProxy / Cloudflare / CDNs with DDoS protection

Real-world example

Testing connection limit on Apache server: 
# Start with moderate settings
mmb attack http_slowloris https://test-server.example.com \
  --threads 200 \
  --delay 3000 \
  --duration 120 \
  --verbose

# Monitor server:
# watch -n 1 'netstat -an | grep :80 | grep ESTABLISHED | wc -l'

# Observe when server stops accepting new connections
# (MaxClients or connection limit reached)

HTTP Flood

High-volume HTTP request attack

HTTP Bypass

Stealth HTTP attack with browser mimicry

TCP Flood

Layer 4 TCP connection flood

Build docs developers (and LLMs) love

Get started for freeTalk to us